The threat situation for enterprise security is more volatile than ever before: the speed with which mobile devices create new mobile risks and revive known threats in new forms is immense. The conclusion for 2018: mobile ransomware that increasingly attacked companies, a dramatic rise in banking Trojans, and fake apps and droppers as universal delivery vehicles.
Data extraction through legitimate apps
9.9 million smartphone users were hit by mobile malware in 2018, according to Kaspersky. Mobile malware is a collective term for apps that cause damage to the owner of the smartphone on which they run. The boundaries are blurred: it doesn’t always have to be ransomware that takes the smartphone hostage. For some managers, the topic of enterprise security or cyber risk starts with Facebook or WhatsApp.
And not without good reason. Around two thirds of all apps offered in the official app stores of Google and Apple have the ability to “exfiltrate data” – they extract data from the user’s smartphone. With the user’s consent, but usually without their knowledge. The basis for this: page-long terms of service or terms and conditions that hardly any user ever reads through. In an app society in which the speed and ease of use of services are of immense importance, we all click “Agree” to confirm a bundle of terms and conditions that we are generally not even aware of. We agree in passing that the app will have access to data and services that are not strictly necessary for its functionality. We “pay” for the (free) app by giving it access to our data. Security experts see this unwanted data leakage as the biggest security threat to companies, because it is the most widespread.
Legitimate app, legitimate data extraction – by giving their consent, users agree to this. And ultimately the user becomes responsible. On a private smartphone, such app behavior may be acceptable; in a business environment, undermining enterprise security through mobile risks can be very costly in light of legal regulations such as the GDPR. It doesn’t matter whether the device in question is a BYOD device or one provided by the employer – if business data is stored on the device, it must be secured accordingly.
Attack vector number one: apps
Loss or theft of smartphones, insecure networks – experts recognize three main attack vectors when companies rely on mobile productivity: the device itself, the networks that allow access to company resources, and the apps. Apps are and remain the main attack vector. This is where the greatest and most frequent mobile risks arise. The risks for companies start with legitimate services. Not only do they, as described above, extract data with the user’s consent; studies also show that the majority of apps available in the official stores have weaknesses in their code that make them vulnerable to attacks. iOS is only marginally better positioned than Android in this respect.
Mobile risks due to malware
Alongside these two risks inherent in legitimate apps is genuine mobile malware. In particular, users who obtain apps outside the official stores significantly increase the risk potential for their company. These apps do not pass through the security checks of the major app store providers. Criminals have recognized this opportunity and are therefore increasingly relying on SMS and messenger apps instead of email to advertise their malware and get users to download it directly from unsecured sites.
The good news: interest in cryptominers (cryptojacking) declined significantly in 2018 – partly because there is no longer as much money to be made with cryptocurrencies. The number of mobile apps distributing adware also fell slightly. With adware, the mobile device is mostly used to generate clicks on advertising banners. The World Federation of Advertisers estimates the damage caused to the advertising industry by this type of fraudulent click at 19 billion US dollars every year.
A look at current analyses shows that 2018 was dominated by four types of malware: droppers, mobile ransomware, banking Trojans and fake apps.
Dropper
According to Kaspersky, droppers are the tool of choice for cybercriminals who specialize in mobile malware. Droppers are a kind of carrier that conceals the actual malware. They become a Pandora’s box: any type of malware can “fall out” of them. Droppers act as a protective shield that prevents the malware from being detected. They constantly generate new file hashes to fool detection software, while the actual malware code inside the dropper remains unchanged. In addition, droppers allow any number of files to be created. Malware developers exploit this, for example, to deploy their platforms in fake app stores.
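To make the hash-churn point above concrete, here is an added defender-side example (not from the original article; the container layout is a constructed toy format, not any real dropper's): the same inner payload wrapped in two containers with different nonces and padding yields two different file hashes, so a whole-file hash blocklist misses the second build while a blocklist keyed on the extracted payload still catches it.

```python
import hashlib
import struct

# Constructed toy container layout (illustration only, not a real dropper format):
#   4-byte magic "DRP1" | 8-byte nonce | 4-byte big-endian payload length | payload | trailing junk
MAGIC = b"DRP1"
HEADER_LEN = 16

# Constructed sample payload: inert text standing in for the inner code that never changes.
PAYLOAD = b"inner-payload-v1:unchanged-between-builds"

def _container(nonce: bytes, junk: bytes) -> bytes:
    """Assemble a sample container around the same PAYLOAD (test data only)."""
    return MAGIC + nonce + struct.pack(">I", len(PAYLOAD)) + PAYLOAD + junk

# Two builds of the "same" dropper: only nonce and junk differ, so the outer file hashes differ.
SAMPLE_A = _container(b"\x01" * 8, b"\xaa\xbb\xcc")
SAMPLE_B = _container(b"\x02" * 8, b"\xdd")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extract_payload(blob: bytes) -> bytes:
    """Parse the toy container and return the embedded payload, rejecting malformed input."""
    if len(blob) < HEADER_LEN or blob[:4] != MAGIC:
        raise ValueError("not a DRP1 container")
    (length,) = struct.unpack(">I", blob[12:16])
    payload = blob[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return payload

def classify(blob: bytes, outer_blocklist: set, payload_blocklist: set) -> dict:
    """Check a file against a whole-file hash blocklist and a payload-hash blocklist."""
    outer_hit = sha256_hex(blob) in outer_blocklist
    try:
        payload_hit = sha256_hex(extract_payload(blob)) in payload_blocklist
    except ValueError:
        payload_hit = False  # not a recognised container: only the outer hash can match
    return {"outer_hash_hit": outer_hit, "payload_hash_hit": payload_hit}

def demo() -> dict:
    """Seed both blocklists from SAMPLE_A, then test the re-hashed build SAMPLE_B."""
    outer_blocklist = {sha256_hex(SAMPLE_A)}
    payload_blocklist = {sha256_hex(extract_payload(SAMPLE_A))}
    return {
        "known_build": classify(SAMPLE_A, outer_blocklist, payload_blocklist),
        "rehashed_build": classify(SAMPLE_B, outer_blocklist, payload_blocklist),
    }

if __name__ == "__main__":
    print(demo())
```

The same lesson applies to real samples: indicators keyed on the unpacked payload, or on behavior, survive repacking, whereas indicators keyed on the outer file hash expire with every new build.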
Mobile ransomware
Mobile ransomware is not a new topic. While the number of ransomware infections declined overall, the number of mobile ransomware infections rose by around a third in 2018 compared to the previous year. It is worth noting that mobile ransomware attacks are now increasingly targeting companies. Over four-fifths of ransomware infections affected companies.
Banking Trojans
Banking Trojans experienced a boom in 2018. The volume of banking Trojans detected rose by 1500 percent. Banking Trojans pose as official apps that handle the user’s financial transactions. In reality, they spy on the user and capture the credentials used for those transactions. They can also automatically install other malware on the smartphone, including keyloggers and additional spy apps. As a result, banking Trojans also create risks for the company.
Fake apps
The McAfee analysts recorded an even greater increase in fake apps. Fake apps are a type of malware that imitates popular apps. In 2018, it was the popularity of Fortnite that encouraged cybercriminals to produce fake apps. The use of the same images, identical music and the same loading screen made the clones very convincing. However, it was not the expected app that was installed, but an app from an insecure source. The user is tricked into believing that a new beta version of Fortnite has failed to install and is merely redirected back to the official App Store. Meanwhile, the app that has actually been loaded stays hidden in the background and can install other apps or leak data from there.