Showing posts with label mobile apps. Show all posts

Malware in fake Fortnite Android apps is already spreading



Malicious websites offering Android versions of Fortnite downloads have been discovered already, just days after the game was officially launched as a beta outside of the Google Play Store.
Developer Epic Games had already announced the game would not be available through Google Play, in a move that avoids it having to pay Google’s 30% cut on all purchases made, and instead provides the game as a download through its own website.
In a Wired report, the publication found seven websites advertising Fortnite for Android, all of which were then identified as carrying malware by security experts Lookout. Upon investigation, the most common malware fools downloaders into visiting websites loaded with ads, on the promise of a code or opportunity to download the Fortnite game.
It’s also pointed out that before Google and Bing responded to complaints, the top search result for an Android version of Fortnite led not to the official version, but one loaded with malware.
Lookout’s Christoph Hebeisen told Wired why Fortnite not being available in the Google Play Store makes it interesting:
“When we are looking at fake apps that pretend to be a particular game, and that game is available on the Play Store, there’s a fairly high barrier for people to download that game from somewhere else, because they know that’s not a legitimate source.”
Fortnite does not have this safety barrier, and the consequences are already evident.

Millions of Android devices forced to mine Monero for crooks

No device is safe from criminals looking to make it stealthily mine cryptocurrency for them. However weak its processing power is, it still costs them nothing.
With that in mind, forced crypto mining attacks have also begun hitting mobile phones and tablets en masse, either via Trojanized apps or redirects and pop-unders.
An example of the latter approach has been recently documented by Malwarebytes’ researchers.

The attack

“In a campaign we first observed in late January, but which appears to have started at least around November 2017, millions of mobile users (we believe Android devices are targeted) have been redirected to a specifically designed page performing in-browser crypto mining,” the researchers shared.
The number might be even higher than that, as they believe that some of the browser-hijacking domains remain undetected for now.
The attack goes like this: users are redirected via malvertising chains to malicious websites. In this particular campaign, Internet Explorer and Chrome users were directed to sites serving tech support scams, but Android users were delivered to a crypto mining page:
Interestingly enough, the page says that the browser will mine cryptocurrency until the user proves that he or she is human by solving a CAPTCHA. But the warning and the test are bogus – they are just a way to make the forced mining acquire a whiff of legitimacy.

How widespread and effective is this scheme?

The researchers identified several identical domains all using the same CAPTCHA code but using different Coinhive site keys in the mining script.
Two of these domains have received over 66 million visitors since November 2017, and they estimate that the combined traffic from the five domains they identified so far amounts to about 800,000 visits per day, with an average time of four minutes spent on the mining page.
How much Monero could this operation yield, you wonder? It’s difficult to say, exactly.
“Because of the low hash rate and the limited time spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over,” the researchers noted.
They also pointed out that, while these devices are less powerful than desktop computers, there is also a much greater number of them out there. Add to this the fact that many users don’t bother installing security apps on their smartphones and tablets, and you have a recipe for low-effort, long-term and widespread stealthy crypto-mining.

Advice for users

“While Android users may be redirected from regular browsing, we believe that infected apps containing ad modules are loading similar chains leading to this crypto mining page. It’s possible that this particular campaign is going after low-quality traffic—but not necessarily bots—and rather than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner,” the researchers said.
If you’re an Android user and you’ve started seeing these bogus pages on the regular, chances are one of the apps you recently downloaded is the culprit. Uninstalling it should fix the problem unless it has some kind of persistence mechanism.
In general, it is a good idea to install a reputable security solution on your device to check each and every app you download and install for malicious code and behavior.

Why Users Block Ads on Mobile

A new study has been conducted and released by Free Adblocker Browser (FAB), which is a mobile browser option for Android devices. This browser has a built-in ad blocker, and they were looking to learn what types of things prompt users to start blocking services. With this in mind, they surveyed US consumers to discover their reasoning.
One statement put to respondents was, “Publishers need to make money – either by showing ads or by asking for users’ payments.” To this, 55.9% said that they agree, 12.5% said they strongly agree, 21.1% do not agree, and 10.5% strongly disagree. This may be a cause for some concern. If more than 31% of all users believe that publishers do not need to make money, it reveals an obvious misunderstanding of how the Internet works and where all the content is coming from.
The survey also looked at what types of ads people dislike the most. 49.8% said that pop-ups were the worst, 20.2% said non-skippable video ads, 10.6% said auto-play video ads, and 9.4% said banner ads. It is understandable that some people don’t like the auto-play ads, given that it can eat into data plans without any benefit to the users.
One other interesting point that came from the survey is that while 68.4% of participants said that they know that high-quality content takes time and money to produce, 60% of them said that they do not subscribe to any sites that offer premium content.
As ad blocking becomes easier and easier, many brands and marketers are going to have a hard time getting their message out.

via Pacedm

180M Smartphones Vulnerable To Hacker Eavesdropping


Appthority, the enterprise mobile threat protection company, announced on Thursday (Nov. 9) that it had published research on its recent discovery of a so-called Eavesdropper vulnerability, in which hackers can intercept texts, voice messages and other user data from millions of smartphones through their mobile apps.
In a press release, the company said the cyberattack vulnerability is caused by “developers carelessly hard coding their credentials in mobile applications that use the Twilio Rest API or SDK, despite best practices the company clearly outlines in its documentation.” Twilio, said Appthority, has reached out to all developers with affected apps and is actively working to secure their accounts.
According to the company, Appthority mobile security researchers have identified this as a real and ongoing threat affecting close to 700 apps in enterprise mobile environments, over 170 of which are live in the official app stores today. Affected Android apps have been downloaded up to 180 million times, the company said.
What’s more, the company said the issue is not specific to developers who create apps with Twilio. Hard coding of credentials is a common developer error that increases the security risks of mobile apps. Appthority researchers are finding that developers who hardcode credentials in one service are likely to make the same error with other services.
Examples of apps with the Eavesdropper vulnerability include an app for secure communication for a federal law enforcement agency, an app that enables enterprise sales teams to record audio and annotate discussions in real time, and branded and white-label navigation apps for customers such as AT&T and U.S. Cellular, the mobile threat protection company stated in its press release.

“Eavesdropper poses a serious enterprise data threat because it allows an attacker to access confidential company information, which may include a range of sensitive information often shared in an enterprise environment, such as negotiations, pricing discussions, recruiting calls, product and technology disclosures, health diagnoses, market data or M&A planning,” said Seth Hardy, Appthority director of Security Research in the release. “An attacker could convert recorded audio files to text and search a massive data set for keywords and find valuable data.”
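
A pre-release check for the hard-coded credential pattern described above, as an added example that is not from Appthority or Twilio: it scans app source or decompiled output for a Twilio Account SID (the prefix AC followed by 32 hex characters) and raises the severity when a 32-hex-character string, the shape of an auth token, sits within a few lines of it. The file suffix list, the three-line window and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Twilio Account SIDs are "AC" + 32 hex chars; auth tokens are 32 hex chars.
SID_RE = re.compile(r"(?<![0-9A-Za-z])AC[0-9a-f]{32}(?![0-9A-Za-z])")
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-f]{32}(?![0-9A-Za-z])")
WINDOW = 3  # lines either side of a SID to search for a token (assumed heuristic)


def scan_text(name, text):
    """Return one finding per Account SID, graded by whether a token is nearby."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for sid in SID_RE.findall(line):
            nearby = lines[max(0, i - WINDOW): i + WINDOW + 1]
            has_token = any(TOKEN_RE.search(l) for l in nearby)
            findings.append({
                "file": name,
                "line": i + 1,
                "sid": sid[:6] + "...",  # never echo the full identifier
                "severity": "high" if has_token else "medium",
            })
    return findings


def scan_tree(root, suffixes=(".java", ".kt", ".xml", ".smali", ".json", ".js")):
    """Scan source or decompiled files under root (suffix list is an assumption)."""
    out = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            out += scan_text(str(p), p.read_text(errors="ignore"))
    return out


# Constructed sample, not a real credential pair.
SAMPLE = '''
public class Sms {
    static final String ACCOUNT_SID = "AC0123456789abcdef0123456789abcdef";
    static final String AUTH_TOKEN  = "fedcba9876543210fedcba9876543210";
}
'''
# Hypothetical backend endpoint: the app calls a server that holds the credentials.
SAMPLE_SAFE = 'String endpoint = "https://api.example.com/sms";'

if __name__ == "__main__":
    for finding in scan_text("Sms.java", SAMPLE):
        print(finding)
```

A "high" finding means both halves of a credential pair appear to ship inside the app; the remedy is to rotate the credentials and move the API calls behind a server the app authenticates to.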

via pymnts

The Spectrum of Mobile Risk: What Enterprises Need to Know Now



The ubiquity of mobile devices leaves organizations open to new risks, new vulnerabilities and new threats. Mobile security best practices for the enterprise need to start with a comprehensive analysis of the risks—which can come from unexpected new directions.
The new Spectrum of Mobile Risk report from Lookout lays out how enterprises should approach risk assessment in the mobile world. Using the Mobile Risk Matrix, enterprise security leaders can easily assess the risks to the mobile apps, devices, networks and content within their enterprise—the vectors through which enterprise data can be exposed to risk.
Let’s take a closer look at some examples in the Spectrum of Mobile Risk.

Network-Based Risks

Network-based attacks are a real problem. Lookout found that almost 1% of enterprise devices encountered a network-based threat, such as a man-in-the-middle (MITM) attack, in the past year. That may not sound like a big number, but if you have more than 100 employees using devices, it means it’s likely that your company will be subject to a MITM attack.

App-Based Risks

Similarly, employees may install apps that access more information than they realize. In order to enable an app to function, app developers often ask for a wide range of permissions on the device, accessing and sometimes transmitting data including photos, documents, contact lists and messages. Often, such access may not be compliant with the enterprise’s risk policies as it pertains to sensitive enterprise data.
Lookout has a unique view into the mobile ecosystem because of the over 100 million devices from which we are able to collect security data. Lookout has obtained and analyzed over 40 million unique mobile applications and acquires up to 90,000 apps every day.
Looking at this data, we determined that 30% of iOS devices used in the enterprise contain apps that have the ability to read contact information on the device. Seventy-five percent of apps have access to the camera, and 43 percent have access to Facebook. Data left unprotected in this way could cause headaches for internal security and compliance teams.

Device-Based Risks

Once an attacker compromises a device, he can get access to any app or other piece of data, encrypted or not. For example, an exploit such as the highly sophisticated, targeted threat Pegasus had device-level access and was able to see all activity on the infected phone and siphon off large quantities of valuable and sensitive information. Pegasus waited until the apps eventually decrypted data in order to display it to the end user.
Attackers who are able to compromise the device are also able to achieve much stealthier spying operations. Because malicious apps often do not have the same permissions as a device-level attack, they sometimes set off alerts on the phone when accessing the camera, microphone or other elements. With a device compromise, an attacker can silently manipulate the smartphone without any indication to the user that something is wrong.

Web- & Content-Based Risks

Phishing attacks are one of the main ways attackers are able to gain entry into the enterprise. By coordinating any of the above vectors, an attacker could gain enough information to impersonate an employee and gain deeper access into a system. Phishing campaigns executed via SMS messages are an example of a web and content threat.

Using the Spectrum of Mobile Risk & Mobile Risk Matrix to Protect Your Business

The risks are real. So how can enterprises respond effectively? We recommend conducting a matrixed analysis of the risks your enterprise actually faces.
First, consider the Mobile Risk Matrix, specifically the threats, vulnerabilities and risky behaviors and configurations within each vector. These components of risk, matrixed with the threat vectors, allow you to conduct a more complete and nuanced analysis of your enterprise risk profile.
For example, Lookout analysis of anonymized customer data reveals that over the course of two quarters, 47 out of 1,000 Android devices in the enterprise encountered app-based threats, or malicious apps that could steal data, take over devices or give access to attackers. That’s an app-based threat; if you allow employees to use Android devices and they have free rein to install apps, your organization needs to be aware of this risk and take steps to mitigate it.
In our next blog post, we’ll discuss how enterprises can address the Spectrum of Risk through a comprehensive approach using both mobile management and threat defense tools to find and remediate threats as they happen. For more information and additional details on each component of the matrix, download our free, one-page Mobile Risk Matrix.
As chief product officer at Lookout, Santosh Krishnan oversees all Lookout’s predictive security solutions that protect individuals and enterprises alike from mobile attacks. Santosh is responsible for the ongoing development of Lookout Mobile Endpoint Security, providing enterprises with comprehensive risk management across iOS and Android devices to protect against app, network and device-based threats while providing visibility and control over data leakage. With a background in both product management and venture capital innovation, he and his team focus on how to protect against current security threats, while creating security to better prepare for the future.
Lookout is a member of the VMware Mobile Security Alliance.
