Five new threats to your mobile device security

More than 99 per cent of new mobile malware is designed to target Android: report

Attacks that proved successful on PCs are now being tested on unwitting mobile device users to see what works -- and with the number of mobile devices with poor protection soaring, there are plenty of easy targets. "Attackers are definitely searching after the weakest point in the chain," and then homing in on the most successful scams, says Lior Kohavi, CTO at CYREN, a cloud-based security solutions provider in McLean, Va.


Google's Android operating system averaged 5768 malware attacks daily over a six-month period, according to CYREN's Security Report for 2013. Today more than 99 per cent of new mobile malware is designed to target Android, according to a Q1 2014 Mobile Threat Report by security firm F-Secure Corp. based in Finland. But that doesn't mean Apple's iOS on iPhones and iPads is immune. The number of documented vulnerabilities for iOS on Apple iPhones and iPads increased 82 percent in 2013, according to a Symantec report, though it adds that this doesn't necessarily lead to malware that exploits those vulnerabilities.

BYOD programs entice hackers even more, with the holy grail now being to infiltrate a company's perimeter through mobile devices, either through social engineering scams that get access to company data through a mobile device, or just by sitting across the street and attacking the company's WiFi through an infected mobile phone. Small and midsize businesses face higher risks because they're often not able to keep up with BYOD policies, and threats can change every three to six months.

With all of that in mind, here are five new threats to your mobile device security:

1. Mobile phishing and ransomware

Just as in PC scams, bad guys are using social engineering through mobile apps and SMS text messages to make people click on links, taking advantage of human behavior and trust to gain access to data or infiltrate businesses. Malware then ends up on the user's PC.


"If they can make you believe a message is from a trusted source, chances are you will click," says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla. "This trick has been used with email, instant messaging, social networks, and [now] they are even spoofing SMS text messages." Even email messages, when opened on a mobile device, can infect laptops and enterprise systems. Sjouwerman advises mobile users to check for red flags. "If you click on an email message from a mobile app without checking for anything suspicious, you might download malware and infect your PC, so think before you click!"

Sjouwerman also sees an increase in ransomware via mobile devices that run Google's Android OS. In this case, the mobile user opens an infected attachment, which locks all files until the user pays $500.

"It's been around for PCs for a while, and it's now out there in the wild for Android phones, as well," he says. The most common source of the infection, he adds, is from manually downloading software that claims to be a video player from a website other than the Google Play App Store.

2. Using an infected mobile device to infiltrate nearby devices

When working inside a company to identify vulnerabilities, pentester and mobile security expert Georgia Weidman recently asked herself from a hacker's perspective, "wouldn't it be nice if we could just walk into the network with a compromised phone and have direct network access" by way of a client side attack or social engineering.  She concluded that in many cases you can.

"An infected mobile device allows you to breach an organization's perimeter and directly attack the devices on the network instead of having to break in some other way, you've already got direct network access," Weidman says.


Consider a simple scenario.  An Android device has been infected with the Smartphone-Pentest-Framework, or SPF Agent. The unsuspecting user thinks it's an official news app, for instance, and thinks nothing of it, but it is also communicating with an SPF console that's giving thieves access to mobile device data.  That device is sharing WiFi with the laptop sitting nearby, and the thief is also able to breach the laptop, which contains company information or access to corporate systems.

"If I have control of their mobile devices, I can go the traditional route like stealing their contacts or sending text messages to a premium number, but also if the device is connected to a WiFi network I can attack additional systems on that network from the infected phone," she explains. "Whether I'm connected to my home WiFi, work WiFi or Starbucks WiFi, if there are any devices with vulnerabilities on that network, I can potentially exploit them directly from the infected mobile device."

3. Cross-platform banking attacks

Gangs are also using malware on PCs to infiltrate mobile phones in hybrid attacks on users' banking accounts, according to John Shier, security advisor at Sophos. A piece of malware dropped on the user's laptop can detect when the user is surfing his banking website. In what is dubbed a "man in the browser" attack, the spying is all done in browser memory "so they can intercept your banking credentials before they get encrypted and sent across the wire," he explains. Adding to the scam, thieves put up a warning message, such as "for increased security, download this app," and they ask for the user's phone number and email address so they can send an SMS to the phone or a download link.


"You click on the SMS and download the app, and they basically own your desktop and your phone," he says.

4. Cryptocurrency mining attacks

Wondering why your mobile device is losing battery power too quickly or why it feels overheated? You might have cryptocurrency mining malware on your device. The malware infiltrates mobile devices in search of digital currencies, like Bitcoin, Litecoin and Dogecoin.

Found mostly in Android devices, the apps were injected in many cases with the CPU mining code from a legitimate Android cryptocurrency mining app. The miner is started as a background service once it detects that the affected device is connected to the internet.  By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous digital currency mining pool.

"The reality is that the capabilities on the phone aren't as great as they are in a big server or mainframe attacks," says Kohavi. "But it's a trial and error for these organized criminals to be able to put their foot into an area and then leverage that and see what they can get out of it."

5. The enemy is us

Despite the 24/7 reliance on mobile devices by most consumers, they don't appear to be getting any smarter about security, researchers say. In 2012, 44 percent of adults were unaware that security solutions existed for mobile devices, according to Symantec's Threat Report. That number rose to 57 percent in a 2013 Threat Report, released in April 2014. A lack of education among mobile users is partly to blame, according to the report. Also, people who had feature phones with limited security requirements became smartphone users and weren't aware of the need to install a security app.

Looking ahead, experts agree that mobile device malware and scams will only increase as users pack their mobile phones with more rich and sensitive data -- and the implications will be even greater for businesses that hire young workers.


"Gen Y is a very social and sharing culture," says Chris Silvers, owner and principal information security consultant at CG Silvers Consulting in Atlanta. With a new generation of workforce emerging, "it's going to be interesting to see how they handle [their sensitive information]. There's so much information already out there -- you just can't go get it back."


Stories by Stacy Collett
