Hacking The Real Mobile Threats

Mobile malware remains a mess, but the actual threat depends on where you live and where you get your apps.

INTEROP -- Las Vegas -- Verizon's new data breach report shows that mobile devices have not yet been a factor in the breaches it investigated. And last week, a new study from Damballa, looking at half of all US mobile traffic, found that users are 1.3 times more likely to be struck by lightning than to be infected with mobile malware.

Meanwhile, mobile malware families continue to emerge -- 61 new ones for Android alone in the second half of 2014, according to F-Secure -- and popular smartphones are leaking private and possibly sensitive corporate data.

But the bad guys are more likely to target corporate users with good ol' desktop malware. So what gives?

"BYOD in and of itself is a vulnerability," says Eric Green, senior vice president of Mobile Active Defense. "The biggest difference between iOS and Android is fragmentation," with each carrier and device maker putting its own spin on the Android platform, he says.

US mobile users are generally safer than those in Russia or China, for instance, who typically don't have access to a vetted app store like Apple's or Google Play via their off-market devices and services, experts say.

Chet Wisniewski, senior security advisor at Sophos, says his data squares with what Verizon saw in its data breach investigations last year: just 0.2% of the sites he surveyed hosted Android malware, while Verizon found 0.3%.

Some 90% of infected mobile devices were in Eastern Europe and China. "All off-market … not from a legitimate site," he says. "If your Android phone is not going off-market, you're safe and not going to get infected. As soon as you go to pirated sites or third-party sites, the wheels come off."

Most Chinese and Russian Android markets contain trojanized apps, he says.

Mikko Hypponen, chief research officer at F-Secure, says China is one of the hot spots for Trojan-rigged app sources.

But even Android has had some good news on the malware front recently, despite those 61 new malware families in the second half of last year. According to Google, less than 1% of Android devices contained a potentially harmful app last year, and worldwide the rate of such app installations dropped by 50% between the first and third quarters of 2014.

Damballa's Charles Lever, senior scientific researcher, says that in the US, getting infected is mostly a matter of where users put themselves at risk. Mobile malware is bad news, he says, but the risk is "exaggerated" for most users.

Mobile Active Defense's Green, meanwhile, points to how much more effectively Apple keeps users on the newest versions of iOS: more than 78% of iOS users are on version 8.x today, he notes. "Less than 1% are on a version below [iOS] 6," he says. "They [Apple] have control of their environment, so it's easier to secure and button down than Android."

Despite the lack of data breaches and other attacks via mobile devices, it's still a mobile malware mess out there, experts say. "I think when it comes to mobile and the mobile threat, I don't think we're all on the same page about what the threat is," Green says. "The mass market is in bad app stores."


There also are a few flaws in iOS and Android that are relatively easy to exploit, he says. Green will demo some easy-to-do mobile attacks in a presentation here on Friday called "Five Mobile Computing Vulnerabilities You Need to Know."

He plans to demo a design flaw that lets an attacker sideload a Trojanized app onto a mobile device and exploit it within three minutes. The flaw sits in the underlying OS and is what makes the sideload easy, he says.

As on the desktop, the initial attack vector is typically a phishing email. In one scenario, the user clicks a link in a phishing message purporting to come from IT or an app vendor with an "update" to their software. "It's still the app doing stuff an app does for you, but now I have full mirroring of all the keystrokes on your" device, he says.
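Both the "off-market" point made by Wisniewski above and the sideloaded "update" scenario Green describes come down to the same question on a managed Android fleet: which third-party packages on a device were not installed by a vetted store? The following is an added example, not code from the article or from any of the vendors quoted. It parses the output of `adb shell pm list packages -i -3` (third-party packages together with the installer Android recorded for each) and flags anything not installed by Google Play. The sample output lines and the package names in them are constructed; the set of trusted installers is an assumption to adjust per environment.

```python
"""Flag sideloaded third-party packages from `pm list packages -i -3` output.

Added example (not from the article). Input is the text that
`adb shell pm list packages -i -3` prints: one line per third-party
package, with the installer package that Android recorded for it.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Installer package names. com.android.vending is Google Play. Anything else
# is treated as sideloaded unless the caller adds it to the trusted set
# (assumption: a corporate fleet would add its MDM agent or OEM store here).
GOOGLE_PLAY = "com.android.vending"
MANUAL_APK_INSTALLER = "com.google.android.packageinstaller"  # user opened an APK by hand

# Shape of each line: "package:<name>  installer=<installer package or null>"
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_list(text: str) -> Iterable[Tuple[str, str]]:
    """Yield (package, installer) pairs, skipping blank or non-package lines."""
    for raw in text.splitlines():
        m = PM_LINE.match(raw.strip())
        if m:
            yield m.group("pkg"), m.group("installer")


def find_sideloaded(text: str, trusted: Iterable[str] = (GOOGLE_PLAY,)) -> List[Finding]:
    """Return one Finding per third-party package not installed by a trusted store."""
    trusted_set = set(trusted)
    findings: List[Finding] = []
    for pkg, installer in parse_pm_list(text):
        if installer in trusted_set:
            continue
        if installer == "null":
            reason = "no installer recorded (adb install or restored outside a store)"
        elif installer == MANUAL_APK_INSTALLER:
            reason = "installed by hand from an APK file"
        else:
            reason = f"installed by untrusted source {installer}"
        findings.append(Finding(pkg, installer, reason))
    return findings


# Constructed sample output; the package names are made up for this example.
# com.sec.android.app.samsungapps is the Galaxy Store, shown here as an
# installer that is not trusted until the operator says so.
SAMPLE_PM_OUTPUT = """\
package:com.example.chat  installer=com.android.vending
package:com.example.expenses  installer=com.sec.android.app.samsungapps
package:com.acme.itupdate  installer=com.google.android.packageinstaller
package:com.acme.fieldtool  installer=null
"""

if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PM_OUTPUT):
        print(f"{f.package:<28} {f.reason}")
```

On a real device, pipe `adb shell pm list packages -i -3` into `find_sideloaded`; passing an OEM store or MDM agent in `trusted` keeps legitimately managed apps out of the report, while the manual-APK and `null` cases are exactly the "update from IT" lure above.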

Another flaw, he says, involves iOS configuration profiles. "A profile on an iOS device gives you access to everything on the device. If you send a simple phishing email" with a malicious link, the attacker can get access to the device as well, says Green, who says his demo was assisted by a partner of his firm.
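A configuration profile is a property list (a .mobileconfig file) whose PayloadContent array lists what the profile installs, and the user still has to tap through iOS's install prompts, which is what the phishing lure is for. How much of the device a phished profile reaches depends on which payload types that array carries. The following added example, not code from the article or from Mobile Active Defense, triages an unsigned profile before it is approved: it parses the plist and flags payload types that grant the kind of device-wide access Green describes, such as a trusted root certificate, a global HTTP proxy, a VPN or MDM enrollment. The two sample profiles are constructed; the payload type identifiers are Apple's, while the one-line risk labels and the "block" verdict are this example's own judgement.

```python
"""Triage an iOS configuration profile (.mobileconfig) before approving it.

Added example (not from the article). Handles unsigned profiles only: a
CMS-signed profile must be unwrapped first (for example with
`openssl smime -verify -noverify -inform der -in p.mobileconfig`); otherwise
it is reported as unreadable rather than silently passed.
"""
import plistlib
from typing import Any, Dict, List
from xml.parsers.expat import ExpatError

# Apple PayloadType identifiers that grant broad control over the device.
# The identifiers are Apple's; the risk labels are this example's own.
HIGH_RISK_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA (TLS interception)",
    "com.apple.security.pkcs12": "installs a private key and certificate",
    "com.apple.proxy.http.global": "routes all HTTP(S) through a chosen proxy",
    "com.apple.vpn.managed": "routes device traffic through a chosen VPN",
    "com.apple.wifi.managed": "joins a preset Wi-Fi network (can carry a proxy)",
    "com.apple.mdm": "enrolls the device in remote management",
    "com.apple.webClip.managed": "adds a home-screen web clip (app lookalike)",
}


def triage_profile(data: bytes) -> Dict[str, Any]:
    """Parse a profile and report risky payloads plus a block/review verdict."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError, ValueError) as exc:
        return {"error": f"not an unsigned plist profile ({exc.__class__.__name__})"}
    if not isinstance(profile, dict):
        return {"error": "profile top level is not a dictionary"}

    findings: List[Dict[str, str]] = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append({
                "type": ptype,
                "name": payload.get("PayloadDisplayName", ""),
                "risk": HIGH_RISK_PAYLOADS[ptype],
            })

    # A profile the user is not allowed to remove is a red flag on its own.
    removal_locked = bool(profile.get("PayloadRemovalDisallowed", False))
    return {
        "name": profile.get("PayloadDisplayName", ""),
        "organization": profile.get("PayloadOrganization", ""),
        "identifier": profile.get("PayloadIdentifier", ""),
        "removal_locked": removal_locked,
        "findings": findings,
        "verdict": "block" if findings or removal_locked else "review",
    }


def _profile(name: str, org: str, ident: str, payloads: List[Dict[str, Any]],
             locked: bool = False) -> bytes:
    """Build a constructed, unsigned profile with the same top-level shape as a real one."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadOrganization": org,
        "PayloadIdentifier": ident,
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": payloads,
    })


# Constructed: what a phished "IT update" profile might carry (names are made up).
PHISHED_PROFILE = _profile("IT Software Update", "Corp IT", "com.example.itupdate", [
    {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.itupdate.ca", "PayloadUUID": "uuid-ca",
     "PayloadDisplayName": "Corp Root CA", "PayloadContent": b"\x30\x00"},
    {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.itupdate.proxy", "PayloadUUID": "uuid-proxy",
     "PayloadDisplayName": "Corp Proxy", "ProxyType": "Manual",
     "ProxyServer": "proxy.example.net", "ProxyServerPort": 8080},
], locked=True)

# Constructed: a benign font profile for comparison.
BENIGN_PROFILE = _profile("Brand Fonts", "Corp Marketing", "com.example.fonts", [
    {"PayloadType": "com.apple.font", "PayloadVersion": 1,
     "PayloadIdentifier": "com.example.fonts.1", "PayloadUUID": "uuid-font",
     "PayloadDisplayName": "Corp Sans", "Font": b"\x00"},
])

if __name__ == "__main__":
    for label, blob in (("phished", PHISHED_PROFILE), ("benign", BENIGN_PROFILE)):
        print(label, triage_profile(blob))
```

The point of the check is that the lure ("update from IT") says nothing about what the profile does; only the payload types do. Run it over the bytes of any .mobileconfig arriving by mail or web before a user is allowed to install it, and treat a signed profile that this parser rejects as something to unwrap and re-check, not as safe.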

"There are very real flaws and vulns on these devices today that can be exploited today to get to the crown jewels of an individual or a company today," Green says. "If a moron like me who's non-technical" can do it, anyone can, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins, User Rank: Strategist
4/27/2015 | 11:56:36 PM
Re: Color Me Surprised - Future Mobile Opportunities
It all goes back to the lowest-hanging fruit always wins, right? There are some exceptions, of course, of nation-state targeting mobile, but that's because those types of attackers don't necessarily take the easy way in, and they are targeting.
User Rank: Ninja
4/27/2015 | 8:56:48 PM
Color Me Surprised - Future Mobile Opportunities
I have to admit I'm surprised. For as many exploits as I've read about and mobile malware I've seen out in the ecosystem, I would have thought mobile would be higher up there. But I guess you're right - it's about what can be gained now from hacking a mobile device vs a desktop in highly desirable data areas. And, is the current source of threats really malware, anyway.

Now, fast-forward.  This won't last for long.  I think there is an opportunity here for humanitarian-minded techs to set up app servers for malware-clean, MD5-verified and supported app downloads for users who have the hardware and the mobile OS but no access to app stores like Android and Apple.  In fact, they will be safer for it, despite the difficulty rating of getting malware in those stores, it's often what you agree to share from the legal apps that gets you in trouble.  I see a future of detached app offerings that let users free their phones from highly commercialized and secretive corporate app servers.

Nevertheless, BYOD is booming and soon those mobile devices are going to be as sweet a target as any desktop since the data that everyone wants will be within a hop and a tether of every mobile OS on the premises.  While this report is surprising, it's not a reason to relax but a good time-cushion for strategizing future mobile security models.