Louis Smith (left) and Mark Bilanski (right) of the New York State Cyber Command Center demonstrate a mobile attack at RiskSec NY 2018.

Mobile users who download untrustworthy apps on their phones often agree to dangerous permission requests that give attackers essentially unfettered access to their devices' data and functions -- as demonstrated yesterday by two New York State Cyber Command employees at SC Media's RiskSec NY 2018 conference.

Mark Bilanski, deputy director of the NYS Cyber Command Center's Cyber Incident Response Team, and Louis Smith, senior security analyst, co-presented the session, during which they "infected" Smith's demo phone with an Android mobile app created by Cyber Command to represent programs typically found in shady third-party stores.

"What we decided to do was write our own app with a few of those permissions and see how far we could take it," said Bilanski, who played the role of the adversary. As soon as Smith opened up the downloaded app, Bilanski received a visual indicator containing specific information about Smith's device. Just like that, Bilanski had control of Smith's phone.

Displaying what the victim sees on their phone on one screen and the attacker's point of view on a second screen, the presentation showed how Bilanski could remotely use Smith's phone to take surreptitious photos and videos, access and export photos and files, alter data, send texts and make calls, determine the user's geolocation, and more -- all because Smith accepted the app's permissions.

Moreover, Bilanski showed how he could even compromise a device's data integrity by secretly modifying accessed documents or contact lists. "What could be possibly worse than losing data?... Data you can't trust," stated Bilanski.

Smith said mobile devices represent low-hanging fruit for attackers "because these little computers are everywhere and they're making applications to accommodate everyone's needs. So this becomes a very interesting target for malicious actors."

Meanwhile, a panel of experts shared their perspectives on the demonstration and recommended certain policies companies can enact to ensure their employees use mobile devices responsibly on the job.

Christine Runnegar, senior director of internet trust at the Internet Society, said that the ability to take over a phone user's SMS messaging is especially concerning because SMS is often used for multi-factor authentication. "That's something really serious to worry about, 'cause now... criminals could have harvested your password somewhere else."

Tim Callahan, SVP and global CISO at Aflac, said that education is a big key to curbing mobile threats, especially in the financial sector, where attackers might send employees a fraudulent message impersonating the CFO, instructing them to transfer funds to a malicious wallet. "We've concentrated a lot on just training employees not to do anything that seems unnatural and to... recognize things that seem out of place and then not act on them."

Callahan said it takes "courage" to withhold taking action until one can verify a mobile message is genuine, because employees might feel like they're questioning an executive order or wasting time.

Fellow panelist Tony Sager, senior VP and chief evangelist at the Center for Internet Security (CIS), said that companies should have a policy in place for employees to use an independent, secondary communications channel to confirm that certain potentially fake messages are genuine.

"You can't train people to stop everything, but you can help them understand these are the trigger things you should be aware of -- phrases you hear, inconsistencies -- and have a policy to go out of band," said Sager. "If it doesn't look right, find a different path back to validate. And you have to train your executives often to not be ticked off when people call to question, 'Was it really you who told me to transfer that money?'"

Callahan also said that his company restricts employees from using their own mobile devices, and also has a Mobile Device Management (MDM) solution on its corporate-issued devices to prevent workers from engaging in certain risky behaviors.