Our smartphones. Where would we be without them?
If you’re anything like me, making a phone call is the fifth or sixth reason to reach for your Android or iPhone. Whichever OS you favor, a good portion of the key components that make up your digital life — email, texting, social media, shopping, banking, hobbies, and work duties — now route through these indispensable contraptions much of the time.
Cybercriminals know this, of course, and for some time now they have been relentlessly seeking out and exploiting the fresh attack vectors spinning out of our smartphone obsession.
Don’t look now, but evidence is mounting that the mobile threats landscape is on the threshold of getting a lot more dicey. This is because mobile services and smartphone functionalities are rapidly expanding, and, as you might expect, cyberattacks targeting mobile devices and services are also rising sharply. Here are a few key developments everyone should know about.
Upon reviewing Android usage data for all of 2018, Google identified a rise in the number of “potentially harmful apps” that were preinstalled or delivered through over-the-air updates. Threat actors have figured out how to insinuate themselves into the processes that preinstall apps on new phones and push out OS updates.
Why did they go there? Instead of having to trick users one by one, fraudsters only have to deceive the device manufacturer, or some other party involved in the supply chain, and thereby get their malicious code delivered far and wide.
In a related development, OneSpan, a Chicago-based supplier of authentication technology to 2,000 banks worldwide, reports seeing a rise in cyber attacks targeting mobile banking patrons. “Popular forms of mobile attacks, at this point in time, include screen scrapers and screen capture mechanisms, as well as the installation of rogue keyboards,” said OneSpan security evangelist Will LaSala.
This isn’t just an Android problem. “Apple’s system is a bit more closed, so you don’t see it as much, but it does exist,” LaSala told me.
Booby-trapped selfie apps
The fact remains that Android commands an 85% share of the global smartphone operating system market, and that’s irresistible to criminals. To wit, Avast researchers recently discovered several “selfie beauty apps” on the Google Play Store posing as legitimate apps. However, the three apps in question — Pro Selfie Beauty Camera, Selfie Beauty Camera Pro, and Pretty Beauty Camera 2019 — were really tools to spread adware and spyware.
On one level, the apps provided the seemingly innocuous functionality of filtering and modifying selfie photos. Below the surface, however, they primarily functioned as tools to aggressively display ads, as well as to install spyware capable of making calls, listening to calls, retrieving the device’s location, and changing a device’s network state.
Forensics conducted by Avast revealed that each app had at least 500,000 installs, with Pretty Beauty Camera 2019 logging over 1 million, mainly by Android users in India. With that many installs, these apps have generated thousands of reviews, most of which rate the apps poorly. And the handful of positive reviews were most likely faked.
Rising mobile threats have not escaped notice by company decision makers who may have thought they had solved security exposures created by BYOD, the trend where employees bring personally owned devices into the workplace.
Companies today routinely issue corporate-controlled devices, or they insist that employees install device management software on personal devices used for work. Meanwhile, mobile security continues to advance, giving companies more options for dealing with shifting BYOD risks.
But the corporate sector is still a long, long way from coming to grips with rapidly expanding mobile security exposures. The problem is a structural one. The supply chain that puts a smartphone (jam-packed with cool apps) into your hands is not as monolithic as it was when PC-centric networks arose.
In mobile, independent app developers have little incentive to deliver secure software, much less participate in any initiatives to improve the security of the platforms they write for. Meanwhile, device manufacturers put out new models so often that it becomes logistically impossible to keep up with vulnerability management. And the telecoms don’t want to get involved in pushing out security updates for fear of bricking millions of phones.
So what does this all add up to for the average consumer? It means the Wild Wild West of mobile attacks is just warming up… and Wyatt Earp is nowhere in sight. It’s up to you to protect yourself and the organizations you care about in today’s increasingly dangerous mobile landscape.
Following these nine best practices tips is a good place to start. In a nutshell: lock your device; click judiciously; use antivirus. Talk more soon.