

03:20 PM

Hacking The Real Mobile Threats

Mobile malware remains a mess, but the actual threat depends on where you live and where you get your apps.

INTEROP -- Las Vegas -- Verizon's new data breach report shows mobile is not a factor in cyberattacks thus far. And last week, a new study from Damballa looking at half of all US mobile traffic found users are 1.3 times more likely to get struck by lightning than to be infected with mobile malware.

Meanwhile, mobile malware families continue emerging -- 61 new ones for Android alone in the second half of 2014, according to F-Secure -- and popular smartphones are leaking private and possibly sensitive corporate data.

But the bad guys are more likely to target corporate users with good ol' desktop malware. So what gives?

"BYOD in and of itself is a vulnerability," says Eric Green, senior vice president of Mobile Active Defense. "The biggest difference between iOS and Android is fragmentation," with each carrier and device putting its own spin on the Android platform, he says.

US mobile users are generally safer than those in Russia or China, for instance, who typically don't have access to a vetted app store like Apple's or Google Play via their off-market devices and services, experts say.

Chet Wisniewski, senior security advisor at Sophos, says his data syncs with what Verizon saw in its data breach investigations last year. Just 0.2% of sites he surveyed contained Android malware; Verizon found 0.3%.

Some 90% of infected mobile devices were in Eastern Europe and China. "All off-market … not from a legitimate site," he says. "If your Android phone is not going off-market, you're safe and not going to get infected. As soon as you go to pirated sites or third party sites, the wheels come off."

Most Chinese and Russian Android markets contain trojanized apps, he says.

Mikko Hypponen, chief research officer at F-Secure, says China is one of the hot spots for Trojan-rigged app sources.

But even Android has had some good news malware-wise recently, despite the arrival of 61 new families of Android malware in the second half of last year, according to F-Secure's latest report. According to Google, less than 1% of Android devices contained a potentially harmful app last year, and worldwide, the overall rate of these app installations dropped by 50% between the first and third quarters of 2014.

Damballa's Charles Lever, senior scientific researcher, says it's all about putting yourself at risk of infection in the US. Mobile malware is bad news, he says, but it's actually risk "exaggerated" for most users.

Mobile Active Defense's Green, meanwhile, points to how Apple's platform keeps users better updated with the newest versions of iOS: more than 78% of iOS users are on version 8.x today, he notes. "Less than 1% are on a version below [iOS] 6," he says. "They [Apple] have control of their environment, so it's easier to secure and button down than Android."

Despite the lack of data breaches and other attacks via mobile devices, it's still a mobile malware mess out there, experts say. "I think when it comes to mobile and the mobile threat, I don't think we're all on the same page about what the threat is," Green says. "The mass market is in bad app stores."

[Researcher compared Apple iOS, Android, Windows smartphones for business use privacy and security. Read Smartphone Security Shootout.]

There are also a few flaws in iOS and Android that are relatively easy to exploit, he says. Green will demo some easy-to-do mobile attacks in a presentation here on Friday called "Five Mobile Computing Vulnerabilities You Need to Know."

He plans to demo a design flaw that allows an attacker to sideload a Trojanized app onto a mobile device and exploit it within 3 minutes. It's a flaw in the root OS that allows an attacker to easily sideload an app, he says.

But like the desktop, the initial attack vector is typically a phishing email. In one scenario, the user clicks on a link in the phishing message purportedly from IT or an app vendor with an "update" to their software. "It's still the app doing stuff an app does for you, but now I have full mirroring of all the keystrokes on your" device, he says.

Another flaw, he says, has to do with profile files. "A profile on an iOS device gives you access to everything on the device. If you send a simple phishing email" with a malicious link, the attacker can get access to the device as well, says Green, who says his demo was assisted by a partner of his firm.

"There are very real flaws and vulns on these devices today that can be exploited today to get to the crown jewels of an individual or a company today," Green says. "If a moron like me who's non-technical" can do it, anyone can, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins, User Rank: Strategist | 4/27/2015 | 11:56:36 PM
Re: Color Me Surprised - Future Mobile Opportunities
It all goes back to the lowest-hanging fruit always wins, right? There are some exceptions, of course, of nation-state targeting mobile, but that's because those types of attackers don't necessarily take the easy way in, and they are targeting.
User Rank: Ninja | 4/27/2015 | 8:56:48 PM
Color Me Surprised - Future Mobile Opportunities
I have to admit I'm surprised. For as many exploits as I've read about and mobile malware I've seen out in the ecosystem, I would have thought mobile would be higher up there. But I guess you're right - it's about what can be gained now from hacking a mobile device vs a desktop in highly desirable data areas. And, is the current source of threats really malware, anyway?

Now, fast-forward. This won't last for long. I think there is an opportunity here for humanitarian-minded techs to set up app servers for malware-clean, MD5-verified and supported app downloads for users who have the hardware and the mobile OS but no access to app stores like Android and Apple. In fact, they will be safer for it, despite the difficulty rating of getting malware in those stores, it's often what you agree to share from the legal apps that gets you in trouble. I see a future of detached app offerings that let users free their phones from highly commercialized and secretive corporate app servers.

Nevertheless, BYOD is booming and soon those mobile devices are going to be as sweet a target as any desktop since the data that everyone wants will be within a hop and a tether of every mobile OS on the premises. While this report is surprising, it's not a reason to relax but a good time-cushion for strategizing future mobile security models.
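The comment above proposes hash-verified app downloads for users who cannot reach a vetted store, which is exactly the integrity check an off-market user lacks when pulling an APK from a third-party site. The following is an added example, written for this page rather than taken from the commenter, Dark Reading, or any app-store project. It verifies downloaded files against a published manifest in `sha256sum` format; SHA-256 is used instead of the MD5 the commenter mentions because MD5 collisions are practical, so two different files can share an MD5 digest. The file names, contents, and manifest are constructed here for the demo; a hash match only proves the file is the one the distributor published, not that the distributor vetted it for malware.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines (the sha256sum layout) into {filename: digest}.

    Blank lines and '#' comments are skipped; digests are normalised to lower case.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        expected[name.strip()] = digest.lower()
    return expected


def verify_downloads(directory, manifest_text):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every manifest entry.

    compare_digest is used so the comparison time does not depend on how many
    leading characters of a wrong digest happen to match.
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    return results


def demo():
    """Build a constructed download directory and manifest, then verify it.

    - good.apk     : file matches the manifest            -> 'ok'
    - tampered.apk : manifest lists the original bytes,
                     but the served file was altered      -> 'mismatch'
    - absent.apk   : listed in the manifest, never served -> 'missing'
    """
    good = b"constructed good APK payload"
    original = b"constructed original APK payload"
    altered = b"constructed altered APK payload"

    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.apk"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.apk"), "wb") as f:
            f.write(altered)  # the on-disk file differs from what the manifest describes

        manifest = "\n".join([
            "# constructed manifest, sha256sum layout",
            f"{hashlib.sha256(good).hexdigest()}  good.apk",
            f"{hashlib.sha256(original).hexdigest()}  tampered.apk",
            f"{hashlib.sha256(b'constructed absent APK').hexdigest()}  absent.apk",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

In practice the manifest itself has to come from somewhere the attacker cannot rewrite alongside the files, for example a signed manifest or one fetched over a separately pinned channel; a digest served next to the download on the same compromised mirror verifies nothing.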