We’ve had our finger on the mobile security pulse for some time now but it seems mobile threats are gaining more “mainstream” attention than ever before. Malicious apps are finding their way onto official app stores; cleverly disguised phishing attacks are targeting the world’s biggest brands; leaking apps and sites are painting the internet with your PII; that’s just to name a few things that are keeping CISOs up at night. As mobile becomes more powerful and more ingrained in business, the security risks stack up in step.

It would be nice to end the year on a positive note but sadly we don’t expect the assault on mobile to slow down. Leading analysts are now urging businesses to invest in Mobile Threat Defense (MTD) stating “mobile threats can no longer be ignored”. According to PhishLabs research, 49% of phishing sites now sport the green padlock, and according to Gartner’s Market Guide to Mobile Threat Defense, 42 million mobile malware attacks take place each year.
In 2019, we expect mobile threats to increase in sophistication, broaden in distribution and delegitimize common detection techniques. Here are the risks and evolving threats that we believe will dominate the mobile agenda in 2019.

1. Malicious sites will increasingly use SSL certificates to look legitimate

Seeing a padlock in the URL bar used to be a reliable safety check but because the vast majority of websites now use encryption, hackers are also “securing” their sites to lure victims into a false sense of security. These days, there is no real barrier to entry for getting an SSL certificate, which means it’s incredibly simple for hackers to obtain them while keeping their tracks covered. For example, certificate issuers like LetsEncrypt offer SSL certificates for free so no payment information or genuine PII needs to exchange hands.

2. The Wi-Fi attack vector isn’t going away any time soon, despite 5G hype

According to our data, 71% of mobile transactions are over Wi-Fi and 29% over cellular. Will this change with the roll out of 5G? Not significantly. Despite rumors to the contrary, 5G is not going to “kill” Wi-Fi and the technologies will continue to coexist. 5G is expected to provide high-speed connectivity for users while they are outdoors; once inside, however, 5G will handoff to wireless routers, which have better coverage inside building walls. As 5G becomes more pervasive, we expect to see fewer encounters with rogue hotspots as it will trump public Wi-Fi as the primary means for mobile users to access high bandwidth connectivity while on the go.

3. Mobile Spear phishing campaigns will form the cornerstone for targeted attacks on organizations

Phishing used to be more of a ‘spray and pray’ exercise with hackers sending email blasts containing generic links to phishing pages or dropping USB thumb drives around the parking lots of corporate offices they wanted to target in the hope that they might catch one victim. Today, the art of phishing is becoming more personal. Thanks to the public nature of social media profiles and exceedingly greedy app permissions, attackers can discover a treasure trove of information about their individual victims, allowing them to orchestrate a highly personalized, believable attack that can be delivered straight to their mobile devices via a messaging or social media app. Common email phishing protection doesn’t extend to these channels of communication leaving your employees exposed to the most prolific mobile threat today. Google and Apple will continue to bolster the security of their platforms making the human factor the primary exploitable weakness.

4. Cryptojacking will be decoupled from the price of cryptocurrency

Cryptojacking burst onto the scene late 2017 when Bitcoin was booming and people figured out mining for cryptocurrency was more effective when secretly borrowing the computing power of multiple machines. Traditional uses of cryptomining are tied to the price of cryptocurrency and so the likelihood of their use goes to zero if the currency does. Now that the value of cryptocurrency has dropped, cryptojacking may evolve to target more profitable platforms like DDoS servers and IoT devices and destabilizing blockchains to influence trading.

5. Mobile will be the biggest GDPR weakness

The General Data Protection Regulation (GDPR), which came into effect this year was one of the most significant changes to data legislation yet. Mobile presents a unique challenge to GDPR compliance for a number of reasons. Mobile is arguably the biggest driver of third-party data collection. Everywhere you go, everything you search for, everything you enter into a web form is collected by your device and used to make your online experience more personalized and simple. However, 2018 saw companies like Facebook and Google come under fire for their handling of user data. This struggle between convenience and privacy will continue to heat up as we enter 2019 and the world’s data giants will be forced to justify their use of collected consumer data. Likewise, organizations will need to get a better handle on where and how their corporate and client data is being used, which is further complicated by the black box of unmonitored mobile working. Security breaches will be heavily scrutinized as the world waits for the first big GDPR fine to be issued.

We don’t have a crystal ball but we have MI:RIAM

We (and the entire security industry) can do our best to analyze trends from our own sources and external sources to come up with a hot list of things to worry about in 2019, but the reality is, today’s cybersecurity environment is very unpredictable. For that reason, we are focused on training our machine intelligence engine, MI:RIAM, to help us identify emerging threats before they hit our enterprise customers. MI:RIAM might not tell us right now whether our smart home systems are going to turn our smart toasters into killer robots in 10 years but we’re working on it.
[text-blocks id=”security-systems-guide”]