
Catching Mobile Malware In The Corporate Network

As more malicious mobile apps arrive, security firms roll out different methods of detecting the malware inside business networks

To developers, advertising frameworks may just be another way to make money from their free applications, but in at least one case -- dubbed "Vulna" by security firm FireEye -- the library has functionality that allows attackers to steal private data from a targeted phone and opens vulnerabilities that could be exploited by hackers.

The library, which FireEye has declined to name until its developer fixes the problems, underscores the dangers that mobile users and their companies will increasingly face. As smartphones and tablets become an essential part of information workers' tool sets, cybercriminals and digital spies have targeted the mobile devices to gain access to business data. Careful users who download mobile apps from well-vetted app stores are unlikely to encounter malware, but times are quickly changing, and targeted attackers will focus more heavily on mobile devices, says Manish Gupta, senior vice president of products for FireEye.

"Fundamentally, we believe that hackers have no restrictions on what they use for an infection vector -- they use what works, so mobile will be an increasing vector of choice," he says.

While malware has not become as pressing a threat on mobile devices as on personal computers, Vulna is not the only mobile vector that FireEye has found inside business networks. In another case, the company found a mobile application designed to access a device's calendar and turn on the phone's microphone during meetings, Gupta says.

To be ready for the inevitability of mobile malware, companies need to put limitations on their users, says Chet Wisniewski, senior security adviser for software security firm Sophos.

"When you allow those mobile devices to connect in, be very specific about what you are allowing them access to -- don't just throw them on the LAN with all your laptops and desktops," he says. "We have too much of a habit in our LANs to allow devices, once they are in, to access everything."

In addition, businesses should use mobile device management (MDM) software to limit users to only download apps from the major app stores. While the app stores, especially Google Play, have hosted malicious apps, Google, Apple, and others do a good job of taking down any malicious apps once they are found, Wisniewski says.

[Difficult times are ahead for app markets as professional malware developers ramp up their evasion techniques. See Distributing Malware Through Future App Stores.]

Companies should not stop at mobile device management either, says Patrick Foxhoven, chief technology officer of cloud-security firm Zscaler.

"If you want visibility into what apps are on the devices and what communications are coming from the devices, and you don't want to manage the device, then you need to do security through the network," he says.

Zscaler, which uses its security-proxy approach to detect malicious traffic, lets companies sidestep the sticky questions of trying to manage an employee-owned device and instead focus on the part of the infrastructure that belongs to them: the network and the data.

Yet attackers can use encryption to get around such network-based defenses, says FireEye's Gupta. FireEye's virtual-machine environment instead lets companies run potentially malicious files and programs and catch malware by what it does: rather than trying to catch the attacks on the network, FireEye -- which announced a new service aimed at mobile devices -- waits for the program to take a suspicious action. Companies need to find the threats, and that requires analyzing the applications that employees are downloading to their devices, he says.

In another malicious mobile app, for example, the user has to reach level 17 in a game before the malicious payload executes, says Gupta.

"You have to play the game," he says. "A static-analysis environment would not detect it, and if you are in dynamic-analysis mode, you would have to get it to execute the entire execution space."

Whichever approach a company decides to take, it should consider the question of mobile malware soon, he argues. While mobile attacks are just starting to take off, attackers will increasingly investigate the possibilities, and companies need to be prepared.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments

11/2/2013 | 2:10:27 PM
re: Catching Mobile Malware In The Corporate Network
The way apps, OEMs, and OSes are increasing, and the way mobile malware, intrusions, and vulnerabilities are growing, you need a secure network gate to prevent any intrusions from entering the corporate network, else the whole network will be held for ransom. It has been clearly proved that mRATs can easily bypass MDMs and secure containers and attack corporate networks. A real BYOD-specific network behavioral analysis, and a complete BYOD-specific vulnerability scan and risk analysis, are the need of the hour as work moves more and more to BYOD. Considering all this, it will be great if the solution is done without touching the device.

Manjunath M Gowda, CEO, i7 networks (i7nw.com)

10/30/2013 | 12:18:26 PM
re: Catching Mobile Malware In The Corporate Network
I want to be a hacker...

Chuck Brooks
10/29/2013 | 12:21:26 AM
re: Catching Mobile Malware In The Corporate Network
As BYOD becomes more prevalent in both the corporate world and government, malware becomes a growing problem in mobility. Detection and patches are really not enough. A hardware/software endpoint mobile solution may be the best avenue to protect devices in the long run.