Today’s advanced mobile devices are well integrated with the Internet and have far more functionality than mobile phones of the past. They are increasingly used in the same way as personal computers (PCs), potentially making them susceptible to similar threats affecting PCs connected to the Internet. Since mobile devices can contain vast amounts of sensitive and personal information, they are attractive targets that provide unique opportunities for criminals intent on exploiting them. Both individuals and society as a whole can suffer serious consequences if these devices are compromised. A multitude of threats exist for mobile devices, and the list will continue to grow as new vulnerabilities draw the attention of malicious actors. This article provides a brief overview of mobile device malware and provides information on the following threats to mobile devices:
- Social engineering;
- Exploitation of social networking;
- Mobile botnets;
- Exploitation of mobile applications; and
- Exploitation of m-commerce.
Malicious actors have created and used malware targeted at mobile devices since at least 2000. Malware campaigns have targeted users of the Google Play store almost since its inception, from the very first banking Trojan on Google Play, dubbed Droid09, to the latest latent ad-click fraud and Bitcoin-mining apps that plague the store week after week today. The Google Play store is under siege. What has changed over the years is the growth in the number of infected devices, which now typically reaches into the millions as new aggressive campaigns are discovered.
2017 has also seen mobile banking Trojans delivered as fake updates or through targeted email or SMS phishing. But the most sophisticated so far has been the Android/LokiBot malware, which takes all the functions of Android/Marcher and adds crypto ransomware capabilities, among other malicious activities. It can encrypt files and lock devices, send phony notifications to trick users to open their online banking apps, and even allow the attacker to impersonate the victim’s IP address for use in other fraudulent activities. Android/LokiBot has targeted more than 100 financial institutions around the world.
One of the more common methods of spreading malware on the Internet is social engineering. Most malicious activity succeeds because users are deceived into believing it is legitimate. Phishing is the criminal act of attempting to manipulate a victim into providing sensitive information by masquerading as a trustworthy entity. This technique is a well-established, significant cyber threat, and mobile devices provide unique opportunities for phishing, including variants such as vishing (voice phishing) and smishing. Smishing is a form of social engineering that exploits SMS, or text, messages. Text messages can contain links to such things as web pages, email addresses or phone numbers that, when clicked, may automatically open a browser window or email message or dial a number. This integration of email, voice, text message, and web browser functionality increases the likelihood that users will fall victim to engineered malicious activity.
A botnet is a set of compromised computers, or bot clients, running malicious software that enables a “botherder” or “botmaster” to control these computers remotely. A botherder or botmaster can design a botnet to perform certain actions, such as information stealing or launching a denial of service, and issue commands to the bot clients from a command and control (C2) server. Since mobile networks are now well integrated with the Internet, botnets are beginning to migrate to mobile devices.
The user’s limited awareness and subsequent unsafe behavior may be the most threatening vulnerabilities for mobile devices. It is critical to understand that a mobile device is no longer just a phone and cannot be treated as such. Unlike the previous generation of mobile phones that were at worst susceptible to local Bluetooth hijacking, modern Internet-tethered mobile devices are susceptible to being probed, identified, and surreptitiously exploited by hackers from anywhere on the Internet. Many mitigation techniques for mobile devices are similar to those for PCs. US-CERT recommends the following best practices to help protect mobile devices:
- Maintain up-to-date software, including operating systems and applications;
- Install anti-virus software as it becomes available and maintain up-to-date signatures and engines;
- Enable the personal identification number (PIN) or password to access the mobile device, if available;
- Encrypt personal and sensitive data, when possible;
- Disable features not currently in use such as Bluetooth, infrared, or Wi-Fi;
- Set Bluetooth-enabled devices to non-discoverable to render them invisible to unauthenticated devices;
- Use caution when opening email and text message attachments and clicking links;
- Avoid opening files, clicking links, or calling numbers contained in unsolicited email or text messages;
- Avoid joining unknown Wi-Fi networks;
- Delete all information stored in a device prior to discarding it;
- Maintain situational awareness of threats affecting mobile devices; and
- Ensure that any exchange of information occurs between the intended parties.
Anti-virus software exists for some mobile devices, which is one component of a layered defense. However, it can only assist in protecting against known threats. Users need to understand the threats and proactively take steps to avoid them. A high degree of vigilance is necessary to successfully prevent and mitigate future threats to mobile devices.
US-CERT, Technical Information Paper TIP-10-105-01, Cyber Threats to Mobile Devices, https://www.us-cert.gov/sites/default/files/publications/TIP10-105-01.pdf
McAfee, Mobile Threat Report, Q1 2018