By 2014 there were more mobile devices than people in the world. Looking at the GSMA device tracker today, shows a world filled with almost 8 billion devices, and nearly 5 billion unique subscribers. And of course these devices are much less about making calls from, and much more about mobile computing. Smartphone technology must be a candidate for the most disruptive technology of the 21st century. We use our phones to manage our lives; when Apple trademarked the saying “there’s an app for that”, they knew what they were doing. We use apps for just about everything; playing music, contacting friends, organizing our time, checking our health, and even banking. In a Pew Research report they found that 57% of U.S. citizens used their mobile phone to do online banking. In Europe, the situation is similar with 58% of people using their mobile device to shop online.
But it isn’t just the consumer that has embraced the ‘little computer in our pocket’. Mobile has gone corporate and moved into the office with the movement to Bring Your Own Device (BYOD) into work. This has transpired into acquisitions such as the purchase of the secure enterprise mobile solution vendor, Airwatch by VMWare for over $1 billion. This fits in with the expectations of the market size of BYOD to be around $360 billion by 2020. Juniper Research expect there to be 1 billion devices used as a BYOD by 2018. This movement to mobile computing gives cybercriminals another route into the corporation and one, which if we are not careful, may become our downfall.
The Mobile Threat
Mobile devices are being used for a myriad of tasks, from holding our personal data and financial information, to transacting online. Cyber criminals, not one for missing opportunities, have moved across to the mobile platform, along with the rest of us. Mobile cybersecurity threats are pretty much the same types as the threats we come across on any computing device. However, compounding factors such as apps and how they share our data takes mobile security into a different arena and opens up new opportunities for the hacker. OWASP collate a ‘top ten’ list of mobile threats, which shows in any given year, what types of security issues are plaguing the mobile community. The threats are expanding. Below is a short round-up of the types of common threats we are seeing on mobile devices:
App based malware
McAfee in the ‘Mobile Threat Report 2016’ shows how mobile malware has been steadily increasing over the past few years, with a major spike in new mobile malware in Q4 2015. Android phone apps have been notorious for housing malware within them. In 2014 it was estimated that 97% of mobile malware was Android based. However, IOS based malware is starting to emerge and many industry players predict that 2016 will be the year of IOS malware. This prediction is coming true as 2015 saw more IOS based malware than the previous 5 years according to security firm Bit9. We can only expect such success to continue. The first, non jail broken, IOS malware is known as Ace Deceiver and it arrived onto the cybercrime scene this year. Ace Deceiver uses a technique known as ‘Fairplay Man in the Middle’ to proliferate other malware via app downloads by exploiting a flaw in the Apple DRM code.
Phishing becomes mobile
Phishing has entered the mobile arena after its success on conventional devices. SMiShing is the mobile version of phishing where a text message is sent as an SMS message. Just like its desktop cousin, it looks legitimate and asks you to click on a link which takes you to a spoof site asking you to enter your credentials. The image below shows a typical SMiShing message – the link went to a spoof site hosted in Eastern Europe.
There is also Phishing malware that targets mobile banking users. A recent example being the mobile banking Trojan, Android.Fakelogin – an app based piece of malware. It works by recognising the banking app being used from the mobile device, then presenting a spoof page when the app is used, which then steals the bank login credentials.
The 1 billion devices that are being brought into the workplace by 2018, will each be connected up to the wider corporate network to allow those users to work off that device. This is like opening up a new entry point for cybercriminals to exploit. Spear phishing on a BYOD mobile device is the ideal way that a hacker could gain access to a wider network. One way to avoid this scenario is to use a mobile device management (MDM) system to provide access control to the network resources from an on-boarded mobile device. Couple this with second factor authentication, or adaptive authentication and you take the sails out of mobile phishing.
Ransomware has become one of the most popular types of cyber attack with a 5X increase over the last 12 months according to Kaspersky. Ransomware has now crossed the desktop / mobile chasm with specific ransomware attacks being targeted on mobile devices. Mobile ransomware, locks up your phone and places an onscreen message telling you to pay a ransom to get a code that unlocks your phone. The most successful mobile ransomware to date is known as ‘Fusob’. Fusob is an Android based malware which according to Kaspersky, is responsible for 56% of mobile ransomware attacks.
Making Mobile Secure
As our mobile devices become part of a wider network, connecting up at home, out and about, and at work, they become a conduit for cybercrime. We have to take the security on our mobile phones as seriously as we do that on our desktops and networks. This means ensuring we use the correct mitigation strategies, including setting privileged access control measures, applying second factor and adaptive authentication, and being security aware – from the individual through to the entire extended corporate ecosystem. If we do not take mobile security seriously now, we are essentially leaving the perimeter door open for worldwide hackers to enter.
Michael Liebi ist Gründer und nun als Board Member bei United Security Providers tätig.