04 Mar CSO Magazine – “8 mobile security threats”
8 mobile security threats you should take seriously in 2020
Mobile malware? Some mobile security threats are more pressing. Every enterprise should have its eye on these eight issues.
By JR Raphael
Contributing Editor, CSO
Mobile security is at the top of every company’s worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is a whopping $3.86 million, according to a 2018 report by the Ponemon Institute. That’s 6.4 percent more than the estimated cost just one year earlier.
While it’s easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one estimate. Malware currently ranks as the least common initial action in data breach incidents, in fact, coming in behind even physical attacks in Verizon’s 2019 Data Breach Investigations Report. That’s thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems.
The more realistic mobile security hazards lie in some easily overlooked areas, all of which are only expected to become more pressing:
Data leakage
It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as one of the most worrisome threats to enterprise security in 2019. Remember those almost nonexistent odds of being infected with malware? Well, when it comes to a data breach, companies have a nearly 28% chance of experiencing at least one incident in the next two years, based on Ponemon’s latest research: odds of more than one in four, in other words.
What makes the issue especially vexing is that it often isn’t nefarious by nature; rather, it’s a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
“The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users,” says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defense (MTD) solutions — products like Symantec’s Endpoint Protection Mobile, Check Point’s SandBlast Mobile, and Zimperium’s zIPS Protection. Such utilities scan apps for “leaky behavior,” Zumerle says, and can automate the blocking of problematic processes.
Of course, even that won’t always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. That’s a challenge the healthcare industry is currently struggling to overcome: According to specialist insurance provider Beazley, “accidental disclosure” was the top cause of data breaches reported by healthcare organizations in the third quarter of 2018. That category combined with insider leaks accounted for nearly half of all reported breaches during that time span.
For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.
Social engineering
The tried-and-true tactic of trickery is just as troubling on mobile as it is on desktops. Despite how easy one would think social engineering cons are to avoid, they remain astonishingly effective.
A staggering 91% of cybercrime starts with email, according to a 2018 report by security firm FireEye. The firm refers to such incidents as “malware-less attacks,” since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing, specifically, grew by 65% over the course of 2017, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender’s name — making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
Users are actually three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study — in part because a phone is where people are most likely to first see a message. Verizon’s latest research supports that conclusion and adds that the smaller screen sizes and corresponding limited display of detailed information on smartphones (particularly in notifications, which frequently now include one-tap options for opening links or responding to messages) can also increase the likelihood of phishing success.
Beyond that, the prominent placement of action-oriented buttons in mobile email clients and the unfocused, multitasking-oriented manner in which workers tend to use smartphones amplify the effect — and the fact that the majority of web traffic is generally now happening on mobile devices only further encourages attackers to target that front.
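A concrete illustration of the display-name problem, added here as an example rather than anything from the article or the vendors it cites: the Python below parses the From and Reply-To headers of a message and reports the sender-spoofing patterns a mobile client would hide from the reader. The trusted-contact directory, the internal domain and the four sample messages are constructed for the example.

```python
"""Sender-spoofing checks for the mobile case where only the display name is visible.

Added example; it is not code from the CSO article or from any vendor it names.
The trusted-contact directory, internal domain list and sample messages are
constructed for the example.
"""
import email
import re
from email.utils import parseaddr

# Constructed: people users are expected to trust, keyed by lower-cased display name.
TRUSTED = {
    "jane doe": "jane.doe@example.com",
    "it helpdesk": "helpdesk@example.com",
}
INTERNAL_DOMAINS = {"example.com"}

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Crude lookalike normalisation: digits commonly swapped for letters, and "rn" for "m".
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def looks_like_internal(domain):
    """True for a domain that is not ours but normalises to one of ours."""
    if domain in INTERNAL_DOMAINS:
        return False
    return domain.translate(HOMOGLYPHS).replace("rn", "m") in INTERNAL_DOMAINS


def spoof_indicators(raw_message):
    """Return the reasons a message's sender looks spoofed (empty list if none)."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_key = name.strip().lower()
    reasons = []

    # 1. A trusted person's name on an address that is not theirs.
    if name_key in TRUSTED and addr.lower() != TRUSTED[name_key]:
        reasons.append(f"name '{name}' belongs to {TRUSTED[name_key]}, address is {addr}")

    # 2. An e-mail address inside the display name that differs from the real one:
    #    "ceo@example.com" <mailer@other.test> shows only the fake address on a phone.
    for embedded in ADDRESS_RE.findall(name):
        if embedded.lower() != addr.lower():
            reasons.append(f"display name embeds {embedded}, real address is {addr}")

    # 3. Lookalike of an internal domain (examp1e.com, exarnple.com).
    if looks_like_internal(domain_of(addr)):
        reasons.append(f"lookalike domain {domain_of(addr)}")

    # 4. Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To {reply_to} is on a different domain than {addr}")

    return reasons


# Constructed sample messages.
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nAttached.\n",
    "name_spoof": (
        "From: Jane Doe <jane.doe.finance@webmail.test>\n"
        "Reply-To: payments@invoice-portal.test\nSubject: Urgent wire\n\nPlease pay today.\n"
    ),
    "embedded": 'From: "helpdesk@example.com" <noreply@mailer.test>\nSubject: Password expiry\n\nClick here.\n',
    "lookalike": "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: MFA reset\n\nApprove now.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, spoof_indicators(raw) or "clean")
```

Run as a script it prints one line per sample; the "legit" message comes back clean, the other three each trigger at least one indicator. The lookalike normalisation is deliberately simple; a production filter would use a proper confusables table and the organisation's real domain list.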
It’s not just email anymore, either: As enterprise security firm Wandera noted in its latest mobile threat report, 83% of phishing attacks over the past year took place outside the inbox — in text messages or in apps like Facebook Messenger and WhatsApp along with a variety of games and social media services.
What’s more, while only a single-digit percentage of users actually click on phishing-related links — anywhere from 1% to 5%, depending on the industry, according to Verizon’s most current data — earlier Verizon research indicates those gullible guys and gals tend to be repeat offenders. The company notes that the more times someone has clicked on a phishing campaign link, the more likely they are to do it again in the future. Verizon has previously reported that 15% of users who are successfully phished will be phished at least one more time within the same year.
“We do see a general rise in mobile susceptibility driven by increases in mobile computing overall [and] the continued growth of BYOD work environments,” says John “Lex” Robinson, information security and anti-phishing strategist at PhishMe — a firm that uses real-world simulations to train workers on recognizing and responding to phishing attempts.
Robinson notes that the line between work and personal computing is also continuing to blur. More and more workers are viewing multiple inboxes — connected to a combination of work and personal accounts — together on a smartphone, he notes, and almost everyone conducts some sort of personal business online during the workday. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn’t seem at all unusual on the surface, even if it may in fact be a ruse.
The stakes only keep climbing higher. Cybercrooks are apparently now even using phishing to try to trick folks into giving up two-factor authentication codes designed to protect accounts from unauthorized access. Turning to hardware-based authentication — either via dedicated physical security keys like Google’s Titan or Yubico’s YubiKeys or via Google’s on-device security key option for Android phones — is widely regarded as the most effective way to increase security and decrease the odds of a phishing-based takeover.
According to a study conducted by Google, New York University, and UC San Diego, even just on-device authentication (a prompt on the phone itself) can prevent 99% of bulk phishing attacks and 90% of targeted attacks, compared with a 96% and 76% effectiveness rate for those same types of attacks with the more phishing-susceptible codes sent by SMS.
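To show why a typed code can be phished while an origin-bound key cannot, here is an added example (not from the article or the study it cites) that models a real-time phishing relay against both factors. TOTP is implemented from RFC 6238 with the standard library. The security-key side is a simplified model: the authenticator's signature is stood in for by an HMAC under a per-credential secret shared with the server (a real authenticator uses a public-key signature), which is enough to show what the signature covers and why the relay fails. The origins, relying-party ID and secrets are constructed.

```python
"""Relay phishing against a typed 2FA code versus an origin-bound assertion.

Added example; it is not code from the article or from the Google/NYU/UCSD study.
The relay: a lookalike site proxies the victim's login to the real site in real
time.  TOTP (RFC 6238, standard library only) carries no notion of where the
code was typed, so the relay works.  A FIDO2/WebAuthn-style assertion covers the
origin the *browser* observed plus the server's challenge, so the same relay
fails.  Assumption, for a stdlib-only script: the authenticator's signature is
modelled as an HMAC under a per-credential secret shared with the server; a real
authenticator uses a public-key signature, but what is covered by it is the same.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"    # constructed
PHISH_ORIGIN = "https://login.examp1e.com"   # constructed lookalike
RP_ID = "example.com"


# ---- Factor 1: TOTP code, typed by the user ----------------------------------
def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relay_attack(secret, now):
    """Victim types the code on the phishing page; attacker submits it to the real site."""
    typed_on_phishing_page = totp(secret, now)
    # The real server has no way to tell which page the code was typed into.
    return hmac.compare_digest(totp(secret, now), typed_on_phishing_page)


# ---- Factor 2: origin-bound assertion -----------------------------------------
def client_data(challenge, origin):
    """Built by the browser: it records the origin it is actually showing."""
    return json.dumps({"challenge": challenge.hex(), "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_secret, rp_id, cdata):
    """Stand-in for the signature over authenticatorData || SHA-256(clientDataJSON)."""
    to_sign = rp_id.encode() + hashlib.sha256(cdata).digest()
    return hmac.new(cred_secret, to_sign, hashlib.sha256).digest()


def server_verify(cred_secret, expected_challenge, cdata, sig):
    data = json.loads(cdata)
    if data.get("origin") != REAL_ORIGIN:                               # wrong origin: reject
        return False
    if bytes.fromhex(data.get("challenge", "")) != expected_challenge:  # replay: reject
        return False
    return hmac.compare_digest(authenticator_sign(cred_secret, RP_ID, cdata), sig)


def legitimate_login(cred_secret):
    challenge = secrets.token_bytes(32)
    cdata = client_data(challenge, REAL_ORIGIN)
    return server_verify(cred_secret, challenge, cdata, authenticator_sign(cred_secret, RP_ID, cdata))


def assertion_relay_attack(cred_secret):
    """Phishing site forwards the real challenge; the key signs it on the phishing origin."""
    challenge = secrets.token_bytes(32)            # issued by the real server to the relay
    cdata = client_data(challenge, PHISH_ORIGIN)   # browser writes the origin it sees
    sig = authenticator_sign(cred_secret, RP_ID, cdata)
    return server_verify(cred_secret, challenge, cdata, sig)


def assertion_relay_with_tampered_origin(cred_secret):
    """Attacker rewrites the origin before forwarding: signature no longer matches."""
    challenge = secrets.token_bytes(32)
    cdata = client_data(challenge, PHISH_ORIGIN)
    sig = authenticator_sign(cred_secret, RP_ID, cdata)
    forged = client_data(challenge, REAL_ORIGIN)
    return server_verify(cred_secret, challenge, forged, sig)


if __name__ == "__main__":
    import time
    print("TOTP relay succeeds:", totp_relay_attack(b"12345678901234567890", int(time.time())))
    cred = secrets.token_bytes(32)
    print("legitimate assertion:", legitimate_login(cred))
    print("relayed assertion:", assertion_relay_attack(cred))
    print("relayed + rewritten origin:", assertion_relay_with_tampered_origin(cred))
```

The TOTP function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082` at six digits), and the relay against it succeeds because nothing in the code depends on the page it was typed into. The assertion relay fails twice over: the browser records the lookalike origin, and rewriting it invalidates the signature that covers it.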
Wi-Fi interference
A mobile device is only as secure as the network it sends its data through. In an era when we are all constantly connecting to public Wi-Fi networks, that means our information often isn’t as secure as we might assume.
Just how significant of a concern is this? According to research by Wandera, corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4% of devices have encountered a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within the most recent month. McAfee, meanwhile, says network spoofing has increased “dramatically” as of late, and yet less than half of people bother to secure their connection while traveling and relying on public networks.
“These days, it’s not difficult to encrypt traffic,” says Kevin Du, a computer science professor at Syracuse University who specializes in smartphone security. “If you don’t have a VPN, you’re leaving a lot of doors on your perimeters open.”
Selecting the right enterprise-class VPN, however, isn’t so easy. As with most security-related considerations, a tradeoff is almost always required. “The delivery of VPNs needs to be smarter with mobile devices, as minimizing the consumption of resources — mainly battery — is paramount,” Gartner’s Zumerle points out. An effective VPN should know to activate only when absolutely necessary, he says, and not when a user is accessing something like a news site or working within an app that’s known to be secure.
Out-of-date devices
Smartphones, tablets and the smaller connected devices commonly known as the Internet of Things (IoT) pose a new risk to enterprise security: unlike traditional work devices, they generally don’t come with guarantees of timely and ongoing software updates. This is especially true on the Android front, where most manufacturers are embarrassingly ineffective at keeping their products up to date, both with operating system (OS) upgrades and with the smaller monthly security patches in between, and with IoT devices, many of which aren’t designed to receive updates at all.
“Many of them don’t even have a patching mechanism built in, and that’s becoming more and more of a threat these days,” Du says.
Increased likelihood of attack aside, extensive use of mobile platforms raises the overall cost of a data breach, according to Ponemon, and an abundance of work-connected IoT products only pushes that figure higher. The Internet of Things is “an open door,” according to cybersecurity firm Raytheon, which sponsored research in which 82% of IT professionals predicted that unsecured IoT devices would cause a data breach, likely a “catastrophic” one, within their organization.
Again, a strong policy goes a long way. There are Android devices that do receive timely and reliable ongoing updates. Until the IoT landscape becomes less of a wild west, it falls upon a company to create its own security net around them.
Cryptojacking attacks
A relatively new addition to the list of relevant mobile threats, cryptojacking is an attack in which someone uses a device to mine cryptocurrency without the owner’s knowledge. If that sounds like technical mumbo-jumbo, just know this: the mining process uses your company’s devices for someone else’s gain, and it leans heavily on the hardware to do it, so affected phones will probably suffer poor battery life and could even be damaged by overheating components.
While cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 through the early part of 2018. Unwanted cryptocurrency mining made up a third of all attacks in the first half of 2018, according to a Skybox Security analysis, with a 70% increase in prominence during that time compared to the previous half-year period. And mobile-specific cryptojacking attacks absolutely exploded between October and November of 2017, when the number of mobile devices affected saw a 287% surge, according to a Wandera report.
Since then, things have cooled off somewhat, especially on mobile, a shift aided largely by the banning of cryptocurrency mining apps from Apple’s iOS App Store and from Google Play in June and July 2018, respectively. Still, security firms note that attacks continue to see some success via mobile websites (or even just rogue ads on mobile websites) and through apps downloaded from unofficial third-party markets.
Analysts have also noted the possibility of cryptojacking via internet-connected set-top boxes, which some businesses use for streaming and video casting. According to security firm Rapid7, attackers have taken advantage of an apparent loophole on such products: the Android Debug Bridge, a command-line interface intended only for developer use, is left reachable over the network without authentication, leaving the devices ripe for abuse.
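What “reachable” means in practice can be checked without an exploit. The following is an added example (not code from the article or from Rapid7) that speaks the opening of the ADB wire protocol to tell an unauthenticated debug bridge from one that still enforces key authentication. ADB over TCP listens on port 5555; the two device replies in the script are constructed so that it runs offline, and probe() is the live variant.

```python
"""Probe for ADB exposed over the network without authentication.

Added example; not code from the article or from Rapid7.  ADB over TCP listens on
port 5555 and speaks a simple framed protocol (public in the ADB source):
six little-endian uint32 fields (command, arg0, arg1, data_length, data_check,
magic = command XOR 0xFFFFFFFF) followed by the payload, data_check being the
byte sum of the payload.  A client opens with CNXN; a device that still enforces
key authentication answers AUTH(TOKEN), one that does not answers CNXN with its
banner, and from then on anyone on the network has a shell.  The replies used
below are constructed so the script runs offline; probe() is the live version.
"""
import socket
import struct

HEADER = struct.Struct("<6I")        # 24-byte ADB message header
A_CNXN = 0x4E584E43                  # b"CNXN" as little-endian uint32
A_AUTH = 0x48545541                  # b"AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
AUTH_TOKEN = 1                       # AUTH arg0: device sends a 20-byte random token to sign


def build_message(command, arg0, arg1, payload):
    check = sum(payload) & 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(payload), check, command ^ 0xFFFFFFFF) + payload


def build_cnxn():
    """The client's opening message: CNXN(version, max payload, "host::")."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(raw):
    """Return (command name, payload); raise ValueError if this is not an ADB frame."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, _arg0, _arg1, length, check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB frame")
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if sum(payload) & 0xFFFFFFFF != check:
        raise ValueError("checksum mismatch")
    return struct.pack("<I", command).decode("ascii", "replace"), payload


def is_adb_frame(raw):
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def classify(reply):
    """Turn the device's first reply into a finding."""
    name, payload = parse_message(reply)
    if name == "CNXN":
        banner = payload.rstrip(b"\x00").decode("ascii", "replace")
        return "OPEN: unauthenticated ADB, banner=" + banner
    if name == "AUTH":
        return "AUTH-REQUIRED: ADB reachable, RSA key check still enforced"
    return "UNKNOWN: " + name


def probe(host, port=5555, timeout=3.0):
    """Live check against one host (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn())
        return classify(sock.recv(HEADER.size + MAX_PAYLOAD))


# Constructed replies standing in for two devices.
OPEN_BOX_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=tvbox;ro.product.model=X1;ro.product.device=tvbox;\x00")
LOCKED_REPLY = build_message(A_AUTH, AUTH_TOKEN, 0, bytes(20))

if __name__ == "__main__":
    print(classify(OPEN_BOX_REPLY))
    print(classify(LOCKED_REPLY))
```

Even the "AUTH-REQUIRED" result is a finding worth raising: a debug bridge should not be listening on a production network at all, authenticated or not, and the fix on Android is to disable network ADB (or USB debugging entirely) rather than to rely on the key check.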
For now, there’s no great answer — aside from selecting devices carefully and sticking with a policy that requires users to download apps only from a platform’s official storefront, where the potential for cryptojacking code is markedly reduced — and realistically, there’s no indication that most companies are under any significant or immediate threat, particularly given the preventative measures being taken across the industry. Still, given the fluctuating activity and rising interest in this area over the past months, it’s something well worth being aware of and keeping an eye on as 2019 progresses.
Poor password hygiene
You’d think we’d be past this point by now, but somehow, users still aren’t securing their accounts properly — and when they’re carrying phones that contain both company accounts and personal sign-ins, that can be particularly problematic.
A recent survey by Google and Harris Poll found that just over half of the Americans sampled reuse passwords across multiple accounts. Equally concerning, nearly a third aren’t using 2FA (or don’t know whether they are, which might be slightly worse). Only a quarter actively use a password manager, which suggests the vast majority of people probably don’t have particularly strong passwords in most places, since they’re presumably generating and remembering them on their own.
Things only get worse from there: According to a 2018 LastPass analysis, a full half of professionals use the same passwords for both work and personal accounts. And if that isn’t enough, an average employee shares about six passwords with a co-worker over the course of his or her employment, the analysis found.
Lest you think this is all much ado about nothing, in 2017, Verizon found that weak or stolen passwords were to blame for more than 80 percent of hacking-related breaches in businesses. From a mobile device in particular — where workers want to sign in quickly to various apps, sites, and services — think about the risk to your organization’s data if even just one person sloppily types the same password they use for a company account into a prompt on a random retail site, chat app, or message forum. Now combine that risk with the aforementioned risk of Wi-Fi interference, multiply it by the total number of employees in your workplace, and think about the layers of likely exposure points that rapidly add up.
Perhaps most vexing of all, most people seem completely oblivious to their oversights in this area. In the Google and Harris Poll survey, 69 percent of respondents gave themselves an “A” or “B” at effectively protecting their online accounts, despite subsequent answers that indicated otherwise. Clearly, you can’t trust a user’s own assessment of the matter.
Physical device breaches
Last but not least is something that seems especially silly but remains a disturbingly realistic threat: A lost or unattended device can be a major security risk, especially if it doesn’t have a strong PIN or password and full data encryption.
Consider the following: In a 2016 Ponemon study, 35% of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN, or biometric security guarding their devices — and about two-thirds said they didn’t use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.
Things don’t seem to be getting any better. In its 2019 mobile threat landscape analysis, Wandera found that 43% of companies had at least one smartphone in their roster without any lock screen security. And among users who did set up passwords or PINs on their devices, the firm reports, many opted to use the bare-minimum four-character code when given the opportunity.
The take-home message is simple: Leaving the responsibility in users’ hands isn’t enough. Don’t make assumptions; make policies. You’ll thank yourself later.
Mobile ad fraud
Mobile advertising generates a lot of revenue: about $57.9 billion in the first half of 2019 alone, according to an Interactive Advertising Bureau (IAB) report. Cyber criminals follow the money, so it’s no surprise they’ve found ways to siphon cash from mobile ad revenue streams. Estimates of how much ad fraud costs vary, but Juniper Research projects a $100 billion loss per year by 2023.
Ad fraud can take several forms, but the most common uses malware to generate clicks on ads that appear to come from a legitimate user in a legitimate app or on a legitimate website. For example, a user might download an app that offers a genuine service, such as a weather forecast or messaging. In the background, however, the app generates fraudulent clicks on the legitimate ads it displays. Publishers are typically paid per ad click, so mobile ad fraud steals from companies’ advertising budgets and can deprive honest publishers of revenue.
The biggest victims are mobile advertisers and ad-supported publishers, but ad fraud does harm to mobile users, too. As with cryptojacking, ad fraud malware runs in the background and can slow a smartphone’s performance, drain its battery, incur higher data charges, or cause overheating. Based on its own tracking data, security vendor Upstream estimates that smartphone users lose millions of dollars each year due to higher data charges from mobile ad malware.
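The background-click behaviour described above leaves a statistical fingerprint. As an added example (not code from the article or from Upstream), the Python below computes per-device click-through rate and impression-to-click latency from a constructed ad event log and flags devices whose clicks are too frequent and too regular to be human; the thresholds are assumptions to be tuned against real traffic.

```python
"""Click-fraud signals in mobile ad event logs.

Added example; not code from the article or from Upstream.  An app that clicks ads
in the background produces clicks no human would: a click-through rate far above
market norms and clicks that follow their impressions with near-constant latency.
The log lines below are constructed; the thresholds are assumptions to be tuned
against real traffic.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: device_id  ISO-timestamp  event  ad_id
LOG = """\
dev-A 2019-11-03T09:12:01 impression ad-1
dev-A 2019-11-03T09:12:07 click ad-1
dev-A 2019-11-03T09:40:10 impression ad-2
dev-A 2019-11-03T10:05:33 impression ad-3
dev-A 2019-11-03T12:21:02 impression ad-1
dev-A 2019-11-03T13:02:11 impression ad-2
dev-A 2019-11-03T15:47:52 impression ad-4
dev-A 2019-11-03T18:10:40 impression ad-3
dev-A 2019-11-03T19:33:19 impression ad-1
dev-A 2019-11-03T20:58:05 impression ad-2
dev-A 2019-11-03T22:14:27 impression ad-4
dev-B 2019-11-03T03:10:00 impression ad-1
dev-B 2019-11-03T03:10:02 click ad-1
dev-B 2019-11-03T03:10:30 impression ad-2
dev-B 2019-11-03T03:10:32 click ad-2
dev-B 2019-11-03T03:11:00 impression ad-3
dev-B 2019-11-03T03:11:02 click ad-3
dev-B 2019-11-03T03:11:30 impression ad-1
dev-B 2019-11-03T03:11:32 click ad-1
"""


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        device, stamp, kind, ad = line.split()
        events.append((device, datetime.fromisoformat(stamp), kind, ad))
    return sorted(events, key=lambda e: e[1])


def analyze(text, ctr_threshold=0.25, max_latency_stdev=1.0, min_clicks=3):
    """Per-device CTR and impression-to-click latency; flag bot-like devices."""
    last_shown = {}                                   # (device, ad) -> impression time
    per_device = defaultdict(lambda: {"impressions": 0, "clicks": 0, "latencies": []})
    for device, when, kind, ad in parse_log(text):
        d = per_device[device]
        if kind == "impression":
            d["impressions"] += 1
            last_shown[(device, ad)] = when
        elif kind == "click":
            d["clicks"] += 1
            shown = last_shown.get((device, ad))
            if shown is not None:                     # click without an impression: no latency
                d["latencies"].append((when - shown).total_seconds())
    report = {}
    for device, d in per_device.items():
        ctr = d["clicks"] / d["impressions"] if d["impressions"] else 0.0
        lat = d["latencies"]
        spread = statistics.pstdev(lat) if len(lat) >= 2 else None
        bot_like = (ctr >= ctr_threshold and len(lat) >= min_clicks
                    and spread is not None and spread <= max_latency_stdev)
        report[device] = {"ctr": round(ctr, 3), "latency_stdev": spread, "flag": bot_like}
    return report


if __name__ == "__main__":
    for device, row in analyze(LOG).items():
        print(device, row)
```

On the constructed data dev-A (one click in ten impressions, at an irregular delay) passes, while dev-B (a click exactly two seconds after every impression, in the middle of the night) is flagged. Real detection pipelines add more signals, such as clicks outside the device's usual active hours or identical click coordinates, but the two computed here are the ones a background click SDK finds hardest to hide.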
Android is by far the most popular platform for mobile ad fraud.
According to Upstream, these are some of the most widespread malicious Android apps to avoid:
Free Messages, Video, Chat, Text for Messenger Plus
Who Unfriended Me
The Upstream report recommends that users:
- Regularly check their apps and delete any that look suspicious.
- Monitor data usage for unusual spikes.
- Install apps only from Google Play.
- Check an app’s reviews, developer details, and list of requested permissions before installing to make sure they all apply to the app’s stated purpose.