Most people love how their smartphone can provide a single point of access to their personal information, financial data, medical records, photos, videos and gaming apps, as well as work-related email, calendars, documents and other business and professional resources. Unfortunately, hackers and online thieves love smartphones as well, particularly because the easy access that these phones provide can be used to their advantage.
Unlike the heavily protected corporate network perimeter, employee smartphones are often more vulnerable. As a result, security experts report, the bad guys are targeting them as a convenient entry point for digital theft and business disruption. From there, hackers can access critical corporate and organizational information that can be hacked and stolen or locked down and held for ransom, ultimately generating substantial profits.
To facilitate this activity, these malicious actors are increasingly using mobile smartphone applications containing malware. “Apps are the new battleground,” said Jewel Timpe, senior manager, HPE Security Research at Hewlett-Packard Enterprise and one of the authors of the 2016 Hewlett-Packard Enterprise Cyber Risk Report.
Malware attacks involve downloading a software application—often something seemingly innocuous, like a game or flashlight app—that contains hidden code. This can allow hackers to take control of a digital device for a criminal objective, such as the theft of corporate or personal information or passwords that can then provide access to a company network, a bank account or medical records. Not all malware-laden apps are written with malicious intent. Some come with deliberate vulnerabilities in their coding or construction that can be exploited at a later time, while other benign apps without any apparent vulnerabilities are analyzed by malicious third-parties for security flaws, which are then exploited as the foundation of a future attack, known as a zero-day.
No matter the developer’s intention, the resulting threat is quickly becoming a widespread problem. “By the end of 2015, we saw in the app stores around the globe that approximately 10% of the 120 million mobile apps out there were infected with malware,” said Bruce Snell, cybersecurity director at Intel Security and one of the authors of the McAfee Labs 2016 Threats Predictions report.
Snell also noted that the number of unique kinds of malware jumped from six million at the beginning of 2015 to just over 12 million by the end of the year, and the category of malware specifically targeting mobile phones has seen dramatic growth. Timpe agreed, saying, “The mobile app space is really a wild, wild west where anyone can go and build an app, and that puts everyone who downloads that app at risk. Seventy-five percent of the mobile apps we scan have a critical vulnerability and that vulnerability could be an easy way for malware to be attached to that app.”
As the number of smartphone and tablet users grows, mobile malware is expanding its reach. Hewlett-Packard reports that more than 10,000 instances of new malware, threats and unwanted applications targeting the Android system are discovered daily, while Apple—previously considered impervious to malware due to its carefully guarded App Store—experienced the first major compromise of iOS applications in 2015. More than 4,000 legitimate apps were impacted after developers unknowingly used a maliciously modified version of Apple’s Xcode development tool.
Combined with the growing threat from ransomware, this has expanded the mobile malware risk landscape. Ransomware—malware designed to block access to a company’s data until a ransom is paid—has proven highly profitable, with many organizations agreeing to payouts. One ransomware package in particular has attacked hundreds of thousands of users worldwide and reaped $325 million in profit. Because of its success, Chris Elisan, chief data scientist at RSA Security, predicts an increase in the frequency of such attacks.
Malware Risk Factors
According to security analysts, many factors are making mobile apps a greater risk for corporate networks. One is the growth in the usage of smartphones and tablets coupled with the Bring Your Own Device (BYOD) phenomenon, in which employees access work data via their personal devices. “With the advent of BYOD and the global nature of mobile malware, we’re seeing an increase in overall network vulnerabilities,” said Siobhan MacDermott, a principal with EY’s cybersecurity advisory practice. This is because the devices used to access company data are the same devices on which employees are downloading potentially risky apps from third parties for personal use.
Other experts cite the poor construction of apps themselves as a risk factor, including the apps that companies build internally. Such apps are designed with good intentions, but are compromised when malware is embedded in the open source code libraries that many developers rely on. This can also impact an organization’s customers. According to an IBM-sponsored study by the Ponemon Institute, nearly 40% of companies do not scan their own mobile apps for security vulnerabilities.
Smartphone malware has also become a booming business due to the uptick in prices people are willing to pay to buy it. iOS-compatible software, for example, can fetch upwards of $1 million on the black market, according to Damon McCoy, professor of computer science at the New York University Tandon School of Engineering. “There is an entire marketplace for these types of malware,” he explained. This market is also developing to include prepackaged software-as-a service, which can be purchased by those who want to distribute malicious software without having to actually build it, making it easier and faster to initiate attacks and infect more devices.
Malware attacks are also growing more sophisticated. Last year, hackers identified the Stagefright security flaw, which allowed them to send malware to Android phones via text message. All it took to hack a phone was a single message—no clicking of links or downloads. Google ultimately provided patches, but not before a billion phones were infected.
MacDermott also noted a rise in mobile malware that targets individual executives and board members, allowing hackers or those engaged in corporate espionage to extract valuable information in a much shorter period of time. “We’re observing the personalization of malware, targeting top executives as opposed to broadly sending out emails to many employees hoping that someone clicks on a link,” MacDermott said. In addition, experts are seeing more polymorphic malware—malware with code that constantly changes its appearance in order to avoid detection by antivirus scans.
Mitigating Malware Risk
To prevent the onslaught of mobile malware, Liviu Arsene, senior e-threat analyst at Bitdefender, recommends that companies have a security policy regarding all devices connected to the company network, including mobile phones. “Such policies should restrict users from downloading apps and ensure that employees do not jailbreak or root their device, which would allow them to make system modifications that could allow for cyberattack,” he said.
Firms also need to be strict about enforcement in order to control what is being accessed within the network, by whom and at what time. It is critical to have security software installed on all mobile devices. If possible, companies should ask employees to make use of one phone for business purposes and another for personal use—the ideal set-up from a security perspective—to reduce risk. If an organization is not able to issue a dedicated company phone, it should turn to technology that allows for data isolation on the device itself, with one virtualized profile for personal use and another for work.
Other techniques include trying to quarantine and isolate less-trusted devices on a separate network and using monitoring and detection tools that constantly look for malware and can thus more quickly identify an attack.
MacDermott favors a layered security approach that includes using behavioral analytics on both the network and mobile side to study smartphone habits in order to identify any malware activity. Arsene recommends a mixture of signature-based security, heuristics and machine learning capabilities to help anticipate cyberattacks, while Elisan advocates an algorithm-based approach that can detect malware that may be changeable or hard to identify.
Overall, user behavior remains a key vulnerability. “A lot of security efforts involving smartphone apps come down to the education of employees who need to understand that, with every app download, they are adding layers of risk to the network,” MacDermott said.
To assist in their malware and cybersecurity defense efforts, companies can now call upon associations that allow security professionals to share information and develop standards and best practices for information-sharing, such as the Cyber Threat Alliance, formed by Intel Security, Palo Alto Networks and Symantec, and the Apiary, a threat intelligence and malware analysis system operated by security specialists at the Georgia Tech Research Institute.
“The advantage of a standard data structure for the sharing of cyberthreat information—including information about malware—is that it allows you to build automation tools,” Snell said. “We don’t always have people available to monitor 24/7 and so, in the future, we will rely heavily on automation.”
Regardless of the tools and techniques designed to prevent malware infections, analysts believe that the proliferation of smartphones and other mobile devices means that the impact of app risk and mobile malware is only going to grow. “Everything is going mobile now,” Elisan said. “As more and more new mobile devices keep getting connected to the network, malware will never be far behind.”