Hacking The Real Mobile Threats

Mobile malware remains a mess, but the actual threat depends on where you live and where you get your apps.

INTEROP -- Las Vegas -- Verizon's new data breach report shows mobile is not a factor in cyberattacks thus far. And last week, a new study from Damballa looking at half of all US mobile traffic found users are 1.3 times more likely to get struck by lightning than to be infected with mobile malware.

Meanwhile, mobile malware families continue emerging -- 61 new ones for Android alone in the second half of 2014, according to F-Secure -- and popular smartphones are leaking private and possibly sensitive corporate data.

But the bad guys are more likely to target corporate users with good ol' desktop malware. So what gives?

"BYOD in and of itself is a vulnerability," says Eric Green, senior vice president of Mobile Active Defense. "The biggest difference between iOS and Android is fragmentation," with each carrier and device putting its own spin on the Android platform, he says.

US mobile users are generally safer than those in Russia or China, for instance, who typically don't have access to a vetted app store like Apple's or Google Play via their off-market devices and services, experts say.

Chet Wisniewski, senior security advisor at Sophos, says his data matches what Verizon saw in its data breach investigations last year. Just 0.2% of the sites he surveyed hosted Android malware; Verizon found 0.3%.

Some 90% of infected mobile devices were in Eastern Europe and China. "All off-market … not from a legitimate site," he says. "If your Android phone is not going off-market, you're safe and not going to get infected. As soon as you go to pirated sites or third party sites, the wheels come off."

Most Chinese and Russian Android markets contain trojanized apps, he says.

Mikko Hypponen, chief research officer at F-Secure, says China is one of the hot spots for Trojan-rigged app sources.

Android has also had some good news on the malware front recently, despite the arrival of those 61 new families in the second half of last year. According to Google, less than 1% of Android devices contained a potentially harmful app last year, and worldwide, the overall rate of such app installations dropped by 50% between the first and third quarters of 2014.

Damballa's Charles Lever, senior scientific researcher, says that in the US, infection comes down to users putting themselves at risk. Mobile malware is bad news, he says, but the risk is "exaggerated" for most users.

Mobile Active Defense's Green, meantime, points to how Apple's platform keeps users better updated with the newest versions of iOS: more than 78% of iOS users are on version 8.x today, he notes. "Less than 1% are on a version below [iOS] 6," he says. "They [Apple] have control of their environment, so it's easier to secure and button down than Android."

Despite the lack of data breaches and other attacks via mobile devices, it's still a mobile malware mess out there, experts say. "I think when it comes to mobile and the mobile threat, I don't think we're all on the same page about what the threat is," Green says. "The mass market is in bad app stores."


There are also a few flaws in iOS and Android that are relatively easy to exploit, he says. Green will demo some easy-to-do mobile attacks in a presentation here on Friday called "Five Mobile Computing Vulnerabilities You Need to Know."

He plans to demo a design flaw that allows an attacker to sideload a Trojanized app onto a mobile device and exploit it within 3 minutes. It's a flaw in the root OS that allows an attacker to easily sideload an app, he says.

But like the desktop, the initial attack vector is typically a phishing email. In one scenario, the user clicks on a link in the phishing message purportedly from IT or an app vendor with an "update" to their software. "It's still the app doing stuff an app does for you, but now I have full mirroring of all the keystrokes on your" device, he says.

Another flaw, he says, has to do with profile files. "A profile on an iOS device gives you access to everything on the device. If you send a simple phishing email" with a malicious link, the attacker can get access to the device as well, says Green, who says his demo was assisted by a partner of his firm.
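As an added defender-side example (not from the article or from Mobile Active Defense's demo), the Python script below triages an iOS configuration profile of the kind described above: it tells an unsigned XML profile from a CMS-signed one and flags payload types that grant broad control over the device. The sample profile is constructed, the PayloadType identifiers are Apple's documented values, and the risk descriptions are my own.

```python
import plistlib

# Payload types that hand broad control to whoever authored the profile.
# Identifiers are Apple's documented PayloadType values; the risk notes are
# the author's own shortlist, not taken from the article.
HIGH_RISK_PAYLOADS = {
    "com.apple.mdm": "MDM enrollment: remote management of the device",
    "com.apple.security.root": "root CA install: enables TLS interception",
    "com.apple.proxy.http.global": "global HTTP proxy: routes all web traffic",
    "com.apple.vpn.managed": "managed VPN: routes all traffic off-device",
}

# Constructed sample: an unsigned profile dressed up as an "IT update".
# Unsigned profiles are plain XML plists; signed ones are CMS/DER blobs.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadDisplayName</key><string>IT Software Update</string>
<key>PayloadIdentifier</key><string>example.update.profile</string>
<key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.security.root</string>
<key>PayloadIdentifier</key><string>example.rootca</string></dict>
<dict><key>PayloadType</key><string>com.apple.mdm</string>
<key>PayloadIdentifier</key><string>example.mdm</string>
<key>ServerURL</key><string>https://mdm.example.invalid/</string></dict>
</array></dict></plist>"""


def triage_profile(data: bytes) -> dict:
    """Summarise a .mobileconfig: signed or not, display name, risky payloads."""
    body = data.lstrip()
    # A CMS-signed profile is DER, which opens with an ASN.1 SEQUENCE (0x30);
    # XML plists start with '<' and binary plists with 'bplist'. Treat the
    # signed case as opaque here: the signer chain needs separate checking.
    if body.startswith(b"\x30"):
        return {"signed": True, "name": None, "findings": []}
    profile = plistlib.loads(body)  # handles both XML and binary plists
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in HIGH_RISK_PAYLOADS:
            findings.append((ptype, payload.get("PayloadIdentifier"),
                             HIGH_RISK_PAYLOADS[ptype]))
    return {"signed": False,
            "name": profile.get("PayloadDisplayName"),
            "findings": findings}


if __name__ == "__main__":
    for ptype, pid, why in triage_profile(SAMPLE_PROFILE)["findings"]:
        print(f"{ptype} ({pid}): {why}")
```

The sample trips both the root-CA and MDM checks, which is the combination that turns a "simple phishing email" into full control of the device.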

"There are very real flaws and vulns on these devices today that can be exploited today to get to the crown jewels of an individual or a company today," Green says. "If a moron like me who's non-technical" can do it, anyone can, he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Kelly Jackson Higgins,
User Rank: Strategist
4/27/2015 | 11:56:36 PM
Re: Color Me Surprised - Future Mobile Opportunities
It all goes back to the lowest-hanging fruit always wins, right? There are some exceptions, of course, of nation-state targeting mobile, but that's because those types of attackers don't necessarily take the easy way in, and they are targeting.
User Rank: Ninja
4/27/2015 | 8:56:48 PM
Color Me Surprised - Future Mobile Opportunities
I have to admit I'm surprised. For as many exploits as I've read about and mobile malware I've seen out in the ecosystem, I would have thought mobile would be higher up there. But I guess you're right - it's about what can be gained now from hacking a mobile device vs a desktop in highly desirable data areas. And, is the current source of threats really malware, anyway?

Now, fast-forward.  This won't last for long.  I think there is an opportunity here for humanitarian-minded techs to set up app servers for malware-clean, MD5-verified and supported app downloads for users who have the hardware and the mobile OS but no access to app stores like Android and Apple.  In fact, they will be safer for it, despite the difficulty rating of getting malware in those stores, it's often what you agree to share from the legal apps that gets you in trouble.  I see a future of detached app offerings that let users free their phones from highly commercialized and secretive corporate app servers.

Nevertheless, BYOD is booming and soon those mobile devices are going to be as sweet a target as any desktop since the data that everyone wants will be within a hop and a tether of every mobile OS on the premises.  While this report is surprising, it's not a reason to relax but a good time-cushion for strategizing future mobile security models.