The mobile threat landscape is an interesting topic, partly because it’s so controversial. Talking to different people within the field can bring up wildly differing opinions over the severity of the situation. Fear-mongers will tell you that every device you own has already been compromised, while others will say the world is a very secure place. In reality, we are probably somewhere in the middle.

At our Level conference in May, our very own Dr. Michael Covington gave his thoughts on the mobile threat landscape and where he sees it going.

Identifying a Mobile Threat

Not all threats are going to look the same. It is not a simple case of telling your employees what they can and can’t download. There are a lot of different threat vectors for mobile that you need to be aware of, and small things can be big threats. You need to understand the posture of your mobile estate and tend to it regularly.
Mobile risk refers to more than just malware: it also covers things like jailbroken devices and infrastructure issues, where attackers can look at the data going in and out of a device. With all these threat vectors to take into consideration, where do you start with identifying each one?

Understanding the threat

Most malware out there is made for Windows, so what if you get some Windows malware on your Android phone? Is this a threat? Well, probably not; you can probably let your user continue using their device and being productive. This is why it is really important to understand and put into perspective what a threat is, not just in general, but what it is to that user, to that device, and to your organization.
Being able to understand where you are exposed before you are exploited is a good way to get your estate under control before the bad guys get to it. Knowing things like the vulnerabilities that are built into the device, or how many of your devices are running an out-of-date operating system, are all tools for managing risk.

Block them before they stop you

Michael talks about threats in terms of risk because a risk is something that can be managed. Start with risky content: things you know are bad before users even get there. Some of our customers use our content filtering services to block access to gambling sites or adult content. In these cases, they have identified content that not only violates the company’s acceptable usage policy but has also been found to be more likely to conceal viruses.
Now you can identify risk and preemptively prevent someone from getting sucked in before something bad happens. For phishing attacks, if you can stop the user from getting to a site that is hosting an attack, that is a great way to get ahead of the threat.


Inside jobs

We’re all downloading apps and using websites that are built for mobile, and many of them are built very quickly. Developers are more interested in time to market than in a secure development lifecycle for their apps, and therefore are not always going through security reviews. We have highlighted over 1000 apps that are not protecting sensitive information.
Sometimes the app in question is built in-house and is found to leak IP and other customer information. Other times the usernames and passwords it collects are reused on other websites. These cases can easily be prevented: it wasn’t an outside attack trying to compromise the device, the attacker accessed the intellectual property directly through the app.

All hands on deck

So when you start looking at the threats, it looks like a thermometer: threats and risks come in degrees. You start to see how you can get ahead of some things, and how you can get others under control with monitoring. And when you do get a true threat, that big command-and-control traffic, that’s when you need all hands on deck. But that is 1 instance out of 100 where you are going to need everybody on board. Everything else you can manage day in and day out.

Our data

  • 10% of corporate mobile devices are accessing what we class as risky content on a daily basis
  • 25% of corporate mobile devices are on not just outdated, but severely outdated operating systems
  • 50% of our customers are visiting apps and websites that are leaking passwords
  • 10% of the security incidents that we saw last year were true threats – by that we mean malicious code found on devices, or command-and-control traffic that was exfiltrating sensitive IP from these devices
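The talk's "thermometer" of degrees and the fleet-level figures above can be turned into a small triage routine. This is an added example, not code from the talk or from Wandera; the device records, the minimum OS versions and the risky-content categories are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Degrees on the "thermometer", lowest to highest.
DEGREES = ["prevent", "monitor", "all hands on deck"]
# Constructed policy values for this example, not figures from the talk.
MIN_OS = {"ios": (10, 0), "android": (7, 0)}   # oldest acceptable major.minor
RISKY_CATEGORIES = {"gambling", "adult", "phishing"}

@dataclass
class Device:
    device_id: str
    platform: str          # "ios" or "android"
    os_version: tuple      # (major, minor)
    events: list           # constructed telemetry: (kind, detail) tuples

def triage(device):
    """Map one device's posture and events to findings and their degree."""
    findings = {}
    if device.os_version < MIN_OS[device.platform]:
        findings["outdated_os"] = "monitor"          # manage day in, day out
    for kind, detail in device.events:
        if kind == "category" and detail in RISKY_CATEGORIES:
            findings["risky_content"] = "prevent"    # block before the user arrives
        elif kind == "app_leak":
            findings["leaky_app"] = "monitor"        # visibility into leaking apps
        elif kind == "c2_traffic":
            findings["true_threat"] = "all hands on deck"
    return findings

def highest_degree(findings):
    """Most severe degree among a device's findings, or None if it is clean."""
    return max(findings.values(), key=DEGREES.index, default=None)

def fleet_summary(devices):
    """Fraction of the fleet carrying each finding, in the style of 'Our data'."""
    counts = Counter(f for d in devices for f in triage(d))
    return {f: round(c / len(devices), 2) for f, c in counts.items()}

def prioritise(devices):
    """Device ids ordered most severe first; clean devices are omitted."""
    ranked = [(d.device_id, highest_degree(triage(d))) for d in devices]
    ranked = [r for r in ranked if r[1] is not None]
    return [i for i, _ in sorted(ranked, key=lambda r: -DEGREES.index(r[1]))]

# Constructed sample fleet.
FLEET = [
    Device("d1", "ios", (9, 3), [("category", "gambling")]),
    Device("d2", "android", (8, 1), [("app_leak", "credentials")]),
    Device("d3", "android", (6, 0), [("app_leak", "media"), ("c2_traffic", "beacon")]),
    Device("d4", "ios", (12, 1), []),
]
```

Running `fleet_summary(FLEET)` gives the per-finding fractions and `prioritise(FLEET)` puts the one device with command-and-control traffic ahead of everything that can be handled by blocking or monitoring.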

Hiding in plain sight

XcodeGhost made us question where trust begins. Several thousand apps ended up containing malicious code that originated from a hacker adding it to a compiler widely used by developers to build their apps.
We still see this today, a year on from the industry bringing down the infected apps and their command-and-control services. Not only are devices running out-of-date operating systems, but now they have out-of-date apps that could be resurrected at any point. Who knows what else could be hidden in them.

It’s not always what it looks like

One calculator on the Play Store looked and worked like a calculator, but in the background it was going out to websites and downloading lots of different things. Beyond the performance issues, we don’t know what data was taken in this attack. A free music player was asking for microphone and camera access; it was gathering information, including media it managed to record, and uploading it to command-and-control services.

Part of this is education, part of this is visibility. If you constantly monitor devices you know what apps are in use, and which devices are at risk.

We have to be open to completely new vectors for attack. People expect text messaging to be free of phishing and malware because it started that way. Not anymore: we see very targeted attacks coming through texts. Downloading apps from an official app store also does not guarantee protection. The infrastructure itself is now being compromised. Not everything is a man-in-the-middle attack, but we are seeing more attacks where the bad guys set up free access points, wait for you to connect, and then take your data in the process.


Attacks have layers

Let’s not forget, attackers have a purpose and a plan: they are after money, intellectual property and your reputation. So it is worth remembering that the device which has malware on it today may or may not be the end objective. It might be part of a broader strategy to get into your organization. And they may not be after mobile at all; attackers are probably not interested in compromising the iPhone itself, they are after it as a pivot point into the organization.

It’s important to train your users. They are not trying to be malicious; often they have just not been trained, or the UI in front of them is designed to make things easy, and that has made it easy for the attacker too.

Risks can be managed, get them under control

You need to be looking at what vulnerabilities you have to begin with, and know where you are vulnerable before data is lost. By identifying risky downloads and educating your staff it is possible to reduce the chances of threats in the first place. Combine this with dynamic tools that look for patterns of behaviour, not just a piece of code, and that give you the visibility to see data leaks and make sure that information doesn’t leave the organization in the first place.