28 October 2016

Portable security: The mobile threat

Some apps can access your address book and your phone

According to the Forrester 2016 Mobile and App Marketing Trends report, people experience an average of 150-200 micro-moments a day — moments where they turn to their mobile device to access apps or make transactions. Forrester also estimated that around 226 billion apps were downloaded in 2015 alone, and Comscore’s 2015 Mobile App Report showed that apps take up around 87% of the time spent on a mobile device. Now take these statistics, along with the fact that 140 billion apps were downloaded from just the Apple store as of September 2016, and add them to the fact that cybercriminals target many of them, and suddenly the picture isn’t that pretty.

The NowSecure Mobile Security Report found that 24.7% of mobile apps have at least one high-risk security flaw, and that 35% of communications sent via mobile device are not encrypted. The average business app is also more likely to leak log-in credentials, while games will include a vulnerability more often than the average app. The 2015 McAfee Mobile Threat Report pointed out that large numbers of infected apps were making it past the screening processes and appearing in trusted app stores. In 2016, the report covered the fact that hundreds of apps have been pulled from both Google Play and the Apple App Store due to security issues. Aggressive adware, malware infections and data capture software continue to plague the mobile landscape.

Gerhard Oosthuizen, chief information officer, Entersekt, says: “More often than not, mobile apps are not developed to the same security standards as websites. App development is often done quickly as companies rush to get the app to market. However, people still have a perception that mobile is safer and the average mobile user will connect to whatever network is available to access cheap data. Unfortunately, unprotected public networks can expose them to any number of attacks, especially man-in-the-middle attacks where criminals secretly intercept, and tamper with, digital communications.”

Alongside the man-in-the-middle attacks there are several threats to mobile users and their data. One of the most devastating of 2016 was the hostile enterprise-signed mobile app WireLurker which attacks Apple’s desktop and mobile platforms, allowing it to download apps onto the device without permission or the user’s knowledge. Found in more than 467 applications, WireLurker was downloaded nearly 400 000 times. It is also the first malware which has been known to infect iOS applications in the same way as a traditional virus. As eye-opening moments go, this one was a doozy.

So was Stagefright — the name given to a bunch of vulnerabilities discovered in the Android operating system (OS) which allowed attackers to remotely execute code on a mobile device through the transmission of an MMS message. Instead of luring the user into clicking on a malicious link or downloading an infected app, the cybercriminal need only know the phone number to launch their attack. Even more scary was that they could wipe out all traces of having ever been there. The user would never know that their device had been hacked or was being used for nefarious purposes.

The onus is on the user

“It is important that users know what types of files can contain code, scripts or other potentially dangerous things,” says Damien Michael, chief executive, Innovo Networks. “In mobile specifically, software systems are out of date, security patches for third parties are not always developed and released on time, and mobile devices don’t have firewalls to limit internet connections. A hacker can access an unsecured communications port and obtain sensitive information from the device in minutes.”

It is this vulnerability which played no small role in the impact of Stagefright and Stagefright 2, a set of vulnerabilities found in Android which were activated by using mp3 and mp4 files. According to McAfee, the number of devices running Android 1.5 to 5.1, which are susceptible to this attack, sits at nearly one billion. The security giant recommends that users turn off their MMS auto retrieval, update their devices regularly and never open messages from strangers, just as a starting point.

“The biggest risk is the person using the device,” says Rianette Leibowitz, founder of SaveTNet. “Most people are not cyber savvy and click on links before they investigate the source. Ransomware has become a big threat, and many people have been caught off guard. Users hardly ever read the terms and conditions which come with apps to see what level of access and types of permission they are giving to the app. For instance, some apps can access your address book or your camera on your phone; others can post on your behalf to social media.”

The time to trust blindly in the wondrous power of the mobile operating system has passed. Cyber criminals are taking advantage of the fact that people are not as informed about the various scams and loopholes as they should be. It’s understandable. As Leibowitz points out, nobody really reads the terms and conditions that come with an app — they run for pages and pages and are less interesting than watching paint dry. However, even if it means downloading half the apps today as yesterday, read the fine print.

It’s also a good idea to avoid using open Wi-Fi networks, especially if the mobile device doesn’t have security software installed. Never carry out sensitive transactions such as accessing online banking, sharing card details through online shopping or entering personal information while using an open network. If someone is watching, they just hit the mother lode.

“If you do choose to use a free Wi-Fi network, for instance at a conference, and you use a password to gain access, then consider the information they request from you,” says Leibowitz. “Are you comfortable with giving that provider your mobile number, name, company details and, indirectly, your IP address and MAC address?”

Considering how much damage a hacker can do with just a simple detail like a phone number, users must become far more careful with who they hand these out to, and why. Consumers should also enable user authentication, install anti-malware capability and a firewall, ensure they have the latest security updates and implement two-factor authentication. Regardless of platform — and these each have their own inherent risks — every mobile device should have some form of antivirus installed. Some of the most highly recommended include Bitdefender Mobile Security for Android, LastPass Authenticator for both Android and iOS, and ESET Mobile Device Management for iOS.

The risk factors: OS wars

There is always the debate around which mobile platform is the most, or least, secure. Many tout Android as the most vulnerable as apps on Google Play didn’t undergo a hefty approval process in the past and there was the risk that an app would be dripping with malware and vulnerabilities. However, Google has been manually reviewing apps since 2015 and putting far more stringent controls in place. Android may be a more open system which has more people playing in the development sandbox — Android devices currently command 81% of the market share — but as Oosthuizen succinctly puts it: “No mobile operating system is invulnerable. The latest software update release of an OS is the most secure — the ones with the biggest flaws are the older versions. It is as simple as that.”

Each operating system has its own set of pros and cons. For Apple, the system is proprietary, the apps are vetted before publication on the store and the fee to put an app on the store is quite high. This means that iOS is often perceived as this wonderfully secure walled garden where users can frolic with apps to their heart’s content. Unfortunately, this is now being used against the operating system as hackers find new ways to climb inside iOS, as evidenced by WireLurker, Trident and XCodeGhost.

“Apple might have an edge on Google with regard to the threat landscape,” says Eugene Engelhardt, chief executive, Traderoot. “The Android install base far outstrips the iOS install base and attackers will always go where they have the biggest chance of success.”

Android has had its fair share of issues with security, not least of which is Stagefright, and this is made more complex thanks to the openness of the platform and the varied number of organisations which use it. However, the same organisations are also taking control over their own security, as evidenced by Samsung’s KNOX, among others. Then let’s not forget BlackBerry, Ubuntu and Windows — these operating systems may only have a fraction of market share, but they are as vulnerable to attack as anyone else. The theory that the hackers won’t pay attention to so small a part of the market is fundamentally flawed.

“Apps that request access to data and convince users to grant it are prevalent on all the major platforms. And malicious websites are accessible to all devices, regardless of OS,” adds Iain Wadds, regional sales manager, Tarsus Technology Group. “While the technology itself has flaws, the vast majority of providers have solutions to basic security issues. However, the biggest flaws are not with the technology but with the way users use it and their lack of understanding of the risks.”

So how does someone find out if they’ve been hacked? The scary answer is that often they don’t. Perhaps social media will show posts which are not theirs, or the bank calls about anomalous payments. A spike in data usage or the operating system slowing down significantly can also indicate that there is a problem. If your browser is redirected to other sites or pop-ups appear, then pay attention. However, it is very likely that you won’t know you’ve been hacked until it is way too late.