Exploitation, Phishing Top Worries for Mobile Users

Reports find that mobile malware appears on the decline, but the exploitation of vulnerabilities along with phishing has led to a rise in compromises, experts say.

RSA Conference — San Francisco — Mobile malware appears to be declining as a favored tactic of cybercriminals, but the mobile ecosystem is far from risk-free as phishing and vulnerability exploitation become more significant threats, security experts said this week at the RSA Conference.

In 2019, the worldwide mobile ecosystem continued to expand, growing by 8.9 million new apps, or 18%, while at the same time the number of malicious apps declined, especially on premium app stores, such as Apple and Google, according to the "2019 Mobile App Threat Landscape Report," published by RiskIQ. At the same time, companies saw mobile- and Internet of Things-related compromises grow, with 39% of firms suffering such a security incident, up from 33% in 2018, according to Verizon's "Mobile Security Index 2020."

The current threat landscape is best exemplified by the vulnerabilities in the WhatsApp chat application last year, says Michael Covington, vice president of product at Wandera, a provider of mobile cloud security. In April and May, nation-state attackers used serious vulnerabilities, including a remote exploit for a vulnerability in the video player on WhatsApp, to compromise targeted users.

"These are apps that have already gone through the app store vetting process, and they are installed on the device," Covington says. "And when a vulnerability comes out, many companies cannot do anything, because they have no visibility into what apps are on their employees' devices."

The two trends — less mobile malware, but more mobile-related compromises — highlight that attackers are finding ways to compromise devices that do not rely on convincing a user to download malicious software.

The impact of the attackers' tactics is significant. In 2019, two-thirds of companies suffering a breach from mobile malware considered the impact significant, while more than a third also considered the effects of the breach to be lasting, according to Verizon's report. The majority of companies suffered downtime or loss of data in a breach, but many also found that other devices were compromised following a mobile breach and they had to deal with reputational damage and regulatory fines.

"When most people think of cybersecurity compromises, it’s the loss or exposure of data that springs to mind," Verizon stated in its report. "But it's much more than a company’s sensitive information that's at risk. A mobile security compromise can have a range of other consequences, including downtime, supply chain delays, lost business, damage to reputation, and regulatory fines."

The major mobile app stores have forced attackers to change, with the brand-name stores seeing fewer malicious apps submitted to their vetting process, according to threat intelligence firm RiskIQ's report. The number of blacklisted mobile apps fell by 20% overall in 2019, while the Google Play store blacklisted fewer than a quarter of the apps it blacklisted in 2018, the company found. Rather than an indication that app stores are easing up on security, RiskIQ argues that the ecosystem is doing a better job of weeding out malware developers from publishing apps to the store.

In addition, malicious apps in app stores often remain easy to spot, says Jordan Herman, a threat researcher at RiskIQ.

"One potential giveaway is excessive permissions, where an app requests permissions that go beyond those required for its stated functionality," he says. "Another is a suspicious developer name, especially if it does not match the developer name associated with other apps from the same organization. User reviews and number of downloads, where present, also help to give some level of reassurance that the app is legitimate."

Because of the shift in attackers' tactics, companies need to worry about more than just mobile malware. In August, Google revealed that at least five exploit chains for iOS — attacks strung together to gain access to a device — were found on websites in the wild. The attacks could compromise many versions of iPhones and iPads.

"[S]imply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Ian Beer, a researcher with Google's Project Zero, stated in an analysis of the attacks. "We estimate that these sites receive thousands of visitors per week."

In many cases, even the legitimate functionality of legitimate apps can pose a risk for businesses, says Wandera's Covington.

"It is not just malware that defines a malicious app for them," he says. "Other behavior is considered risk for many companies. Manufacturing firms don't want apps that can use the camera, for example."

Companies should learn to improve their security before they get breached. In 2019, 43% of companies that had a compromise ended up spending more on security. Only 15% of companies that did not suffer a breach spent more on protection, according to Verizon's "Mobile Security Index" report.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
JamesInky,
User Rank: Apprentice
3/5/2020 | 10:24:33 AM
Re: Before it happens
The problem is, with so many ways for every employee to be interacting with their work email, the average phishing security doesn't extend to mobile without the need for everyone to adopt some plugin or app. Which is just unreasonable.
RyanSepe,
User Rank: Ninja
2/29/2020 | 11:28:05 AM
Re: Before it happens
Definitely good advice, but will it be heeded? I always bring up the adage that unfortunately many of us don't learn until we are burnt by the stove. Instead of a smart person learns from their own mistakes but a brilliant person learns from others.

Too often we operate under the assessment that this won't happen to me, and due to that we don't protect ourselves as we should until it's too late.
RyanSepe,
User Rank: Ninja
2/29/2020 | 11:26:30 AM
Re: Loss
Good point! As you put it, outside of the low and slow attempts there are the more obvious destructive brick devices methodology that also has a direct cost associated with it.
RyanSepe,
User Rank: Ninja
2/29/2020 | 11:25:00 AM
Re: Mobile
Yes with the Internet of Things. The inundation of the mobile footprint has become all too apparent. Phones, Tablets, Watches. So many devices now on the grid per person just amplifies the exposure footprint.
RyanSepe,
User Rank: Ninja
2/29/2020 | 11:23:39 AM
Re: Business Perspective
Most definitely. It's surprising how often I have to anticipate, "Wait did they open the email on their phone or from their workstation? And if I detonate the malware in a sandbox is it sophisticated enough to target a mobile user."
RyanSepe,
User Rank: Ninja
2/29/2020 | 11:22:11 AM
Re: WhatsApp
I have to read more into that infiltration. I use WhatsApp all the time for convenience and some of its other more advanced functionalities. 
Dr.T,
User Rank: Ninja
2/28/2020 | 3:42:23 PM
Before it happens
"Companies should learn to improve their security before they get breached." This is good advice. Cost of breach is always higher than cost of security environment for sure.
Dr.T,
User Rank: Ninja
2/28/2020 | 3:40:23 PM
Loss
"A mobile security compromise can have a range of other consequences, including downtime, supply chain delays, lost business, damage to reputation, and regulatory fines." This is well-put. In addition to loss of data and reputation, getting back to business may take time and there is additional revenue loss.
Dr.T,
User Rank: Ninja
2/28/2020 | 3:38:16 PM
Mobile
"The two trends less mobile malware, but more mobile-related compromises highlight that attackers are finding ways to compromise devices that do not rely on convincing a user to download malicious software." It may be because more people use mobile than desktop. Even if less mobile malware it is still big impact.
Dr.T,
User Rank: Ninja
2/28/2020 | 3:36:24 PM
Re: Business Perspective
"many businesses phishing security precautions are sometimes not leveraged at the mobile level" That is true, we sometimes think our smart phones are more secure; they tend to have vulnerabilities as well.