Jamie Andrews, EMEA Partner Director at Lookout, outlines the most popular tactics used by hackers to target individuals on their mobile devices and how best to mitigate these threats.
Apple’s iOS and Google’s Android smartphone operating systems and mobile application development have revolutionised the way we work today. They have allowed us to operate on the go and be available anywhere in the world, in any time zone, while offering all manner of convenience and practicality.
In fact, by 2022, the global mobile workforce is expected to increase from 1.45 billion to 1.87 billion. Tasks that were traditionally conducted from a desktop can now be done with the swipe of a finger, including checking work emails, downloading documents, accessing files remotely and even hosting conference calls.
This technological shift has meant almost all mobile workers have a smartphone. The fact is that mobile tariff subscriptions account for 97% of Europe’s population. Organisations are seeing increased levels of productivity as a result of this upward mobility and flexible working, which in turn drives corporate mobile management strategies that adopt a BYOD (bring your own device) model.
Ultimately, in many organisations, employees are encouraged to use their personal mobiles, tablets or notebooks to access corporate systems and data, and that flexibility is seen by many as a benefit. Unfortunately, these developments are creating an expanding attack surface which is leaving enterprise data and services vulnerable.
Traditional endpoints and security
Historically, protecting traditional, large form factor endpoints running Windows and Mac OS has been a priority for enterprises. Network perimeter solutions like firewalls, or endpoint security products like AV, have been employed to mitigate malware and provide email security, which helps reduce cyber attacks. The modern-day cybercriminal is highly advanced, organised, often well-funded, and technically astute.
Although effective in maintaining and increasing employee productivity, mobile devices are usually connected outside traditional firewalls, and typically lack endpoint security solutions. That is of course recognised by Cyber and Security operations teams as a considerable concern, as these devices have the same level of access to the company networks, systems and data as other endpoints.
There appears to be an underlying lack of understanding of the key threats challenging the security of the two main mobile operating system platforms we use, and/or a lack of awareness of the threats facing mobile devices.
Without visibility into the risks facing smartphone users, the situation for enterprises is troublesome. There is a misconception that smartphones today are immune to malware, but due to the low rate of dedicated security software on mobile devices, organisations simply aren’t aware of the spectrum of risks out there today.
It is key to understand there are several new attack vectors that expose vulnerabilities that the malicious actor is keen to exploit, and if not addressed, leave both the user and the enterprise open to threats.
Major mobile threats
Smartphones have opened a profitable new window of opportunity for cybercriminals who are eager to exploit these pocket-sized super computers. The manufacturers do their utmost to keep software updated and patched, but this only prevents exploitation by known threats.
The reality is that on-device security does not remediate new threats. For instance, hackers have been known to target the firmware and operating systems of mobile phones by bypassing the Mobile Device Management (MDM) software to obtain full control over the device.
The Pegasus spyware is the most relevant example of a highly sophisticated and targeted, high-impact threat for both iOS and Android devices.
Attack methods vary on mobile but generally follow the same ‘mobile kill chain’.
Firstly, hackers socially engineer the user, most commonly with malicious URLs either embedded into web pages and emails or, more predominantly, phishing links sent via SMS and popular social messaging apps.
While traditional email-based attacks still remain a problem, the proliferation of social media means hackers are now targeting instant messaging applications. The small form factor of a smartphone means it is more difficult to detect the usual tell-tale signs of a dubious link.
In some cases, to maximise the viewing space on the screen, the address bar is completely hidden from the user’s view. This makes it extremely difficult for individuals to ascertain the legitimacy of links/URLs.
It is unsurprising then to learn that users are three times more likely to click on a malicious URL on a mobile device. Mobile design modifications, which were intended to improve user experience, have inadvertently exposed individuals by giving hackers the cover to deploy phishing campaigns, resulting in a marked increase in the proliferation of surveillance and spyware, ransomware and stolen credentials.
While mobile phishing is largely prevalent, enterprises are vigilant to the other risks facing users. The spectrum of mobile risks has expanded, and where network threats were once an issue resolved by having firewalls in place, smartphones give hackers more avenues to exploit weaknesses.
Due to the high number of networks a mobile device encounters in a single day, attackers can exploit insecure or vulnerable networks that could lead to enterprise data being stolen through “man-in-the-middle” attacks and by attaching to rogue Wi-Fi networks.
Organisations should be wary of the applications being downloaded or installed from app stores, as these present a significant challenge. For instance, it is more common to find mobile apps with malware than PC applications with malware.
Critical vulnerabilities have been discovered within apps that could allow adversaries to compromise not only the information a user views in an app, such as business emails and login details, but also a victim’s cloud service account and all of the information tied to that account.
Dedicated mobile security is a necessity
Mobile threat defence is climbing up the risk register and will become integral to organisations’ cyber security strategies. The key to success is for organisations to adopt a Zero-Trust approach towards all devices. This will label the mobile device as untrustworthy, with access only granted once the risk has been mitigated to an acceptable level and the device is within expected security parameters.
Implementing network checks, sophisticated jailbreak and root detection prior to authentication into services, and phishing and content protection to act as a defence layer, is an excellent starting point. Validating apps and websites, alerting users as to whether a link or app is safe, frequent device health checks, vulnerability assessments and constant auditing are needed and must expand to cover all endpoints.
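The Zero-Trust gate described above can be sketched as a deny-by-default posture check that runs before authentication. This is an added example, not code from the article or from any vendor's product; the signal names, the three decision levels and the 60-day patch threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional

MAX_PATCH_AGE_DAYS = 60  # assumed policy threshold, not from the article

@dataclass
class DevicePosture:
    """Signals a hypothetical device agent reports; None = not reported."""
    rooted_or_jailbroken: Optional[bool] = None
    risky_app_installed: Optional[bool] = None
    on_untrusted_network: Optional[bool] = None
    phishing_protection_on: Optional[bool] = None
    os_patch_age_days: Optional[int] = None

def evaluate_access(p: DevicePosture):
    """Return (decision, reasons); decision is 'allow', 'limited' or 'deny'."""
    # Zero trust: a signal that was never reported counts against the device.
    missing = [f.name for f in fields(p) if getattr(p, f.name) is None]
    if missing:
        return "deny", ["no signal: " + name for name in missing]

    hard, soft = [], []
    if p.rooted_or_jailbroken:
        hard.append("device is rooted or jailbroken")
    if p.risky_app_installed:
        hard.append("app flagged as malicious is installed")
    if p.on_untrusted_network:
        soft.append("connected to an untrusted network")
    if not p.phishing_protection_on:
        soft.append("phishing protection is off")
    if p.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        soft.append("OS patch level is stale")

    if hard:
        return "deny", hard + soft
    if soft:
        return "limited", soft  # e.g. step-up auth or low-sensitivity apps only
    return "allow", []

if __name__ == "__main__":
    # Constructed sample devices, not real telemetry.
    samples = {
        "healthy": DevicePosture(False, False, False, True, 12),
        "cafe_wifi": DevicePosture(False, False, True, True, 12),
        "rooted": DevicePosture(True, False, False, True, 12),
        "silent": DevicePosture(rooted_or_jailbroken=False),
    }
    for name, device in samples.items():
        print(name, evaluate_access(device))
```

The "silent" device is denied even though its only reported signal is clean, which is the difference between a Zero-Trust gate and a blocklist.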
When discussing endpoint security, iOS, Android and Windows devices should be treated equally, but at present they are not. With the risk of mobile attacks growing on a daily basis, the number of incidents resulting in loss will increase through 2020 where organisations fail to harden their iOS and Android device fleets. The industry needs to recognise and react to this trend.