Malware is a word that strikes fear into the hearts of users of digital devices. Many of us associate it with attacks on networks or individual computers. It’s easy to forget that mobiles can also come under attack from malicious software.
Intelligent CIO spoke to: Anvee Alderton, Channel Manager for southern Africa, TrendMicro; Morey Haber, VP of Technology, BeyondTrust; Michael Morton, Mobile Security Specialist, Securicom; Riaan Badenhorst, General Manager, Kaspersky Lab; Erhard Brand, Product Owner, Entersekt; and Ian Jansen van Rensburg, Senior Manager: Systems Engineering, VMware, about the nature of the threat mobile users face from malware.
As Morey Haber, VP of Technology at BeyondTrust, points out: “Mobile device malware is appealing to cybercriminals because the attack does not require you to penetrate an organisation’s perimeter or cloud resources directly. All an attacker needs to know is the phone number of a potential target, the OS version of the target (unless they have a zero-day attack or social engineering exploit) and a delivery mechanism (e.g. SMS, Google Play Store, hijacked website).”
Michael Morton, Mobile Security Specialist at Securicom, believes there are various reasons for attackers to hone in on mobile devices. These include the array of OS versions available which make it more complex for IT to manage and protect as well as the amount and type of personal information that you store on your phone – such as banking applications with your financial information and photographs and memories that you don’t have backed up – the likes of which allow attackers to feel fairly confident that a victim will pay to get that information back.
Any industry that utilises mobile devices opens themselves up to the risk of mobile malware attacks but as Haber explains, the verticals generally more prone to targeted attacks are those who have ‘crown jewels’ that can be monetised or used for hacktivism. This includes financial organisations, governments and defence contractors.
Similarly, Morton highlights that the mobile applications most likely to be targeted are those which have the potential to obtain information or cause harm, including DropBox, OneDrive, GoogleDrive, Facebook, Skype and Twitter.
Vulnerability of Android
There are an estimated 1.4 billion Android devices in use today and Anvee Alderton, TrendMicro’s Channel Manager, says: “Attacks on Android devices made up 81% of mobile attacks last year.”
So, what is it about Android that makes it an easy target for attackers? Ian Jansen van Rensburg, Senior Manager: Systems Engineering for VMWare, explains that one such weakness comes from Android being an open-source operating system. This leads to an alarming number of OS versions available which makes it difficult to lock down and control all the vulnerabilities that emerge from this.
Haber also points to the following reasons for Android’s position as a target:
Screening – The Google Play Store is not as secure as the Apple Store and does not screen applications to the depth needed to prevent malware.
Fragmentation – Each mobile device vendor uses a stock version of Android and modifies it to meet their unique hardware and software requirements. This introduces vulnerabilities that are only remediated by the manufacturer, and not Google. Therefore, it is up to each vendor to create, deploy, and support updates. This is compounded by support provided by individual cellular carriers as well. This decentralisation and lack of clear update paths creates opportunities for threat actors to attack individual (or broad based) weaknesses.
Third party installation – Even though Android has a feature to block third party applications from being installed, it can easily be turned off to install other applications (outside of the Google Play Store). This introduces a high risk of having a malicious application loaded and forgetting to reset the option. In comparison, side-loading applications in Apple iOS is much more complicated and not as easy to exploit.
Risks to your organisation
As personal devices are increasingly being used in the workplace, a new era of cyber threats has been introduced to the enterprise. Despite this, CIOs are not adjusting their cybersecurity plans to accommodate for the change.
Before proactively protecting your organisation from the risks of mobile malware, it’s important to know what they are; as with any cyber threat, awareness is key for protection and prevention.
At device level, Riaan Badenhorst, General Manager at Kaspersky Lab, explains that as a result of a malware virus, users may notice the device slowing down, the presence of pop-ups, unwanted adverts, redirection to suspicious websites with harmful intent and in some cases the device can stop working completely.
BeyondTrust’s Haber claims malware on Android devices essentially becomes a ‘spy’ for threat actors, allowing them the ability for keystroke logging and screen capturing. These surveillance techniques can allow attackers access to confidential passwords, sensitive data and insider company intel.
At enterprise level, Jansen van Rensburg lists the risks of mobile malware as: bad publicity, loss of business partners and new and existing customers, disruption of business operations, increased costs and financial loss and litigation.
It’s important to remain aware of the fact that every time an employee connects a personal device to the corporate network, it presents a new and evolving challenge for the IT team managing these devices. These devices are not immune to the realities of mobile malware infections and most will carry business critical or sensitive information. Badenhorst reminds CIOs that as these devices become part of the company infrastructure, they present a potential entry point of choice for attackers to infiltrate the business, its servers and the opportunity to gain access to critical information.
Morton presents the following example to demonstrate how easy it can be for exploits to bypass your firewall using mobile devices as an entry point: “Let us use a corporate SharePoint as an example. SharePoint can be accessed on a laptop, but application developers have now also created an iOS and Android application. So, this gives employees access to the corporate SharePoint server behind your firewall. What can go wrong?
“The risk lies with the end user downloading the SharePoint application. Instead of using the Google Play store, the application now gets downloaded from a third party site. Although this application looks and feels like the real SharePoint application, exploits might have been built in to capture corporate information, or to imbed malicious content on a document that now sits behind your firewall, on the corporate network.”
Challenges in combating mobile malware
Despite user’s best intentions, Brand points out that occasionally mobile devices will have malware applications side-loaded on to them before they are sold, meaning they are in a rooted state on purchase. “It is possible to perform certain device-level checks to determine if a device is rooted,” Brand says. “While a rooted status is not necessarily an indication that a device has been compromised, it does mean that it would be a lot easier for malware to live there without being detected. Knowing the root status of a device informs the user that their data might be at risk and prompts organisations to take precautionary measures.”
Protecting different operating systems is also a challenge for CIOs; Apple iOS does not allow for antivirus solutions and older EOL Apple iPhones and iPads can no longer receive security updates and should never be used on the corporate network.
Morton sees protecting against mobile malware as a four-fold challenge for CIOs:
Physical threat: This is the possibility of physical loss or theft of a mobile device. Or hackers gaining access to the device and installing malicious software.
Network-based threats: When employees use their mobile devices to connect to the corporate Wi-Fi, they have access to a range of resources. This exposes the network to a range of threats and employees are also able to copy information from the network onto their devices which may not be adequately protected.
System-based threats: Manufacturers can sometimes introduce vulnerabilities unintentionally that can compromise devices.
Application-based threats: Malicious applications (malware) can perform operations on the device like compromising or stealing information.
Mitigating the risks
It’s not all doom and gloom and industry experts advise that CIOs who want to reap the many benefits that come from using mobile devices in the workplace need to adopt a multi-layer approach to security, relying on behavioural change as well as technologies.
Alderton suggests updating apps and operating systems on a regular basis; only downloading apps from trusted sources; paying attention to privacy settings on social media apps and sites; setting an automatic lock on mobile devices and not accessing key accounts or financial services when connected to an unsecure public Wi-Fi.
Badenhorst suggests that a security approach to BYOD should consider the following key aspects:
Effectively protecting all points and mobile devices connected to the corporate network: It’s important for a comprehensive security solution to ensure security across the entire network and not just focusing on mobile devices. Failure to do this could cause compatibility problems to arise and cause extra work for the CIO and IT security team.
Managing of mobile devices: It is worth employing appropriately qualified IT security specialists on the team who can provide centralised management of all mobile devices. These skilled employees can ensure all mobile applications are installed, removed and updated via corporate portals.
Dealing with lost or stolen devices: Businesses must develop robust scenarios for how to remove personal devices from the corporate network if they are lost or stolen, or if an employee leaves the company. A procedure should be developed to remove confidential data from these devices and block access to the corporate network.
Education of employees: Staff should be aware of the realities of cybercriminal activity and the need for device security. This can be achieved through an IT security education programme.