It really is a great time to be a mobile threat. With mobile devices more important than ever in our daily lives, attackers are exploiting a hidden corner of the enterprise attack surface.
The rise of the mobile device
In the past, data, endpoints, and users could be kept within the office. Mobile devices, BYOD programs, and remote work have since made the boundaries of enterprise IT hard to define.
Mobile devices are now central to enterprise IT. Even as far back as Zimperium’s 2019 State of Enterprise Mobile Security report, 60% of enterprise endpoints were mobile devices, and 80% of daily work was performed on a mobile device.
Whether issued by the company, purely personal, or part of the BYOD program, mobile devices often sit outside the company’s security controls and are used by users who are not security-minded.
Attackers see an opportunity. Although cybercriminals have traditionally focused their efforts on conventional endpoints, mobile devices have drifted squarely into their sights.
Many believe that mobile devices are more secure than traditional endpoints, but that belief is hard to square with the record number of security patches produced each year and with each new wave of mobile malware, malicious networks, and mobile phishing attacks. Cybercriminals are actively looking for ways to exploit these vulnerabilities.
Where good mobile devices become bad
Mobile threats often originate from app stores, where many types of mobile malware pose as legitimate apps. Often these are unofficial app stores, which lie outside Google’s and Apple’s review processes. Apps can also be sideloaded directly from developers’ websites, which likewise bypasses app store protections.
The security controls of official app stores are stronger, but attackers have found inventive ways to evade scrutiny, including weaponizing apps only after they have been published. Last year we found a malicious app family on Google Play called GriftHorse, which surreptitiously subscribed its users to unwanted premium services and charged them €36 per month. Google removed the apps immediately, but not before the attackers had taken at least 10 million euros from unsuspecting victims.
As Sun Tzu once said: “There is no place where it is not possible to spy.” Spyware embodies this statement perfectly: it turns a personal mobile device into a corporate bug the moment it enters an office in someone’s pocket.
Spyware has been around for decades, but the best-known example today is Pegasus. Its alleged victims include members of Gulf royal families, French President Emmanuel Macron, the US State Department, and Amazon founder Jeff Bezos. Pegasus appears to have targeted thousands of journalists, activists, business people, government officials, and ordinary citizens. Pegasus has been exposed, but it is only the tip of the iceberg.
Last year, we discovered a piece of spyware called PhoneSpy. It targets South Korean citizens and masquerades as a suite of lifestyle apps. Once installed, PhoneSpy can exfiltrate data from the phone and remotely control its camera and microphone while hiding its presence from the victim. We discovered 23 apps carrying PhoneSpy, secretly monitoring thousands of victims. The truth is that there could be up to 20 families of enterprise-grade spyware in the wild, monitoring a variety of organizations, businesses, and individuals without their knowledge.
Defense against mobile threats
Enterprise computing is now mobile, and mobile makes up a large part of the enterprise attack surface. It is a vector we all carry in our pockets, wherever we go. Threat actors now use this blurring of the line between personal and professional use to reach companies through the personal devices of their employees.
This blurring has become entrenched over the past few years. Mobile devices and remote capabilities were key to keeping businesses running during the global pandemic, and in our personal lives we all rely more on our mobile devices to entertain ourselves and stay in touch with dispersed social circles.
Digital transformation has boomed in the past 18 months. McKinsey estimates that adoption rates have accelerated by three years since the pandemic began. Mobile and distributed remote work is likely to remain a built-in feature of post-pandemic work.
To secure this largely unrecognized vector, organizations can look to mobile threat defense (MTD). Combined with a zero-trust approach, MTD technology can assess the security posture of individual mobile devices, alert the organization to threats, and block access. It can verify that a device is not infected, jailbroken, or otherwise compromised, and protect corporate data if a threat arises.
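As an added illustration of the zero-trust posture gating described above (example code written for this article, not Zimperium’s product or any MTD vendor’s API), the following policy maps hypothetical MTD findings for a device to an access decision and the response actions an organization would take; the report fields, threshold, and sample devices are constructed assumptions.

```python
# Added example: a minimal zero-trust access policy driven by MTD-style
# device posture reports. Field names, the patch-age threshold and the
# action names are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PostureReport:
    device_id: str
    os_patch_age_days: int                  # days since the last OS security patch
    jailbroken: bool = False                # jailbreak/root detected on the device
    malware_detected: List[str] = field(default_factory=list)  # e.g. sideloaded spyware
    hostile_network: bool = False           # rogue access point / interception detected
    sideloaded_apps: int = 0                # apps installed outside the official store


MAX_PATCH_AGE_DAYS = 90  # assumption: policy threshold chosen for this example


def evaluate(report: PostureReport) -> Dict[str, object]:
    """Return the access decision and response actions for one device."""
    alerts: List[str] = []
    actions: List[str] = []
    decision = "allow"
    # The device itself is compromised: block it and protect corporate data
    if report.jailbroken:
        alerts.append("jailbroken")
    if report.malware_detected:
        alerts.append("malware:" + ",".join(report.malware_detected))
    if alerts:
        decision = "block"
        actions += ["revoke_session_tokens", "wipe_managed_data"]
    # Hostile network: block access, but the device is intact, so no wipe
    if report.hostile_network:
        alerts.append("hostile_network")
        if decision == "allow":
            decision = "block"
    # Hygiene problems degrade access instead of blocking it outright
    if report.os_patch_age_days > MAX_PATCH_AGE_DAYS or report.sideloaded_apps:
        alerts.append("hygiene")
        if decision == "allow":
            decision = "restricted"
            actions.append("require_remediation")
    if alerts:
        actions.insert(0, "notify_soc")   # every finding is surfaced to the SOC
    return {"device": report.device_id, "decision": decision,
            "alerts": alerts, "actions": actions}
```

A clean device is allowed through, a device carrying spyware is blocked and its managed data protected, and a merely unpatched device is restricted until remediated.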
Mobile devices are now an essential part of the enterprise attack surface. They reach well beyond most enterprise security controls, often without their owners’ understanding. Attackers have recognized this, even if companies have not.