Attacks that proved successful on PCs are now being tested on unwitting mobile device users to see what works – and with the number of mobile devices with poor protection soaring, there are plenty of easy targets. “Attackers are definitely searching after the weakest point in the chain,” and then honing in on the most successful scams, says Lior Kohavi, CTO at CYREN, a cloud-based security solutions provider in McLean, Va.
Google’s Android operating system averaged 5,768 malware attacks daily over a six-month period, according to CYREN’s Security Report for 2013. Today more than 99 percent of new mobile malware is designed to target Android, according to a Q1 2014 Mobile Threat Report by security firm F-Secure Corp. based in Finland. But that doesn’t mean iOS for Apple iPhone or iPads are immune. The number of documented vulnerabilities for iOS Apple iPhone and iPads increased 82 percent in 2013, according to a Symantec report, though it adds that doesn’t necessarily lead to malware that exploits those vulnerabilities.
BYOD programs entice hackers even more, with the holy grail now being to infiltrate a company’s perimeter through mobile devices, either through social engineering scams that get access to company data through a mobile device, or just by sitting across the street and attacking the company’s WiFi through an infected mobile phone. Small and midsize businesses face higher risks because they’re often not able to keep up with BYOD policies, and threats can change every three to six months.
With all of that in mind, here are five new threats to your mobile device security:
1. Mobile phishing and ransomware
Just like the PC scams, bad guys are using social engineering through mobile apps and SMS text messages, which take advantage of human behavior and trust to gain access to data or infiltrate businesses, to make people click on links. Malware then ends up on the user’s PC.
“If they can make you believe a message is from a trusted source, chances are you will click,” says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla. “This trick has been used with email, instant messaging, social networks, and [now] they are even spoofing SMS text messages.” Even email messages, when opened on a mobile device, can infect laptops and enterprise systems. Sjouwerman advises mobile users to check for red flags. “If you click on an email message from a mobile app without checking for anything suspicious, you might download malware and infect your PC, so think before you click!”
Sjouwerman also sees an increase in ransomware via mobile devices that run Google’s Android OS. In this case, the mobile user opens an infected attachment, which locks all files until the user pays $500.
“It's been around for PCs for a while, and it's now out there in the wild for Android phones, as well,” he says. The most common source of the infection, he adds, is from manually downloading software that claims to be a video player from a website other than the Google Play App Store.
2. Using an infected mobile device to infiltrate nearby devices
When working inside a company to identify vulnerabilities, pentester and mobile security expert Georgia Weidman recently asked herself from a hacker’s perspective, “wouldn’t it be nice if we could just walk into the network with a compromised phone and have direct network access” by way of a client side attack or social engineering. She concluded that in many cases you can.
“An infected mobile device allows you to breach an organization's perimeter and directly attack the devices on the network instead of having to break in some other way, you've already got direct network access,” Weidman says.
Consider a simple scenario. An Android device has been infected with the Smartphone-Pentest-Framework, or SPF Agent. The unsuspecting user thinks it’s an official news app, for instance, and thinks nothing of it, but it is also communicating with an SPF console that’s giving thieves access to mobile device data. That device is sharing WiFi with the laptop sitting nearby, and the thief is also able to breach the laptop, which contains company information or access to corporate systems.
“If I have control of their mobile devices, I can go the traditional route like stealing their contacts or sending text messages to a premium number, but also if the device is connected to a WiFi network I can attack additional systems on that network from the infected phone,” she explains. “Whether I’m connected to my home WiFi, work WiFi or Starbucks WiFi, if there are any devices with vulnerabilities on that network, I can potentially exploit them directly from the infected mobile device.”
3. Cross-platform banking attacks
Gangs are also using malware on PCs to infiltrate mobile phones in hybrid attacks on user’s banking accounts, according to John Shier, security advisor at Sophos. A piece of malware dropped on the user’s laptop can detect when the user is surfing his banking website. Dubbed a “man in the browser” attack – the spying is all done in browser memory “so they can intercept your banking credentials before they get encrypted and sent across the wire,” he explains. Adding to the scam, thieves put up a warning message, such as “for increased security, download this app,” and they ask for the user’s phone number and email address to send an SMS to their phone or to download a link.
“You click on the SMS and download the app, and they basically own your desktop and your phone,” he says.
4. Cryptocurrency mining attacks
Wondering why your mobile device is losing battery power too quickly or why it feels overheated? You might have cryptocurrency mining malware on your device. The malware infiltrates mobile devices in search of digital currencies, like Bitcoin, Litecoin and Dogecoin.
Found mostly in Android devices, the apps were injected in many cases with the CPU mining code from a legitimate Android cryptocurrency mining app. The miner is started as a background service once it detects that the affected device is connected to the internet. By default, it launches the CPU miner to connect to a dynamic domain, which then redirects to an anonymous digital currency mining pool.
“The reality is that the capabilities on the phone aren’t as great as they are in a big server or mainframe attacks,” says Kohavi. “But it’s a trial and error for these organized criminals to be able to put their foot into an area and then leverage that and see what they can get out of it.”
5. The enemy is us
Despite the 24/7 reliance on mobile devices by most consumers, they don’t appear to be getting any smarter about security, researchers say. In 2012, 44 percent of adults were unaware that security solutions existed for mobile devices, according to Symantec’s Threat Report. That number rose to 57 percent in a 2013 Threat Report, released in April 2014. A lack of education among mobile users is partly to blame, according to report. Also, people who had feature phones with limited security requirements became smartphone users and weren’t aware of the need to install a security app.
Looking ahead, experts agree that mobile device malware and scams will only increase as users pack their mobile phones with more rich and sensitive data – and the implications will be even greater for businesses that hire young workers.
“Gen Y is a very social and sharing culture,” says Chris Silvers, owner and principal information security consultant CG Silvers Consulting in Atlanta. With a new generation of workforce emerging, “it’s going to be interesting to see how they handle [their sensitive information]. There’s so much information already out there – you just can’t go get it back.”