When Malware Goes Mobile

Causes, consequences, and cures

We used to think of malicious software—or malware as it’s more commonly known—as a threat to laptops and desktop computers. But as we move more and more into a mobile environment, cybercriminals are targeting smartphones and mobile devices to a far greater extent.

Apple and Google have taken preventive measures against malware in iOS and Android devices, but malware is nevertheless still having an impact on these devices.

Let’s take a look at what you can do to better protect your mobile devices to keep your data safe.

The smartphone as emerging threat vector

Mobile devices are rapidly overtaking home devices in the number of users. Research estimates more than six billion smartphone users by 2020. These devices are replacing personal computers at home and in the workplace for everything from web surfing to ecommerce transactions to online banking. Securing these devices should be a top priority both in business and personal use.

The threat vector has increased exponentially as mobile devices are used more and more to make payments. Digital wallets and other technology allowing businesses to accept mobile payments have acted as a magnet for cybercriminals.

The business of cybercrime

Cybercrime today is very much about the money. What was once a group of hackers pinging websites in search of vulnerabilities to exploit has become an organized international enterprise.

This isn’t a grimy world of solitary hackers engaging in political hacktivism or denial-of-service attacks. Roger Grimes wrote back in 2012 in a piece for InfoWorld that cybercrime syndicates have full-time employees, HR departments, and project management teams—just like you.

Central to these organizations is creating and implementing malware that can bypass security measures, attack specific customers, and achieve specific outcomes, like making money. And these “malware mercenaries” are targeting mobile devices more than ever.

Let’s take a look at the two ways these cybercriminals are making money from unsuspecting mobile device users: banking malware and premium-rate SMS fraud.

Banking malware

Banking malware continues to be a growing challenge for IT security. In the first half of 2016, we saw the GozNym malware take $4 million in just days from 24 U.S. and Canadian banks by targeting customer accounts.

GozNym actually combined code from two different, existing malware families, Nymaim and Gozi, both of which have been around for years. Merging the two into this new “hybrid” malware doubled the threat.

Banking malware is big business. Fraudsters have built a highly specialized industry around capturing the authentication information used to access online financial institutions. Malicious mobile software attacks users who visit a website set up by malware writers, their sponsors, or their partners.

From phishing schemes to Trojans to malware that monitors text messages, hackers are finding new and improved ways to hound financial institutions for profit.

But this isn’t the only way hackers are finding ways to exploit users to make money.

Premium-rate SMS fraud

Premium-rate SMS fraud isn’t new, but it remains pervasive. Rather than asking you for your credit card or attempting to withdraw money directly from your bank account, the fraudsters trick users into responding to a text message, which enables a module that starts sending SMS messages to premium-rate numbers at the user’s expense. Frequently these services appear as gambling, music, or other seemingly benign offerings.

For more information on premium-rate SMS fraud, download the whitepaper Exposing the Money Behind the Malware.

Why iOS is safer than Android (for now)

We’ve long expected Apple’s iOS to become a bigger target for hackers. Android certainly remains the bigger target: its larger user base and its more open and adaptable platform continue to make it more vulnerable to cyberattacks.

Apple’s walled garden App Store—where applications are fully vetted before being made available to customers—has prevented widespread malware infection of iOS users. As a centralized point of distribution, the App Store provides users with confidence that the apps they download have been tested and validated by Apple.

Evidence of malware showing up in the App Store is anecdotal at best, as Apple does not typically volunteer such information. However, it’s safe to assume that since Apple does not make APIs available to developers, the iOS operating system has fewer vulnerabilities.

However, iOS isn’t 100% invulnerable. Recent examples, such as the iOS-based malware XcodeGhost, have proven that iOS is vulnerable to malicious attacks as well.

Like Apple, Google provides a centralized market for mobile applications, called Google Play. However, that is offset by Android’s ability to install apps from third-party sources. Some are well known and reputable, such as Amazon. Others are not, and originate from malware hotspots in Russia and China. Criminal developers deconstruct and decompile popular apps like Angry Birds, then publish malicious versions and make them available for free.

The number of threats―especially on the Android platform―continues to increase. Since 2010, SophosLabs has observed more than 1.5 million samples of Android malware.

You can find an infographic on the history of mobile threats on the Sophos Blog.

10 tips to prevent mobile malware

Now that we’ve identified the causes and challenges associated with mobile malware, how do you prevent it? By taking back control of your mobile devices and their applications.

Here are 10 tips for securing your mobile users and preventing mobile malware infections.

1. Inform users about mobile risks
Users often don’t realize a mobile device is a computer and should be protected like one. Always consider the source of an app or game. If an app asks for more than what it needs to do its job, don’t install it.

2. Consider the security of over-the-air networks used to access company data
Over-the-air (i.e., Wi-Fi) networks are generally insecure. For example, if a user accesses corporate data over a free Wi-Fi connection at an airport, the data may be exposed to malicious users sniffing the wireless traffic on the same access point. Companies must develop acceptable-use policies, provide VPN technology, and require that users connect through these secure tunnels.

3. Establish and enforce bring-your-own-device (BYOD) policies
BYOD should be a win-win for users and companies, but it can result in additional risk—and it’s becoming more and more common in business. Ask yourself: How do I control a user-owned and managed device that requires access to my corporate network? Educated employees are often the best defense against the theft of sensitive data. If they use their own mobile devices they must follow policies that keep the business compliant with regulatory requirements.

4. Prevent jailbreaking
Jailbreaking is the process of removing the security limitations imposed by the operating system vendor. To “jailbreak” or to “root” means to gain full access to the operating system and features. This also means breaking the security model and allowing all apps, including malicious ones, to access the data owned by other applications. In brief, you never want to have root-enabled devices in your company.

5. Keep device operating systems up to date
This sounds easier than it actually is. In the Android ecosystem, updates can be blocked a number of ways: by Google (which updates the operating system); by the handset manufacturer (which may decide to release updates only for the latest models); or by the mobile provider (which may not increase bandwidth on their network to support updates). Without the ability to update your Android OS, your device is vulnerable to potential exploits. Research mobile providers and handset manufacturers to know which ones apply updates and which don’t.

6. Encrypt your devices
The risk of losing a device is still higher than the risk of malware infection. Protecting your devices by fully encrypting the device makes it incredibly difficult for someone to break in and steal the data. Setting a strong password for the device, as well as for the SIM card, is a must.

7. Mobile security policies should fit into the overall security framework
IT needs to strike a balance between user freedom and the manageability of the IT environment. If a device does not comply with security policies, it should not be allowed to connect to the corporate network and access corporate data. IT departments need to communicate which devices are allowed. And you should enforce your security policy by using mobile device management tools.

8. Install apps from trusted sources; consider building an enterprise app store
You should only permit the installation of apps from trusted sources, such as Google Play and the Apple App Store. However, companies should also consider building enterprise application stores to distribute corporate custom apps and sanctioned consumer apps. Your chosen security vendor can help set up an app store and advise which applications are safe.

9. Provide cloud-sharing alternatives
Mobile users want to store data they can access from any device, and they may use services without the approval of IT. Businesses should consider building a secure cloud-based storage service to accommodate users in a secure way.

10. Encourage users to install anti-malware on their devices
Although malware exists for iOS and BlackBerry, those operating system interfaces don’t support anti-malware. However, the risk of infection is highest for Android, where security software is already available. Make sure all your Android devices are protected by anti-malware software.



Data protection for SMEs: From cost-center to business enabler

Even though they are now more cognizant of their vulnerability, many small and medium enterprises (SMEs) still find themselves hesitant to invest, worrying about the cost in time and resources.

By Sumit Bansal
Senior Director, ASEAN and Korea, Sophos

Data privacy and protection concerns have recently been making headlines, reminding us to be even more vigilant than ever in protecting data, whether it is of our organizations, our customers, or even our own.

However, even though they are now more cognizant of their vulnerability, many small and medium enterprises (SMEs) still find themselves hesitant to invest, worrying about the cost in time and resources.

“When it comes to IT security, SMEs are in a tight spot. Potential attacks on SMEs are on the rise, as they do not have the wherewithal to pro-actively combat the unknown,” said Sumit Bansal, senior director for ASEAN and Korea at Sophos. “Whenever a data breach or a cyber-attack happens, there is often a lot of legwork being put into examining the root cause of data breaches. For SMEs, they simply do not have the time, budget, or expertise to threat hunt, nor do they always understand why they need to do it. Even if SMEs see the value, their budgets do not come close to having a dedicated in-house team.”

The good news is that SMEs now have more options that will bolster their ability to defend themselves from the evolving threat landscape. They no longer have to think of data protection and cybersecurity as massive cost centers they begrudgingly invest in for the sake of legal compliance; instead, they can see them as business enablers that ensure smooth and optimal operations, facilitate organizational savings, and guard profit centers. They can start with a set of easy-to-implement protocols and IT solutions – what is important is getting every member of their organization to embrace cybersecurity as an integral part of their day-to-day work life. Sophos, a global leader in network and endpoint security, has listed some of these practices.

1. Upgrade your endpoint protection

With more SMEs using laptops and mobile devices that connect from anywhere, and most attacks carried out over “legitimate” HTTP and email communications that can often pass happily through gateway protections, better defenses on the computers themselves are needed now more than ever. Traditional antivirus-based endpoint protection products just aren’t keeping up, with hackers and ransomware in particular very visibly getting past them. They do this by exploiting legitimate software instead of just using “malware”, by combining multiple techniques, and by either avoiding executable code altogether or, where it is used, changing it frequently and automatically so that it slips past reactive signature-style approaches.

There are many new “next generation” endpoint protection products now available that can provide more comprehensive protection against exploits and ransomware, as well as helping detect and remediate compromises when they do happen.

2. Improve login hygiene and practices

It’s important for SMEs to come up with a cybersecurity basics checklist that they get every member of their organization to observe. They also need to ensure that guests requesting remote access to their networks also abide by these procedures. It is not enough to trust the person; one also needs to trust their computer, because a PC with malware on it that connects to an office network is essentially letting cybercriminals in with it.

It is also worth considering requiring employees to use two-factor authentication (2FA) on devices used for work. While it costs a little more and is slightly less convenient, it helps to prevent egregious attacks where a criminal steals (or guesses, or buys) a user’s password today and then uses it at leisure to raid whole networks.

3. Use encryption

Just as you wouldn’t leave your home or car without locking the doors on your way out, you should also think of encrypting important or sensitive files as a matter of practice. Encryption gives you a valuable extra layer of protection against hackers, eavesdroppers, intellectual property thieves, and other cybercriminals. Regardless of geography, size, or industry sector, organizations can find themselves targeted by cybercriminals. These practices will help organizations ensure they won’t be easy targets and are able to defend themselves from cybersecurity nightmares that result in expensive problems and massive reputational damage that they may never recover from.