Hacking The Real Mobile Threats

Mobile malware remains a mess, but the actual threat depends on where you live and where you get your apps.

INTEROP -- Las Vegas -- Verizon's new data breach report shows mobile is not a factor in cyberattacks thus far. And last week, a new study from Damballa looking at half of all US mobile traffic found users are 1.3 times more likely to get struck by lightning than to be infected with mobile malware.

Meanwhile, mobile malware families continue emerging -- 61 new ones for Android alone in the second half of 2014, according to F-Secure  -- and popular smartphones are leaking private and possibly sensitive corporate data.

But the bad guys are more likely to target corporate users with good ol' desktop malware. So what gives?

"BYOD in and of itself is a vulnerability," says Eric Green, senior vice president of Mobile Active Defense. "The biggest differences between iOS and Android is fragmentation," with each carrier and device putting its own spin on the Android platform, he says.

US mobile users are generally safer than those in Russia or China, for instance, who typically don't have access to a vetted app store like Apple's or Google Play via their off-market devices and services, experts say.

Chet Wisniewski, senior security advisor at Sophos, says his data syncs with what Verizon saw in its data breach investigations last year. Just .2% of sites he surveyed contained malicious Android malware; Verizon found .3%.

Some 90% of infected mobile devices were in Eastern Europe and China. "All off-market … not from a legitimate site," he says. "If your Android phone is not going off-market, you're safe and not going to get infected. As soon as you go to pirated sites or third party sites, the wheels come off.

Most Chinese and Russian Android markets contain trojanized apps, he says.

Mikko Hypponen, chief research officer at F-Secure, says China is one of the hot spots for Trojan-rigged app sources.

But even Android has had some good news malware-wise recently, despite the arrival of 61 new families of Android malware in the second half of last year, according to F-Secure's latest report.  According to Google, less than 1% of Android devices contained a potentially harmful app last year, and worldwide, the overall rate of these app installations dropped by 50% between the first and third quarters of 2014.

Damballa's Charles Lever, senior scientific researcher, says it's all about putting yourself at risk of infection in the US. Mobile malware is bad news, he says, but it's actually risk "exaggerated" for most users.

Mobile Active Defense's Green, meantime, points to how Apple's platform keeps users better updated with the newest versions of iOS: more than 78% of iOS users are on version 8.x today, he notes. "Less than 1% are on a version below [iOS] 6," he says. "They [Apple] have control of their environment, so it's easier to secure and button down than Android."

Despite the lack of data breaches and other attacks via mobile devices, it's still a mobile malware mess out there, experts say. "I think when it comes to mobile and the mobile threat, I don't think we're all on the same page about what the threat is," Green says. "The mass market is in bad app stores."

[Researcher compared Apple iOS, Android, Windows smartphones for business use privacy and security. Read Smartphone Security Shootout.]

There also are a few flaws in iOS and Android that are relatively easy to exploit, he says. Green will demo some easy-to-do mobile attacks in a presentation here on Friday called "Five Mobile Computing Vulnerabilities You Need to Know."

He plans to demo a design flaw that allows an attacker to sideload a Trojanized app onto a mobile device and exploit it within 3 minutes. It's a flaw in the root OS that allows an attacker to easily sideload an app, he says.

But like the desktop, the initial attack vector is typically a phishing email. In one scenario, the user clicks on a link in the phishing message purportedly from IT or an app vendor with an "update" to their software. "It's still the app doing stuff an app does for you, but now I have full mirroring of all the keystrokes on your" device, he says.

Another flaw, he says, has to do with profile files. "A profile on an iOS device gives you access to everything on the device. If you send a simple phishing email" with a malicious link, the attacker can get access to the device as well, says Green, who says his demo was assisted by a partner of his firm.

"There are very real flaws and vulns on these devices today that can be exploited today to get to the crown jewels of an individual or a company today," Green says. "If a moron like me who's non-technical" can do it, anyone can, he says.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights