Mobile devices have become more ingrained in daily working patterns. We’ve all picked up IMs on our phones, taken Zoom calls, and maybe looked at a customer record on a nearby device. In a typical organization today, 60% of devices containing or accessing enterprise data are mobile. So it’s essential organizations get up to speed on mobile security to defend against threats like mobile malware and better protect data.

Threats are becoming more sophisticated and apparent on pretty much every platform, even mainstream applications can become a threat without the right maintenance. We only need to look at the WhatsApp vulnerability. To manage these threats, organizations must better understand how all applications interact with your environment and their potential risk.

The larger issue at hand is the misconceptions of mobile security like ‘UEM is enough to protect mobile devices’, ‘mobile OSs are completely secure’, and ‘the official app stores are free from risk’. But mobile is just another endpoint that can be exploited. As mobile devices interact with corporate environments more and more, it is inevitable that they are going to be involved with security breaches.

Our Cloud Security Report 2020 highlights some of the noteworthy security issues we saw in 2020:

  • 52% of organizations experienced a malware incident on a remote device, up from 37% in 2019
  • Android devices were 5.3x more likely to have a vulnerable app, and one which may be infected with malware, installed than iOS devices
  • Companies with at least one device compromised by malware are 4.4x to be impacted by a password leak than other companies

Why is mobile malware a threat to businesses?

Managing regulatory compliance is a must for every business and making sure that every form factor is properly protected will mitigate the risk of non-compliance. End users need to be aware of acceptable usage as well as the security risks associated with mobile devices.

End users won’t be as savvy when it comes to security threats and there is only a certain amount that security awareness training will do. Organizations can expect end users to be the first line of defense, but not the sole line.

Mobile devices aren’t laptops, and user behavior is different. We’re inundated with notifications, often moving about or multi-tasking while using a mobile, this distracted state can make end users more susceptible to attacks.

End users can be blasé about app permissions and rarely read through what access is being granted. Security researchers in Norway found a vulnerability known as ‘Strandhogg’ that can exploit the permission pop-up windows on Android. Although permissions are meant to be a safety feature, they were able to intercept your phone’s SMS messages, camera or contacts once it receives approval.

Security risks are exacerbated by the remote working environment. In a study by High-Tech Bridge Security Research, 92% of FT 500 companies said they were worried their growing mobile workforce is a catalyst for increasing the risk of security issues. This is also compounded by the fact that many businesses have had to enable Bring Your Own Device (BYOD) programs just to get operational.

BYOD presents an additional security challenge for businesses, not just in terms of malware. The administrative limitations make it difficult to ensure that a personal device meets the baseline security requirements before provisioning access to a corporate environment. It’s difficult to ensure that users haven’t installed a risky or malicious application, hence the reason why many businesses are turning to Zero Trust Network Access (ZTNA) to perform endpoint diagnostics and make sure that a device is healthy before granting access.

Users are also more likely to access inappropriate content which could infect their personal devices with mobile malware – we found during the pandemic last year that access to gambling and adult content was up 100%.

What is the most common goal for mobile malware?

Cybercriminals have a few mobile malware techniques in their arsenal when developing malicious apps. For malware to work, it must evade the controls built into mobile OSs, for instance, ones for store curation and native application hardening, which is a technical process that implements security measures to protect apps against reverse-engineering or tampering.

Mobile malware takes different forms depending on the capabilities and motivations of the hackers. Some have objectives to gain persistent control over a device. Others may seek to hold data ransom or cause an interruption in productivity.

 

Mobile Malware users risky app adoption
This graph shows the notable increase of up to 100% in connections to inappropriate content during office hours.
Mobile malware site gambling adult content usage graph
This graph shows that connections to adult and gambling sites are growing at an equal rate and staying roughly constant.

How has mobile malware evolved in 2021?

‘Mal-innovation’, a term coined in Verizon’s report, defines how attackers’ capabilities have advanced to exploit vulnerabilities and monetize attacks. And this is true, cybercriminals are becoming far more sophisticated. In a recent attack, a hacker infiltrated a large, global corporation’s Mobile Device Management (MDM) system and proceeded to distribute malware to over 75% of managed mobile devices.

Official app stores aren’t as safe as they’re made out to be, you only have to search for ‘malicious apps’ on Google. Malware developers are now producing apps written in the OS’s native code making it harder for Google and Apple to detect malicious behavior. These advancements have enabled hackers to bypass controls and host malicious apps on the App and Play stores.

Third-party apps, can surpass the thorough vetting processes of the App and Play stores and, more often than not, are malicious and infected with malware. A recent example is a HiddenAds malware which was disguised in 21 popular games on the Play store, the cybercriminals even went as far as advertising the games on social media. As a result, the infected gaming apps were downloaded around 8 million times.

Learn more about third-party apps here.

Malware as a service

Malware as a service is the criminal version of SaaS. Bad actors no longer need to be technically savvy and can purchase subscription-based ‘create your own malware’ kits online. Agent Tesla, a Malware as a Service provider, is promoted and sold just like a legitimate service and attackers can subscribe to one of the many tiers ranging from as little as $14 a month, customers can also gain 24/7 support from the malware as a service.

Malware as a service has been widely adopted by organized cybercriminals to execute a larger scale of attacks and is a lucrative business to be involved in. The prolific 7-year old Trojan, Agent Tesla, can steal credentials from workplace tools like Google Chrome, Firefox, and Outlook, and also spy on victims. Since its initial launch in 2014, developers have advanced the kit’s capabilities and they can now extract Wi-Fi profiles too.

Malicious apps infected with mobile malware in 2021 so far

Here are some instances of mobile malware identified in 2021:

  • Barcode Scanner: adware infected 10 million Android users in March 2021. Users of the app received an influx of ads hijacking their devices. What’s strange about the outbreak is that none of the users recently installed the app, so the malware is likely to have been inherited from an ad SDK. Google Play was quick to remove this app from the store, however, it could still be on millions of devices.
  • AndroidOS/MalLocker.B: Microsoft detected a sophisticated new ransomware app – AndroidOS/MalLocker.B, which was circulated on online forums. The bad actors responsible masqueraded the malware as popular apps, cracked games or video players. Once installed, the ransomware blocks access to devices by displaying alternate screens and instructions to pay a ransom.
  • Uyghur Community Hack: Through initial social engineering efforts, cybercriminal group ‘Evil Eye’ targeted over 500 people from the Uyghur community globally on Facebook. In the Uyghur community groups, hackers would share fake prayer apps and Uyghur community keyboards. Once downloaded, the fake apps infected devices using two strains of Android trojan malware: ActionSpy and PluginPhantom. On iOS devices, the hackers leveraged malware known as Insomnia.
  • Crypto wallet Trezor: cybercriminals created a fake crypto wallet app disguised as crypto brand Trezor. Trezor doesn’t have an app, or any documentation online stating they don’t have one. Hackers leveraged this by making a malicious app to lure unsuspecting users. Users who fell victim to this attack entered their credentials and had their cryptocurrency stolen, one victim reportedly lost $660,000 in this attack.
  • Clubhouse app: a fake malicious version of the invite-only audio app appeared in March 2021. The real app can only be downloaded when members share a link to join a conversation. Hackers took advantage of the white space during March 2021, creating malicious apps posing as the genuine Clubhouse app. When users launch the fake Trojan app, the malware creates a data stealing overlay of the app and requests the user to login and users hand over credentials to cybercriminals. The trojan – nicknamed “BlackRock” can steal victims’ login data for no fewer than 458 online services. The malware was also able to intercept SMS messages for 2FA attacks and take control of the user’s device.

How to protect your users from mobile malware

To protect users from mobile malware, you need to ensure you have a Mobile Threat Defense solution capable of protecting against on device and in network threats. Understanding the health of a device is critical, and a core principle of ZTNA, making sure that only health devices are granted access to corporate services.

Learn more about Wandera’s Security Suite here.