Mobile Malware: A New Look at Old Threats
Mobile smart devices have fundamentally changed how we work, live and play, yet the deceptions used by cyber criminals to install malware or applications with unwanted behaviour are the same ones that have been used for years against PC workstations. For criminals it seems to hold true that if it isn't broken, don't fix it.
Despite the exponential rise in the number of mobile smart devices in use, mobile threats are still defined by the types of socially engineered attacks that trick the consumer into accepting what the cyber criminal is selling. According to a report by Blue Coat Systems, we have yet to see the types of malware that fundamentally break the security model of the phone (leaving aside the NSA).
The most prolific mobile threats are spam, poisoned links on social networking sites and rogue apps. The social engineering nature of these threats means that user behaviour is key both in identifying where attacks might occur (social networking sites, for example) and in understanding how attacks may evolve.
Likewise, the various mobile malware Trojans which are capable of data theft are able to operate over either the mobile phone network or any connected Wi-Fi network. When these Trojan applications transmit their information over mobile phone networks, they present a large security gap that is difficult to overcome in a corporate environment, because that traffic never passes through the corporate network controls. The rise of BYOD has widened the security gap considerably.
User Behaviour is Driving Mobile Threats
Understanding how users behave on their mobile device has become critical for understanding where they might be at risk.
When we look at consumer behaviour on PCs versus behaviour on mobile devices, a few key distinctions quickly become clear. First and foremost, social networking continues to decrease as an activity that consumers engage in on their desktop or laptop computers. Instead, that activity has shifted to mobile devices.
Application Overshare: Potentially Unwanted Applications and the Threat to Privacy
The malware threats targeting mobile devices are still pretty basic and largely confined to potentially unwanted applications and premium SMS scams. Potentially unwanted applications, or PUAs, are simply apps, usually disguised as something interesting like the hottest mobile game, that engage in tracking user behaviour or otherwise sharing personal information.
Among the types of data that are tracked are User-Agent strings, which identify the mobile operating system, its version, the type and version of the installed browser, and (depending on the app) additional information about the mobile app the user is running. In addition, HTTP traffic generated by the mobile device's browser or by mobile advertising services may reveal the mobile device user's habits, interests, or searches.
Many apps also include embedded analytic tools used to identify bugs or simply report on app usage. These tools can disclose the mobile device's telephone number, the SIM card's unique IMEI code, and may reveal the relationships between the device's owner and frequent contacts in the address book.
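As an added example (not from the original post), the following Python script shows what a corporate web proxy log from mobile devices gives away along the lines described above: it reads a few constructed proxy log lines, extracts the operating system and version from the User-Agent string, and flags requests whose query string carries a device or subscriber identifier such as an IMEI or phone number. The log format, host names, identifier values and the list of identifier parameter names are all assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (illustrative, not real traffic): METHOD URL "User-Agent"
SAMPLE_LOG = [
    'GET http://collect.example-adnet.test/hit?imei=490154203237518&app=HotGame '
    '"Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) AppleWebKit/534.30 '
    '(KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"',
    'GET https://news.example.test/ '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 '
    '(KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"',
    'POST http://stats.example-sdk.test/event?score=9001&phone=%2B447700900123 '
    '"HotGame/2.1 (Linux; Android 4.4; Nexus 5)"',
]

LINE_RE = re.compile(r'^(\w+) (\S+) "([^"]*)"$')
OS_RES = [
    (re.compile(r'Android (\d+(?:\.\d+)*)'), 'Android'),
    (re.compile(r'iPhone OS (\d+(?:_\d+)*)'), 'iOS'),
]
# Query-string keys that typically carry device or subscriber identifiers (assumed list)
ID_KEYS = {'imei', 'imsi', 'msisdn', 'phone', 'android_id', 'udid'}

def parse_ua(ua):
    """Return (os_name, version) that the User-Agent reveals, or ('unknown', '')."""
    for rx, name in OS_RES:
        m = rx.search(ua)
        if m:
            return name, m.group(1).replace('_', '.')
    return 'unknown', ''

def leaked_identifiers(url):
    """Return sorted query parameter names that look like identifiers (by key or 15-digit value)."""
    params = parse_qs(urlsplit(url).query)
    found = [k for k, vals in params.items()
             if k.lower() in ID_KEYS or any(re.fullmatch(r'\d{15}', v) for v in vals)]
    return sorted(found)

def analyse(lines):
    """Map each well-formed log line to what it discloses: host, OS, version, leaked identifiers."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _method, url, ua = m.groups()
        os_name, version = parse_ua(ua)
        out.append({'host': urlsplit(url).hostname, 'os': os_name,
                    'version': version, 'leaks': leaked_identifiers(url)})
    return out

if __name__ == '__main__':
    for record in analyse(SAMPLE_LOG):
        print(record)
```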
Analytic tools embedded in apps are also capable, depending on how the developer has configured them, of revealing virtually all aspects of the user's behaviour within the app, from keystrokes to "shared" high scores with friends over social media or on on-line leader-boards.
The majority of this activity is not transparent to the user and potentially exposes their data to interception. The lack of clear requirements for developers to explicitly identify what data their apps access, log, store and share makes it difficult for users to make risk-based decisions about how they use their device.
Android remains a prime target for malicious attacks. 98.05% of all malware detected in 2013 targeted this platform, confirming both the popularity of this mobile OS and the vulnerability of its architecture.
Figure: Malware by OS (data according to Kaspersky Labs)
BYOD and COPE
It is clear from the Blue Coat Systems malware report that corporations have a duty to address these security gaps. It is also clear that to make a BYOD system compliant with the basics of data security, a user's device should have only certified and tested apps installed, and the corporation should also have control of the device OS version as well as control over what websites are visited. A means of wiping a lost device is also required. It is to be expected that if these steps are taken, the attraction of BYOD diminishes considerably.
There has been talk of COPE (corporate owned, personally enabled) as a better alternative to BYOD. In COPE systems the corporation buys the device and "loans" it to the employee, who uses it for business as well as social activity. In theory this is fine, but the problem of security is still not addressed unless the devices are locked down so tightly that they become ineffective as a social device.
The other issue, of course, is the problem of built-in obsolescence in consumer goods. Even if the BYOD or COPE devices are still functioning effectively in the corporate world, they may be seen as anachronistic after they are just a year old. There are thousands of corporations still issuing 4-year-old BlackBerrys as company devices because they are still serviceable and do exactly what they were designed to do. In some western corporations these devices are considered outdated and a source of jocularity, even though they are far more secure than the latest consumer devices.
It seems clear that the commoditisation of smart devices has opened a vast new horizon for criminal activity, and the risk this poses to corporate data security needs to be properly risk-assessed and appropriately addressed. If this means a retreat from BYOD/COPE back to the mundane, corporately locked-down smart device, then that is the price that corporate users must pay for security.
The hard facts of mobile security
Mobile phone users are 3 times more likely to become victims of phishing attacks than desktop/laptop users.
15% of users store sensitive financial data on a smartphone
40% of smartphone users enter passwords for websites or financial apps on their smartphone once a day
35% of US adults have had a mobile device lost or stolen
66% of users do not have any mobile security applications to help them protect their data if someone has access to their device.
69% of users do not back up their device
64% of users do not use a device password
73% of users say they are aware of the security risks of public Wi-Fi but will connect anyway
In 2012 42% of smartphones were used for banking, increasing to 48% in 2012
1 in 5 times a user is directed to mobile malware, it is through web advertisements
Figure: The number of mobile banking Trojans in the Kaspersky Labs collection
Sources