Quarterly Mobile Security Threat Analysis Now Out From Proofpoint

Proofpoint just released their quarterly threat summary, which included some insight on mobile security threats I thought might be of interest to your readers. Key takeaways include: 

  • Mobile exploit kits and zero-day attacks targeted iOS and Android. Most mobile devices today have 10-20 exploitable zero-days. Roughly 30% of those are serious and could allow attackers to run malicious code on infected devices. 
  • Pokémon GO-related malware spawned malicious counterfeits. Malware in the form of malicious side-loaded clone apps, dangerous add-ons, and other risky apps grew out of the game’s popularity. Users can download apps from anywhere, and even the major app stores offer only limited screening of apps and updates.

[Figure: Mobile Vulnerabilities]

Mobile app threats: Not playing games

Pokémon GO is one high-profile example of an app whose popularity has created an ecosystem of mobile threats. Games are a major target, as are apps related to major events. Some apps are overtly malicious, and others create business risks by requiring excessive permissions or handling data poorly. Whether downloaded by employees or their family members, malicious and other risky apps are following users into the workplace.

Key stat: Nearly 5% of mobile devices on corporate networks are running Pokémon GO.

Analysis: Released in July, Pokémon GO was an immediate international sensation. Because of its staggered global release, pent-up demand led users who could not access it through legitimate app stores to sideload the app through third parties and direct downloads. Within three days of Pokémon GO’s release in Australia and New Zealand, we identified a cloned version of the Android app in a malware repository. The counterfeit copy included DroidJack, a remote access Trojan capable of taking over the device, and modified app permissions indicated in Figure 7. Though not observed in the wild, this version of Pokémon GO showed just how easily attackers could modify a popular app and distribute a malicious version to users.

A recent survey showed that Pokémon GO is installed on nearly 5% of mobile devices accessing corporate networks. Like many popular games, Pokémon GO has spawned numerous game guides, cheats, and add-ons. Many of them are risky or malicious, potentially exposing networked resources to attackers. We have identified at least three malicious versions of Pokémon GO this quarter along with numerous malicious companion apps. Even among legitimate installations, 4% of devices accessing corporate networks were an early version of the game that granted excessive permissions.
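The counterfeit and early builds described above differ from the genuine app mainly in the permissions they request. One way a defender can surface that drift is to diff the decoded manifest of a suspect build (for example a sideloaded APK decoded with apktool) against the manifest of the known-good release and flag any newly requested high-risk permissions. The script below is an added example, not Proofpoint's tooling; the two manifests, the package name `com.example.game` and the `HIGH_RISK` set are constructed for illustration.

```python
"""Flag permission drift between a known-good Android manifest and a suspect
build (for example a sideloaded clone). Example code; manifests are constructed."""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that reach into messaging, audio, contacts, call handling or
# persistence. An unexpected addition of any of these deserves a closer look.
# Constructed watch-list: tune it to your own app-vetting policy.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Constructed manifest of the legitimate release (hypothetical package name).
BASELINE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game" android:versionCode="101">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

# Constructed manifest of a suspect sideloaded build with the same package name.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game" android:versionCode="101">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""


def parse_manifest(xml_text):
    """Return package id, versionCode and the set of requested permissions."""
    root = ET.fromstring(xml_text)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms.discard(None)  # ignore malformed <uses-permission> without a name
    return {
        "package": root.get("package"),
        "version_code": root.get(ANDROID_NS + "versionCode"),
        "permissions": perms,
    }


def compare(baseline_xml, suspect_xml):
    """Diff the suspect's permissions against the baseline and score the result."""
    base = parse_manifest(baseline_xml)
    sus = parse_manifest(suspect_xml)
    added = sus["permissions"] - base["permissions"]
    removed = base["permissions"] - sus["permissions"]
    risky = added & HIGH_RISK
    return {
        "same_package": base["package"] == sus["package"],
        "same_version_code": base["version_code"] == sus["version_code"],
        "added": sorted(added),
        "removed": sorted(removed),
        "high_risk_added": sorted(risky),
        # A build claiming the same package and version but asking for more
        # high-risk permissions is exactly what a trojanised clone looks like.
        "verdict": "SUSPICIOUS" if risky else "OK",
    }


if __name__ == "__main__":
    for k, v in compare(BASELINE_MANIFEST, SUSPECT_MANIFEST).items():
        print(f"{k}: {v}")
```

Note that a clone typically keeps the original package name and version code, so identity fields alone do not distinguish it; the permission delta does. In a real pipeline the baseline manifest would come from the store-distributed APK, and a mismatch in the APK signing certificate would be checked alongside the manifest diff.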

The Olympic Games in Rio also provided further examples of ways in which threat actors co-opted popular phenomena for malicious purposes. We identified over 4,000 Android apps and over 500 iOS apps related to the Olympics that exhibited risky or malicious behaviors. 

Mobile threats continue with Pegasus and other zero-day tools

Most mobile devices have multiple serious, unpatched vulnerabilities that could expose them to a slew of malware and attack vectors. This includes both Android and iOS devices. As mobile devices become the primary means of daily work and regular communication, these vulnerabilities can have serious consequences. That’s why organizations need dynamic, intelligent protection and management.

Key stat: The average mobile device has between 10 and 20 exploitable zero-day vulnerabilities.

Analysis: In August, we found that the so-called “Pegasus mobile device attack kit” was available in both the criminal underground and the research community. This kit can be used to attack any device that is running any iOS version between iOS 7 and iOS 9.3.5. Although the malware originally surfaced as a result of a high-profile attack on a political dissident in the United Arab Emirates, it can be used against any person or enterprise with a vulnerable device.

Like many other types of both mobile and desktop malware, Pegasus can be delivered through a URL with a convincing lure. Because it targets mobile devices, the link can be distributed via SMS, email, social media, malicious search results or even other apps. When installed, Pegasus exploits a vulnerability in many versions of iOS. It silently roots the phone and gains unencrypted access to a variety of apps and communication on the phone.

Apple’s rapid response with an update to iOS and the significant public attention the issue received helped mitigate the immediate risk. But Pegasus was only the best known of such malware: the average mobile device has 10 to 20 exploitable zero-day vulnerabilities that can be targeted by mobile malware. Roughly a third of these are serious flaws that enable attackers to run malicious code.
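The practical follow-up to a disclosure like Pegasus is a fleet check: which managed devices are still on an affected iOS build? The script below is an added example, not part of the Proofpoint report, that triages a constructed MDM inventory export. The post gives the affected range as iOS 7 through 9.3.5; the example treats 9.3.5 as the first patched build (an assumption to confirm against Apple's advisory) and flags iOS devices from 7.0 up to but not including it. Versions are compared as integer tuples rather than strings so that, for instance, a hypothetical 9.10 is not misread as older than 9.3.5.

```python
"""Triage an MDM inventory for devices still on an iOS build in an affected
range. Example code; the inventory rows and the version thresholds are
constructed for illustration."""

AFFECTED_MIN = (7, 0, 0)   # first affected major release named in the post
PATCHED = (9, 3, 5)        # assumed first fixed build; adjust to the vendor advisory

# Constructed inventory export: device id, platform, reported OS version.
INVENTORY = [
    {"id": "ios-001", "platform": "iOS", "os_version": "9.3.4"},
    {"id": "ios-002", "platform": "iOS", "os_version": "9.3.5"},
    {"id": "ios-003", "platform": "iOS", "os_version": "10.0"},
    {"id": "ios-004", "platform": "iOS", "os_version": "9.3"},
    {"id": "ios-005", "platform": "iOS", "os_version": "6.1.6"},
    {"id": "ios-006", "platform": "iOS", "os_version": "9.3.5 beta"},
    {"id": "and-001", "platform": "Android", "os_version": "6.0.1"},
]


def parse_version(text):
    """Turn '9.3' or '9.3.4' into a 3-tuple of ints; raise on anything else.

    Comparing tuples avoids the classic string-comparison bug where
    '9.10' sorts before '9.3.5'.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable version: {text!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_exposed(version):
    """True if the version lies in [AFFECTED_MIN, PATCHED)."""
    return AFFECTED_MIN <= version < PATCHED


def triage(inventory):
    """Split iOS devices into exposed and unparseable; other platforms are skipped."""
    exposed, unknown = [], []
    for dev in inventory:
        if dev["platform"] != "iOS":
            continue
        try:
            version = parse_version(dev["os_version"])
        except ValueError:
            # A version string the MDM could not normalise still needs a human
            # look; do not silently treat it as patched.
            unknown.append(dev["id"])
            continue
        if is_exposed(version):
            exposed.append(dev["id"])
    return {"exposed": exposed, "unknown": unknown}


if __name__ == "__main__":
    result = triage(INVENTORY)
    print("exposed:", ", ".join(result["exposed"]) or "none")
    print("unknown:", ", ".join(result["unknown"]) or "none")
```

Devices in the `exposed` list are candidates for a forced update or network quarantine; those in `unknown` need their version re-read before they are counted as compliant.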
