A report published today by CrowdStrike, a provider of endpoint protection software and services, finds that attacks aimed specifically at mobile computing devices are increasing in both frequency and sophistication.
As end users continue to shift away from traditional desktop and laptop systems in favor of mobile computing devices running Apple iOS or Google Android systems, cybercriminals are embracing a variety of strategies to exploit weaknesses in the ecosystems surrounding each of those platforms. According to the report, specific attack vectors being exploited more frequently include:
App Stores: Cybercriminals distribute malware as free tools or as variants of popular, legitimate applications. Malware authors decompile a legitimate application, add code that performs malicious actions alongside the normal functionality, and rebuild it; to the average end user the recompiled app is often indistinguishable from the original. What the repackager cannot reproduce is the original developer's private signing key, so the rebuilt app necessarily carries a different signing certificate. While Apple requires developers to register before submitting applications, the report notes, the open source nature of Android is far less restrictive about who can develop applications, including ones that end up in the Google Play store. Nevertheless, cybercriminals have managed to get malware into both app stores.
Phishing-enabled Distribution: Cybercriminals trick users into installing malicious applications by sending, via SMS or email, links to Android Package (APK) files hosted on websites the cybercriminal controls.
Compromised Websites: A legitimate website that hosts a mobile application is compromised and the hosted application is injected with malware, so users who download it from the trusted site receive the malicious build.
Compromised Operating System Images: Trojans can be built into custom operating system (OS) images on platforms that let device manufacturers load their own OS images onto devices at the point of distribution.
Compromised Source Code: Malicious code is inserted into a legitimate application's source code without the knowledge of the original developer, so the compromised build ships under the developer's own name.
Software Exploits: Cybercriminals may develop or procure remote exploits for software installed on target devices, and then use them to install their payloads without any user interaction required.
Loss of Physical Control: Cybercriminals and nation-states also install malware by taking a device out of its owner's hands, for example during a cross-border inspection, and tampering with it directly.
Adam Meyers, vice president of intelligence for CrowdStrike, said the primary mobile security challenge organizations face is that the tools at their disposal are typically not as capable as those used to secure desktop computing environments. Detection methods such as antivirus monitoring are more hampered than on desktops, mainly because access to operating system internals on mobile devices is extremely limited. Most security vendors have built tools that attempt to block access to malicious web content via hooks provided by the operating system; those tools, however, will not detect malware installed through a remote exploit. Increased adoption of filesystem encryption on mobile devices is also making post-exploitation forensic analysis more challenging. As a result, mobile devices infected with malware are likely to remain undetected for longer periods.
To address that issue, CrowdStrike is making a case for an endpoint detection and remediation service that leverages machine learning algorithms to identify compromised endpoints.
Whatever path is chosen to secure mobile devices, malware in the form of remote access tools and credential-stealing banking trojans is becoming a much bigger problem. Most organizations, for example, have little visibility into the supply chain used to build the mobile applications they rely on, noted Meyers, which makes it easier for cybercriminals to compromise those applications long before they ever reach a mobile device.
To combat these threats, Meyers said organizations need to focus more on the strategies being employed by their adversaries versus trying to combat every specific type of malware. The goal should be to reduce the number of devices that might be infected by limiting the attack vectors that can be exploited, he said.
It may never be possible to eliminate every attack vector cybercriminals exploit. Focusing on those vectors, however, will substantially reduce the number of incidents a cybersecurity team needs to investigate and remediate. That alone should relieve some of the stress already at critical levels among chronically understaffed cybersecurity teams.