At the beginning of the year, Justin Somaini gave his cybersecurity colleagues a call to arms that cited the rising threat of mobile malware. “We're now free to work on any device, in any location, and with anyone around the world,” the chief trust officer for Box, the Los Altos, Calif.-based cloud computing giant, wrote in his mid-January blog post on the company's website. “The gains from these new technologies have been massive, from life sciences companies advancing drug research to manufacturers working with a global supply chain. But these benefits have come with a cost.”
Somaini, who held top IT security spots at Yahoo, Symantec and Verisign before coming to Box, sees the current and growing issue of malware on corporate mobile devices as a top concern for his fellow cybersecurity officers: “If we look back over the past 40 years in technology, we have seen this movie before,” he says. “We are starting to see [mobile] becoming a sizable foothold for malicious individuals with the huge upswing in mobile device usage in the past two years.”
Randy Abrams, research director, NSS Labs
Mobile malware has indeed become a grave concern for security pros. Last year, we saw multiple new attacks on both Android and iOS devices, namely WireLurker which attacked (supposedly more secure) non-jailbroken iOS devices. Mobile devices are ripe for attack for many reasons: They often hold user credentials for applications and websites. They're used for out-of-band authentication. They are almost constantly connected to the internet. And they have audio and video recording capabilities. For high-profile targets, these devices are a treasure-trove of information. And mobile platforms typically do not receive the same level of anti-virus or intrusion prevention monitoring as do desktop systems. An infected phone could go unnoticed for months – while monitoring the user and stealing their data.
As John “Rick” Walsh, mobile lead for cybersecurity for the U.S. Army, points out, “Mobile malware is easy to develop and the number of untrained developers are making it easy to exploit.”
Indeed, according to a recent research report from Alcatel and Lucent's Kindsight Security Labs, 15 million mobile devices are infected with malware (about six out of 10 of those devices run Android). The research found that more and more of these malicious applications are being used to spy on device owners, stealing their personal or business information and pirating their data minutes. Mobile infections increased by 17 percent in the first half of last year, raising the overall infection rate to 0.65 percent by late 2014. Between mid-December 2014 and mid-January 2015, network security firm Ixia uncovered more than 400 malware incidents among its own clients, most of those on Android devices, according to Dennis Cox, the firm's chief product officer. In the same one-month period, the company found only 27 new malware exploits on clients' traditional PCs, he says. “And I don't know a person who doesn't use their phone for work,” Cox adds.
Meanwhile, market research firm Lookout pointed out that while mobile malware is on the rise, we have yet to see how bad it could really get, especially with the introduction of chargeware and ransomware – aimed at bilking money from mobile users and potentially their employers. Mobile malware was spotted 75 percent more last year than in 2013, according to Lookout's research, with a global user base of 60 million mobile subscribers. Mobile-targeted ransomware, such as ScarePakage, ScareMeNot, ColdBrother and Koler, became much more popular in the U.S. last year and Lookout predicts increasingly sophisticated new threats to come this year.
Aside from the rising uptick of mobile devices for business and personal use, why do malware authors have mobile devices in their crosshairs?
“Mobile malware has been becoming more prevalent since 2013 and possibly even earlier,” says Neal Ziring, technical director for the information assurance directorate at the National Security Agency (NSA). The main reason it's becoming so prevalent is that the value is moving to mobile devices, he says. As more people are starting to use their smartphones and tablets for work – in many cases, using their own personal devices – hackers and information thieves are drawn to the enterprise email and access to other valuable information on or retrievable through these devices.
While Ziring says that malware on legacy desktop platforms has not gone away, mobile malware is particularly concerning because of the rapid growth of the threats and because the detection and counter-measures to combat malware on mobile are not as well-established as they are on more traditional platforms. “That's an area for the industry that is improving rapidly,” Ziring says, “but it still has a ways to go.”
Hot potato syndrome
When it comes to the mobile platform, there's also the hot potato syndrome. In other words, whose responsibility is it to manage a potential malware intrusion? Is it the network carrier, the handset maker, the operating system developer, the security vendor, the company allowing their employees to use BYOD? According to Adam Tyler, chief innovation officer for CSID, an Austin, Texas-based provider of global identity protection and fraud detection technologies, this is just one major reason why mobile malware is “going to become so prevalent and [we will have] a huge install base that will never be patched.”
“Android phones are being sold with operating systems that are analogous to Windows 98,” says Randy Abrams, research director for NSS Labs, an Austin, Texas-based information security research and advisory company. Brand new devices are sold with old, less secure versions of the operating system and neither manufacturers, nor carriers have any interest in providing more secure versions of the OS, he explains. “The number of new mobile devices with no upgrade path to current versions of the Android OS, or future version with better security features, is growing every day,” he says. “This is a critical problem that manufacturers and carriers have no interest in addressing. Consumers tend to trust applications on smartphones without question, which makes social engineering exceptionally easy.”
Even in an increasingly cybersecurity-conscious environment, it does not take much skill to trick a user into installing malware on their mobile device, says Abrams. Anti-malware vendors are at a significant disadvantage against malware as by design they are not allowed to run at root level and, unlike the malware writers, legitimate security vendors have to follow rules that preclude maximum effectiveness, he says. While some devices are shipped with one anti-malware product installed, this does not mean the installed product will be the correct choice for all users – and replacement at the root level is impossible without rooting the device.
Additionally, Tyler (left) points out, in emerging markets, where older mobile devices are more commonplace, exploits that may have been discovered or even stamped out in the U.S. and Europe are easily propagating and may remain in place for years to come. Mobile users in these areas have limited ways to protect themselves, Tyler says, adding that the information users once accessed by laptop is just a fraction of what is now used on smartphones today.
The threat is also on the rise as “people are starting to move money with mobile devices,” says Dave Frymier, vice president and chief information security officer at Unisys, a global information technology company based in Blue Bell, Penn. Apple Pay is the latest boost to this trend in the United States, he says, but mobile malware has been a growing problem in Europe for years now. “Mobile device hygiene issues – such as weak passwords, downloading apps from questionable places, clicking on the wrong things – are the key factors predicating these attacks,” Frymier explains. “This is pretty much the same list of security hygiene issues that applies to a regular PC.”
While for many CISOs, vendors and analysts, mobile malware is still relatively rare in comparison to other threats, “It's another avenue of attack, another source of cost for IT departments,” says Frymier. And he expects the risk to only rise. “As mobile devices spread and are used for financial transactions, the amount of exploits will increase.”
Indeed, the ease of monetizing attacks makes the return on investment very attractive for would-be mobile attackers, according to Abrams. Attacking smartphones enables attackers to circumvent some methods of two-factor authentication even when users are using their computers, he points out, and development tools for Android are free and the cost to make apps available for download is insignificant. “The ease of getting malware installed on Android phones, which is what almost all mobile malware is written for, sets a low bar for a successful attack,” Abrams says. “A lack of accountability for developers results in a low likelihood of criminal apprehension.”
Malware writing is a very lucrative endeavor, echoes Lysa Myers, security researcher at ESET, a global IT security company with U.S. headquarters in San Diego. “Criminals are able to get into phones or tablets by way of social engineering or vulnerabilities in software, especially as few people understand the importance of securing their mobile devices,” she says.
In fact, most industry observers agree that the overall situation is likely to get worse before it gets better, especially since mobile devices – even those used to access sensitive information – are not always routinely updated, according to Ziring.
Further, Somaini says that organizations may need to take a step back and look for new ways of dealing with this threat. While the controls around the device and the content have not changed from traditional platforms, there are definitely greater limitations on the operating system level. And conventional anti-virus approaches are not cutting the mustard in mobile.
“What we need is more vendors focused on the mobile space,” Somaini says. In particular, new solutions need to take into account that, increasingly, employees are using their mobile devices to access corporate assets that are not necessarily resident on the device, but in the cloud, through services like Salesforce.com and Box.
Predicting attacks is a new area organizations are just starting to investigate, according to Walsh, who, like other cybersecurity experts, is seeking to reduce if not eliminate malware's ability to attack information. In the case of government employees' devices, software is tested, verified and secured before it can be used. And his organization within the U.S. Army is working to establish mobile application development standards for developing and using secure applications.
“The most difficult way to predict malware is to think like the malware developers and build proactive controls and tools that allow the mobile device to have protection before it is attacked,” Walsh says. “This is, however, a change to current practice, which traditionally is a reactive posture where we wait to see what the malware does then we work to stop it.”
Deepak Rout, chief security officer for The Co-operators Group, a Canadian insurance company, admits that it is not easy to create data security architecture in the mobile world. The key, he says, lies in understanding the value of data being considered for mobility. He recommends classifying all data into multiple security classes and understanding which classes are involved in business processes enabled by mobile devices. As well, it is imperative to understand the consequences should data be exposed, and systematically develop layered controls for managing those identified risks. “So, it's essentially the age-old risk management, but at a data level,” Rout says. “And, of course, this is hard on three levels: IT risk management is little understood, hard to implement in practice and rarely goes to the level of data.”
Malware threat: Mitigation
In the face of heightened concern and a rising threat, how can organizations start to tame the potential for mobile malware attacks?
For Justin Somaini, chief trust officer, Box, the plan starts first with education. In order to support employees in protecting themselves and their access to mobile assets (both personal and corporate), security practitioners need a “near-world plan on driving education and culture change,” he says. Information technology and support desks should regularly communicate to employees information about security updates or emerging or recurring malware threats that target mobile. Also, he says, organizations need to consider fundamental security precautions, like making sure that the company maintains a network for guest mobile users or contractors that is completely separate from the corporate network. In addition, companies need to review both their mobile device management solution providers and mobile-oriented vendors that handle application-level products and services to determine whether they are well-positioned to combat potential malware threats.
Several vendors have embraced the mobile device fundamentals profile put forth by the NSA, according to Neal Ziring, technical director, information assurance directorate, National Security Agency. But, vendors and user organizations need to focus on the fact that mobile device security must extend beyond the end-point device. “The overall architecture matters too,” says Ziring. “Organizations should ask, ‘What is the potential exposure to my enterprise? How is my back end? Do I have adequate monitoring and am I protecting my most important data?' The awareness of the attack surface matters a lot more.”
While it is critical to investigate the controls on the device and application level, Deepak Rout, chief security officer for The Co-operators Group, says that fellow CISOs must first consider the risks. Figuring out an organization's mobile risk profile is “a huge gap in a world empowered by mobility,” Rout says. He maintains that foundational controls are no-brainers: Organizations should deploy authentication systems to access applications, services and data; vulnerability and patch management; monitoring and incident management; and device-level security, including password, encryption and wiping on reported losses, he says.
In the military, John R. “Rick” Walsh, mobile lead for cybersecurity, U.S. Army, says IT security efforts currently focus on both the users and the ultimate targets of malware players. “A piece of malware is written ultimately for one of two purposes: either to steal information or to deny the user from accessing information,” Walsh says. “So if we focus on the goal of the attack we can better defend against the attack.”
Organizations should install a management product and lock down any mobile devices they actually own, according to Dave Frymier, VP and CISO, Unisys. And, if an employee brings their own device and installs applications supplied by their organization, he says CISOs should consider “app wrapping” technology, which allows corporate apps to live in their own software sandbox separated from a user's personal environment on the device.
Some cybersecurity experts, such as Lysa Myers (left), a security researcher at ESET, believe that companies and agencies that allow users to access their network with mobile devices must use more than passwords to protect access. She recommends using multi-factor authentication, encrypting sensitive data in storage and in transit (especially if users are able to access network resources from public wireless network), and limiting users' access to network resources to the minimal level that allows them to do their job.
“Mobile malware will become a much more significant problem unless we drive solutions here,” says Somaini. – KEH