RSA Conference — San Francisco — Mobile malware appears to be declining as a favored tactic of cybercriminals, but the mobile ecosystem is far from risk-free as phishing and vulnerability exploitation become more significant threats, security experts said this week at the RSA Conference.
In 2019, the worldwide mobile ecosystem continued to expand, growing by 8.9 million new apps, or 18%, while at the same time the number of malicious apps declined, especially on premium app stores, such as Apple and Google, according to the "2019 Mobile App Threat Landscape Report," published by RiskIQ. At the same time, companies saw mobile- and Internet of Things-related compromises grow, with 39% of firms suffering such a security incident, up from 33% in 2018, according to Verizon's "Mobile Security Index 2020."
The current threat landscape is best exemplified by the vulnerabilities in the WhatsApp chat application last year, says Michael Covington, vice president of product at Wandera, a provider of mobile cloud security. In April and May, nation-state attackers used serious vulnerabilities, including a remote exploit for a vulnerability in the video player on WhatsApp, to compromise targeted users.
"These are apps that have already gone through the app store vetting process, and they are installed on the device," Convington says. "And when a vulnerability comes out, many companies cannot do anything, because they have no visibility into what apps are on their employees' devices."
The two trends — less mobile malware, but more mobile-related compromises — highlight that attackers are finding ways to compromise devices that do not rely on convincing a user to download malicious software.
The impact of the attackers' tactics is significant. In 2019, two-thirds of companies suffering a breach from mobile malware considered the impact significant, while more than a third also considered the effects of the breach to be lasting, according to Verizon's report. The majority of companies suffered downtime or loss of data in a breach, but many also found that other devices were compromised following a mobile breach and they had to deal with reputational damage and regulatory fines.
"When most people think of cybersecurity compromises, it’s the loss or exposure of data that springs to mind," Verizon stated in its report. "But it's much more than a company’s sensitive information that's at risk. A mobile security compromise can have a range of other consequences, including downtime, supply chain delays, lost business, damage to reputation, and regulatory fines.
The major mobile app stores have forced attackers to change, with the brand-name stores seeing fewer malicious apps submitted to their vetting process, according to threat intelligence firm RiskIQ's report. The number of blacklisted mobile apps fell by 20% overall in 2019, while the Google Play store blacklisted fewer than a quarter of the apps it blacklisted in 2018, the company found. Rather than an indication that app stores are easing up on security, RiskIQ argues that the ecosystem is doing a better job of weeding out malware developers from publishing apps to the store.
In addition, malicious apps in apps stores often remain easy to spot, says Jordan Herman, a threat researcher at RiskIQ.
"One potential giveaway is excessive permissions, where an app requests permissions that go beyond those required for its stated functionality," he says. "Another is a suspicious developer name, especially if it does not match the developer name associated with other apps from the same organization. User reviews and number of downloads, where present, also help to give some level of reassurance that the app is legitimate."
Because of the shift in attackers' tactics, companies need to worry about more than just mobile malware. In August, Google revealed that at least five exploit chains for iOS — attacks strung together to gain access to a device — were found on websites in the wild. The attacks could compromise many versions of iPhone and iPads.
"[S]imply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant," Ian Beer, a researcher with Google's Project Zero, stated in an analysis of the attacks. "We estimate that these sites receive thousands of visitors per week."
In many cases, even the legitimate functionality of legitimate apps can pose a risk for their business, says Wandera's Covington.
"It is not just malware that defines a malicious app for them," he says. "Other behavior is considered risk for many companies. Manufacturing firms don't want apps that can use the camera, for example."
Companies should learn to improve their security before they get breached. In 2019, 43% of companies that had a compromise ended up spending more on security. Only 15% of companies that did not suffer a breach spent more on protection, according to Verizon's "Mobile Security Index" report.