This article originally appeared in Threatpost on February 14, 2019.
A Threatpost poll found that 52 percent don’t feel prepared to prevent a mobile security incident from happening. The results reflect a challenging mobile security landscape.
A Threatpost survey of readers found over half of respondents don’t feel sufficiently prepared to prevent or handle a security incident stemming from mobile devices in their firm.
The informal survey results should serve as a harbinger for security professionals in light of the fact that 80 percent of enterprise IT decision makers say their employees can’t do their jobs effectively without a mobile phone.
According to over 100 respondents to the Threatpost survey, 52 percent said they are struggling to keep pace securing the phones, tablets and applications that offer an expanding gateway for adversaries to infiltrate corporate networks.
A rash of high-profile mobile security incidents prompted the survey. Just in the past week, Apple patched a massive flaw in its FaceTime app allowing a bad actor to eavesdrop on victims. In the same period, a malicious app that aimed to steal cryptocurrency from users was removed from Google’s official Android App Store.
And the future looks grim. Up to 59 percent of survey respondents said that in 2019, they think securing mobile devices will only get more difficult.
“I think we will see several changes in the ecosystem depending on the sophistication of an attacker,” Michael Flossman, head of threat intelligence at Lookout, told Threatpost. “For actors that might not be technically advanced or are operating on a tight budget, we’ve seen them take advantage of the low barrier to entry when it comes to gaining sensitive information from mobile devices. This is largely to do with the fact that both mobile phishing and mobile surveillanceware are becoming commoditized.”
A Wave of Threats
More workplaces are relying heavily on mobile. According to Samsung research, nearly 75 percent of enterprise IT decision makers said mobile devices are essential to their business workflows.
Meanwhile, threat actors are turning their attention to mobile devices with a mix of old and new threats, ranging from simple phishing all the way up to sophisticated spyware.
“There is an entire spectrum of mobile risk and each of these risks have a different effect on an enterprise based on prevalence and impact,” Flossman said. “Mobile phishing has evolved to take advantage of the fact that the traditional corporate security perimeter has essentially disappeared.”
Vulnerabilities exist in several mobile products that can leak valuable personal or corporate data. In September, a passcode bypass vulnerability in Apple’s new iOS version 12 allowed an attacker to access photos and contacts in iPhones.
In November, a flaw was disclosed in the Android mobile operating system that could allow an attacker with physical proximity to a WiFi router to track the location of users within the router’s range.
However, simple phishing techniques that target mobile device users – either via texts, voicemail, or even traditional email – continue to be a top concern for IT administrators.
In fact, according to Proofpoint research, up to 49 percent have experienced “voice phishing” (when bad actors use social engineering over the phone to gain access to personal data) or “SMS/text phishing” tactics (when social engineering is used via texts to collect personal data) in 2018. That’s up from the 45 percent of those who experienced these methods in 2017.
A recent phishing campaign, for instance, made use of the user interface on mobile devices by using Google Translate as its malicious landing page. While the landing page had obvious clues that it was malicious, the message looked much more convincing in its condensed state on mobile devices, researchers said.
At a high level, advanced persistent threat (APT) groups are turning to mobile platforms as an easy, lucrative landscape to exploit. Dark Caracal, for instance, which was first discovered by researchers in January 2018, is the first known global campaign that steals data from Android devices.
Personal Use and Data Apps
When Threatpost asked respondents which mobile user habits present the biggest risks to corporate data, 46 percent said that using personal phones for corporate use poses the biggest threat.
Indeed, as more mobile devices are deployed at work, employees are using those devices for various personal functions – potentially opening up concerning security threats that could compromise the enterprise.
“Companies that allow BYOD [bring your own device] should develop and enforce policies that lay down rules on app downloads, allowable/blocklisted websites, etc,” Usman Rahim, digital threat analyst with The Media Trust, told Threatpost. “They should also provide endpoint security, monitor the devices, and train employees on how to keep their devices secure.”
A main concern with personal use of corporate phones is apps, specifically malicious apps or ones that could potentially leak data.
“Corporate devices are personal now, as well,” Flossman said. “Social media apps, messaging apps, and others create an environment where employees can be phished and corporate credentials stolen through personal activities.”
In fact, according to Threatpost’s poll, 50 percent of respondents said that they believe enterprises are least equipped to handle data-leaking apps (that’s more than those who pointed to mobile phishing, at 32 percent, network attacks, at 11 percent, and spyware, at 5 percent).
And 41 percent of respondents said that they think mobile app attacks should be prioritized as part of an enterprise mobile security strategy.
With malicious apps being outed almost weekly on Google Play, that might not be a surprise. In January, Google Play removed two malicious apps that were infecting devices with a notorious banking malware bent on scooping up victims’ credentials. Also in January, Android spyware dubbed MobSTSPY emerged to ride trojanized apps, mainly via Google Play.
Also, early last year, Google removed 22 malicious adware apps, ranging from flashlights and call recorders to WiFi signal boosters, that together were downloaded up to 7.5 million times from the Google Play marketplace.
Also in danger is personal data. A report in April found that millions of apps leak personally identifiable information such as name, age, income and possibly even phone numbers and email addresses. At fault are app developers who do not protect ad-targeting data transmitted to third-party advertisers.
Will LaSala, director of security services and security evangelist at OneSpan, told Threatpost that approximately 30 percent of all breaches result from a vulnerability at the application layer.
Moving forward, he said that internal company application development and business operations (DevOps) will start to play a bigger role in the enterprise when it comes to securing these types of apps.
“The role of DevOps and DevSecOps has moved beyond protecting consumer-facing apps and is now looking at how to protect internal enterprise security applications, such as an organization’s single sign-on applications,” said LaSala. “We will see DevSecOps turn to intelligent authentication technology to help protect and simplify the potential risks associated with employee application platforms.”
‘Game Of Cat And Mouse’
How can enterprises create effective strategies for security threats that are seemingly impossible to keep up with? Security experts are optimistic to a degree.
Flossman said that he believes security in the mobile space “mirrors the cat and mouse game between attackers and defenders that we’ve seen play out over the years in the desktop space as well.”
Several mobile device management (MDM) and enterprise mobility management (EMM) offerings are also available. MDM is software that allows IT administrators to control, secure and enforce policies on mobile devices, while EMM gives firms the ability to securely enable employee use of mobile devices and applications.
However, beyond these types of services, there needs to be a cultural shift for enterprises. Companies should adopt a post-perimeter security architecture that establishes a zero-trust access model and moves key security functions to the endpoint, while continuously monitoring risk, Flossman said.
“Ultimately for enterprises this comes down to having visibility into their mobile endpoints and ensuring that they’re preemptively taking steps to ensure the security of these devices,” he said.