Michael Shaulov, head of mobility at Check Point, discusses the main threats targeting mobile devices – and how companies can protect against them
As enterprises go increasingly mobile, it’s inevitable that cybercrime will follow.
Hackers and criminals know that when a technology shift happens, security often lags behind, meaning there is low-hanging fruit to be targeted.
Our 3rd annual mobility survey found that 72 percent of companies had experienced a 100 percent or greater increase in the number of personal mobile devices connecting to their networks during the past two years. So it’s no surprise that malware and other mobile threats are multiplying.
In fact, summer 2015 saw mobile malware being found both on Google Play and Apple’s ‘walled garden’ App Store, highlighting that criminals have found ways to bypass the security and review measures of both stores to spread infections to users’ devices. A 2015 study by Check Point and a global cellular network provider found that one in 1000 devices were infected with mobile surveillance and mobile Remote Access Trojans (mRATs). And while over half of infected devices were Android-based, 47 percent were iOS-based, challenging the common assumption that iOS is inherently more secure.
Mobiles are a juicy target for several reasons – they hold large amounts of personal and business data, including valuable user credentials for applications and websites; they’re almost always on and connected to the internet; and they have audio and video recording capabilities. And crucially, they usually do not receive anywhere near the same level of protection against malware or hacking as a PC, if they receive any at all. This means that a monitoring or data-stealing infection on a device could go unnoticed for months.
So what are the most dangerous threats to mobiles? There are hacker weapons and tricks which target both Apple and Android devices, as well as threats that are specific to each vendors’ operating system. Here, we’ll examine both the common, and OS-specific threats in detail.
These attacks give an attacker the ability to remotely gain access to everything stored on and flowing through either Android or iOS devices. mRATs commonly find their way onto Android devices through apps available on Google marketplace, despite Google working hard to protect them with regular security code checks. iOS devices are equally vulnerable as attackers can ‘jailbreak’ a device, removing all the built-in iOS security mechanisms, by physically obtaining access or by propagating the jailbreak code from a compromised computer, before installing mRATs onto the device. Threats have also emerged that are capable of targeting non-jailbroken iOS devices, such as 2014’s WireLurker and 2015’s YiSpecter malware.
WiFi man in the middle (MitM)
A MitM attack can occur when any type of device connects to a rogue WiFi hotspot. Since all communications are passed through the attacker-controlled network device, they can eavesdrop and even alter the network’s communication. MitM attacks have always been a concern for wireless devices, however, the prevalence of smartphones in an individual’s personal and business life has made mobile devices much more attractive targets for attackers. These attacks are very difficult for mobile users to spot as the typical alerts and warning signs that individuals are used to seeing on PCs and laptops are much more subtle on mobiles due to the limited screen size and simplified browsers.
Zero-day attacks represent exploits of vulnerabilities on both iOS and Android that have been uncovered – but not yet released. Many times, these vulnerabilities lead to the silent installation of attacks, such as mRATs on a device through a remote exploitation technique. Once on the device, they may enable the attacker to steal passwords, corporate data and emails, as well as capture all keyboard activity and screen information.
Exploiting elevated privileges on Android
Android system vulnerabilities can be exploited to gain elevated privileges without leaving a trace, such as the recent Certifigate vulnerability that affected hundreds of millions of devices. The attacks take advantage of opportunities created by the fragmentation of the Android operating system and the openness and vastness of its eco-system, creating opportunities for attackers to infiltrate devices and orchestrate a broad range of attacks.
Fake iOS certificates
These attacks use distribution certificates to ‘side-load’ an application, sidestepping Apple’s app store validation process by downloading straight onto the device. This method has already been seen in use, for example in mid-2013 a rogue Chinese site used an enterprise certificate to distribute pirated iOS-based apps, enabling attackers wide ranging access to data on Apple devices.
Malicious iOS profiles
These attacks use the permissions of a profile to circumvent typical security mechanisms, enabling an attacker to do almost anything. A user may be tricked into downloading a malicious profile and in doing so, they may unknowingly provide the rogue configuration the ability to re-route all traffic from the mobile device to an attacker-controlled server, to further install rogue apps, and even to decrypt communications.
iOS WebKit vulnerabilities
WebKits enable web browsers to render web pages correctly for a user. Attackers will exploit vulnerabilities in a Webkit to execute scripts of their own, sidestepping the robust security measures implemented by Apple. Attackers commonly use them as a springboard for remote device infection.
With attackers targeting mobile devices using such an arsenal of techniques, it is critical that organisations ensure they have a mobile threat prevention solution in place that delivers a range of capabilities and protections in order to stop device hijacking and data interception. The ideal solution should be able to:
· analyse apps as they are downloaded to devices, examining their behaviour in a virtualised environment before allowing their use, or flagging them as malicious.
· regularly assess devices for vulnerabilities and signs of being targeted by attackers
· mitigate network-based attacks by identifying suspicious network behaviour, correlating events both on the device and network to disable suspicious activity and prevent any data being sent to an attacker
As mobile becomes the next security battleground, organisations will need to adopt the same rigorous approaches to protecting their mobile estate as they do to the rest of their IT infrastructure – or risk being vulnerable to the weapons of mobile warfare.