Mobile devices have rapidly become ground zero for a wide spectrum of risk that includes malicious targeted attacks on devices and network connections, a range of malware families, non-compliant apps that leak data, and vulnerabilities in device operating systems or apps.
Just as the PC radically changed the way we operate as a society, now it's mobile that's transformed our lives and work. In Botswana, for example, it has been reported that mobile penetration has surpassed 170%. Speaking during the official opening of the World Telecommunication/ICT Indicators Symposium held in Gaborone, Botswana Communications Regulatory Authority (BOCRA) Chief Executive Thari Pheko said the country’s communications sector is steadily developing, particularly the mobile communication sector.
This change from PC to mobile has created a perfect storm: mobile devices holding increasing amounts of sensitive data, operating in an ecosystem where malicious code, malicious networks, and compromised operating systems are proliferating wildly.
While Apple and Android have made strides in creating more secure and robust operating systems, malicious actors continue to pump out new and more deceptive malware. What’s more, security is still not a top priority in app design, with some apps allowing users to store or pass credentials in the clear or by using weak encryption. “That’s still going on and it shouldn’t be,” says John Shier, senior security advisor at Sophos.
Couple those weaknesses with the ubiquity of mobile devices in the workplace and the proliferation of BYOD (Bring Your Own Devices) without sustainable BYOD policies, and you’ve got the perfect recipe for mobile attacks on the enterprise.
Almost half of information workers today are using bring-your-own laptops, 68 percent are using their own smartphones, and 69 percent are bringing their own tablets to work, according to Forrester’s annual security survey. “Obviously, the risks are high, especially when you look at all the corporate data that’s held on these devices, such as customer information, intellectual property, contracts, competitive data and invoices,” not to mention the potential access to corporate networks themselves, says Chris Sherman, Forrester senior analyst. With such close proximity to corporate network access, voice activation and GPS tracking, state actors are looking at ways to infect mobile devices with spyware. The tactic has proven successful on both iOS and Android devices.
In August 2016, Pegasus spyware was released, capable of hacking any iPad or iPhone to harvest data about the victim and conduct surveillance on them. Researchers also uncovered three iOS 0-day vulnerabilities that, when exploited, formed an attack chain that subverted even Apple's strong security environment. Apple quickly fixed all three Trident iOS vulnerabilities in its 9.3.5 patch.
By April 2017, malware authors struck again, this time with a version of Pegasus spyware for Android that masquerades as a normal app download while secretly gaining root access to a device to conduct broad surveillance on the user over time. Since then, Google has bolstered security measures, including Play Protect security within the Play Store.
A recent example of ransomware targeting mobile devices was Charger, found in 2017 and bundled with EnergyRescue. The malicious snooping app was briefly available on Google Play and targeted Android devices before being pulled. Charger demanded 0.2 Bitcoins and threatened to sell the victim's personal information on the black market if the ransom was not paid.
Last Thursday, 21 September 2017, researchers at MalwareHunterTeam, a research group focused on ransomware, spotted ransomware called nRansomware. The perverse twist to this particular ransomware is that instead of demanding payment in money, the attackers are requesting nude photos to decrypt the mobile device. The researchers suggest that this could be a prank, as there is no evidence of the ransomware actually encrypting files.
Look out for our next posting providing mobile safety and privacy tips.