October 24, 2016

Mobile Malware Week – Tips for Consumers

While October is typically associated with spooky Halloween costumes and binging on sweets, October also means celebrating European Cyber Security Month. While it doesn’t involve any ghosts and ghouls, security threats are sometimes scary too, so the European Cyber Security Month (ECSM) initiative promotes awareness of cyber security issues and best practices for how everyone can stay safe online.

The last week of October is Mobile Malware Week, so to help raise awareness of mobile malware and give everyone the information they need to avoid it, we’ve partnered with Europol and the National Cyber Security Centre (NCSC) to give you the tips you need to protect yourself from mobile malware.

While mobile malware creators will always find creative ways to try and get their malicious software on your mobile device, there are a few simple ways you can adjust your behaviour to lower your risk of falling victim to mobile malware:

1. Only download from official app stores. If that free version of your favourite app shows up in a third party app store and sounds too good to be true, it probably is. While the app could have the same functionality it promotes, it could be stealing your information, charging you money, or slowing down your phone in the background as you play. It is also a good idea to check out an app’s reviews to make sure that it is credible before downloading.

2. Don’t fall for phishing scams. Phishing is where an attacker tricks you into giving over your personal information or other data the attacker might want. For example, a criminal may send you an email that looks like it came from your bank asking you to verify your password. Trust your instincts. If the request seems weird or oddly timed, head to the company’s official website and contact them directly to confirm if the request came from them. Phishing scams generally give themselves away with bad grammar and spelling, but others can look very realistic.

3. Think before you click. On the small screen of a mobile device, it can be hard to know if a link you’ve received in an email is safe, but clicking on a malicious link could lead you to a phishing scam or to download malware to your device without you knowing. If you receive a link from someone you don’t know, it is best not to click on it. You can always go right to a company’s website to access the webpage. If you notice a website with a spelling error, close it immediately — www.go0gle.com is not the same as www.google.com.

4. Think before you download. Just like you shouldn’t click on a link in an email that comes from someone you don’t know, you also shouldn’t download any attachments from that email, since they could be malicious.

5. Stay up to date. Malware can be used to exploit vulnerabilities in your mobile device’s software. Those software updates you receive from your carrier or manufacturer often include “patches” for these vulnerabilities. Whenever your carrier or manufacturer pushes a software update to your phone, make sure you update as soon as possible.

6. Install a mobile security app. No matter how careful you are clicking on links and downloading apps, sometimes you can accidentally download something you didn’t want. That’s why it’s nice to have a mobile security app, such as Lookout, ensuring all the websites you visit and the apps you download are safe. There’s nothing like peace of mind when it comes to protecting your mobile device and everything on it.

For more detailed tips on staying safe while mobile banking, and protecting yourself from web-based threats and mobile ransomware, check out Europol’s bank of useful assets.

In the spirit of raising awareness during ECSM and helping keep people safe, share this post on Facebook with your family and friends. Not only will you be offering great advice, you could win one year of Lookout Premium! We’ll be picking five winners on October 31st.

October 24, 2016

Mobile Malware Week – Tips for Enterprises

October sees the return of European Cyber Security Month, the EU’s annual advocacy campaign that aims to raise awareness of cyber security threats, promote cyber security among citizens and provide up-to-date security information through education and the sharing of good practices.

This year, 24th – 28th October is known as Mobile Malware Week, so Lookout has partnered with Europol and the National Cyber Security Centre (NCSC) to help raise awareness of mobile malware, educate users about it, and provide tips for how to stay safe.

Mobile Malware in the Enterprise

When it comes to mobile, many of the threats facing enterprises are the same as those encountered by consumers. Often, devices are dual function, serving both work and personal interests, and the device may or may not be owned by the enterprise. Problems can arise when corporate data finds its way onto devices that are outside the visibility or span of control of the IT team. As users spend more and more of their working day interacting with mobile devices, it is essential that businesses take note and expand their toolsets and policies to fit.

Mobile Malware – what is it?

Mobile malware is malicious software specifically designed to attack mobile devices, e.g. phones and tablets, and set out to harm a device or the data on the device. Attacks can often steal user data, commit financial fraud, negatively impact device performance and more. These threats can be the same as those encountered from a computer, but some malware attacks apps and is specific to mobile. Mobile malware can work in tandem with a computer, or act independently.

Malware Types

Different organisations may have different ways they classify or consider Mobile Malware, but here’s a basic overview:

  • Malware: Apps that steal user data, commit financial fraud, and/or negatively impact device performance.
  • Chargeware: Apps that charge users for content or services without clear notification or the opportunity to provide informed consent.
  • Adware: Apps that serve ads that interfere with standard operating experiences and/or collect excessive personal data that exceeds standard advertising practices.

There are also more granular classifications that include: app droppers, backdoors, bots, click fraud apps, spam apps, spyware, surveillanceware, toll fraud apps, and trojans. You can read more about them here.

Real life examples

Mobile devices attract highly targeted and sophisticated attacks. These are not solely the domain of the PC or network and in fact may take advantage of some of the capabilities of a mobile device, such as GPS and additional sensors. An example was the recent ‘Pegasus’ spyware, one of the most advanced pieces of mobile spyware ever seen by Lookout. Pegasus had the ability to compromise a device with one click, remain silently embedded and then spy on every aspect of the user’s mobile interaction. Pegasus could intercept credentials, contact data, location data, intercept mic and video recordings and steal encrypted messages from a number of popular apps and services.

Interestingly, Pegasus exploited several assumptions that are just as common to mobile devices as desktops: the existence of unknown or unpatched vulnerabilities, the willingness of users to click on unknown links, and over-reliance on existing security mechanisms (MDMs did not detect Pegasus).

A final consideration and a growing concern to enterprises is that even ‘good’ apps may introduce considerable risk. With many apps having the ability to connect to backend services, share data and regularly update themselves, enterprises increasingly need to know how this affects the organisation’s security posture. Having an awareness of apps in use and the ability to analyse the capabilities of those apps is an increasing requirement.

How to stay safe

While it’s true that more native safeguards exist, such as code-signing, app sandboxing and curated app stores, we also see attackers working around these safeguards and going for the weakest links. This often involves coming up with novel approaches to distribute malware.

In order to see what’s happening so you can do something about it, the best approach is to gain visibility into your mobile fleet – visibility is a necessary component of mobile security. While your employees might not know what they’re downloading, with the right tools, IT administrators can see, almost immediately, that a seemingly innocuous app is actually a threat to corporate data. A mobile security solution will help you do this.

A little awareness also goes a long way, so it pays to keep your users informed. Check out our consumer blog with some useful tips for end users. Also make sure your IT policy covers mobile and is understandable for end users.

Lastly, have a plan and ensure users know who to contact and how to react in case of a suspected compromise.

For more information, see Europol’s mobile malware guides, plus NCSC (formerly CERT-UK) and Lookout’s Mobile Malware in the UK whitepaper.

October 10, 2016

Google Android security bulletin October 2016: remote code execution vulns continue

The October Android Security Bulletin contains 78 patches for Android devices — 23 more than last month, yet the third highest since Google started releasing the monthly patches. The release reveals more remote code execution (RCE) vulnerabilities, which could allow an attacker to take over a device requiring very little interaction from the victim.

Given the fragmentation of Android, and the slower patch cycles for these devices, mounting RCE issues could spell trouble for individuals waiting for patches and companies whose employees use Android devices.

This is likely one of the reasons why Google is starting to put more pressure on its partners to update Android devices more frequently.  


October 4, 2016

Microsoft and Lookout: Securing all your endpoints begins today


Today, we are excited to announce that the Lookout Mobile Endpoint Security integration with Microsoft Enterprise Mobility + Security (EMS) is now generally available.

This means that while enterprise employees more seriously consider mobile devices to be an invaluable tool in their everyday working lives, enterprise IT teams don’t have to struggle to secure the rapidly increasing number of endpoints on their networks.


September 29, 2016

Here’s what I told the U.S. Chamber of Commerce about mobile security


On Tuesday, I had the great pleasure to speak at the U.S. Chamber of Commerce’s 5th Annual Cybersecurity Summit. This premier event convenes public and private sector leaders around one of our most pressing national security concerns. My presentation focused on how U.S. Government CIOs and security professionals can secure the next frontier for cyber attacks: the mobile device.


September 21, 2016

Enterprises: Only paying attention to big-name hacks? You may be missing the point


Security professionals are more likely to pay attention to breaches if the companies being breached already have recognizable names.

Seems like common sense. You see a headline that says, “Target point of sale technology hacked,” you’re much more likely to pay attention than, “Hospital in Kentucky suffers from ransomware attack.” Unless you live in Kentucky.

Security teams that do this, however, might be missing the big picture of how broad security incidents are and how they don’t just impact top names — everyone is at risk.


September 16, 2016

Four spyware apps removed from Google Play


We identified the Overseer malware in an application that claimed to provide search capabilities for specific embassies in different geographical locations. 

Through close collaboration with an enterprise customer, Lookout identified Overseer, a piece of spyware we found in four apps live on the Google Play store. One of the apps was an Embassy search tool intended to help travelers find embassies abroad. The malware was also injected as a trojan in Russian and European News applications for Android.

Google promptly removed the four affected apps after Lookout notified the company. All Lookout customers are protected from this threat.

Current variants of Overseer are capable of gathering and exfiltrating the following information:

  • A user’s contacts, including name, phone number, email and times contacted
  • All user accounts on a compromised device
  • Basestation ID, latitude, longitude, network ID, location area code
  • Names of installed packages, their permissions, and whether they were sideloaded
  • Free internal and external memory
  • Device IMEI, IMSI, MCC, MNC, phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user
  • Whether a device has been rooted in one of several ways


September 8, 2016

Former CSO of AT&T, Dr. Edward Amoroso, talks mobile attackers and how enterprise security teams should innovate



Dr. Amoroso is a former SVP and CSO of AT&T. He is currently on the board of M&T Bank and the CEO of TAG Cyber, which has just released the 2017 TAG Cyber Security Annual, a comprehensive reference guide for cyber security professionals.


September 2, 2016

Update: Lookout re-airing on 60 Minutes


Updated 9/2/2016: The segment will re-air on 9/4/2016. Interested in getting more in-depth information on our attack demonstrations? Read about how we did the Wi-Fi attack here and the mobile malware attack here.

Tonight, 60 Minutes featured Lookout co-founder John Hering and a number of other well-known and respected security researchers demonstrating mobile attacks.


September 2, 2016

Pegasus and Trident: Your questions answered

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Pegasus is a highly sophisticated piece of spyware that uses three previously unknown vulnerabilities called “Trident.” When strung together, these three vulnerabilities would allow an attacker to break out of the browser sandbox, jailbreak the device, and install the spyware. From there, the spyware can turn on the camera and mic, intercept text messages, and alter the existing apps on the device to spy on any encrypted or unencrypted data.

This is the most sophisticated mobile attack we’ve seen yet and marks a new era of mobile hacking.

In order to keep you informed about this ongoing and concerning problem, we’ve pulled together answers to the top questions we’re receiving from security professionals.

Consider this your official hub for all things Pegasus and Trident. Read on.
