I wrote last May about the danger posed by " the rise of Zombie Apps on the mobile landscape." This involves programs removed from an app store (aka "dead apps") which may still remain on mobile devices and could constitute a threat if vulnerabilities are found and exploited. In my article I referenced Appthority's Enterprise Mobile Threat report for Q1 of 2015 which indicated that "close to 80 percent of mobile apps exhibit hidden behaviors that put sensitive corporate data at risk."
Appthority has released a new mobile threat report for Q2 of 2015 and the findings aren't surprising based on recent trends. The report states that "malware and vulnerabilities impacting mobile devices increased over the last quarter" and "the risk from dead apps continues to be a serious threat to the enterprise."
It's neither a secret nor a surprise that malicious hackers are behind many of these threats. But there are larger forces at stake, as reported by Network World last month: "There is clear evidence that governments around the world are actively targeting both iOS and Android devices." Both Network World and Appthority point out the ominous development that iOS systems can be targeted whether or not they have been jailbroken (previously the threats seemed to loom larger for jailbroken devices which were deemed "off the reservation" although to be fair not all vulnerabilities apply exclusively to jailbroken devices).
Where a mobile device is used can often determine the risk level associated with it. Wireless Week reported last month that "Times Square in New York City is the riskiest place for tourists using a mobile device," and Notre Dame Cathedral/Disneyland in Paris, Golden Gate Park in San Francisco, Ocean Park in Hong Kong and the Las Vegas Strip in Nevada ranked the next five most vulnerable places in the mobility realm. It's not just about having your phone stolen. This is framed in the context of places where mobile phone users are at the biggest risk of hacking attempts or malware distribution.
Why are these places such rich environments for mobile targets? They're highly traveled areas frequented by tourists who may not be aware of secure processes, who access free wi-fi services and may not have mobile security or management apps in place. On a personal note, it comes as no shock to me that Notre Dame in Paris ranked #2. Paris is a breeding ground of scammers who employ all manner of ruses and dupes to try to extract money from unsuspecting visitors (just Google "the lost ring scam" and you'll read about what I experienced no less than two dozen times), and it's only natural their methods would evolve to include mobile devices.
There's more to the threat of location than just where your mobile device is used. When you think about end-to-end connectivity on your mobile device, you might not factor in the question of exactly where your data goes. It goes through cell towers to websites, storage providers, messaging systems and the like, right? Well, yes, but it also travels to specific geographic locations, which may represent a concern. According to Appthority's latest mobile threat report, here are the top areas in the world where data is sent from the U.S. (based on iOS and Android devices):
The results are both different but a little similar. Ireland sees the lion's share of the iOS traffic - over six times more data than Android devices send. China sees about twice as much iOS data as Android data, Germany is balanced between the two operating systems, and France/the UK are slightly more iOS-centric than Android, to the tune of about 1.5-1.7%
I asked Kevin Watkins, the co-founded and mobile threat lead of Appthority, about the discrepancies between the destination points of iOS data versus Android data. He told me: "This is a good question and something we are looking into. A majority of the traffic comes from analytics and adware libraries, and some are more common on one mobile platform vs the other. That is the case with the higher traffic to Ireland from iOS apps - a major chunk of that network traffic comes from Crashlytics which has a significantly larger footprint for iOS apps than Android. They also happen to be using Amazon servers in Ireland, likely for cost reasons."
It doesn't take much imagination to guess that mobile data in a potentially undesirable geographic location - one with lax regulations and oversight or which is undergoing upheaval - can be a significant concern. While few of the locations listed above represent bona fide hotbeds of chaos, there may be certain concerns about these locations based upon the background, orientation and activities of the organizations involved. Let's take a look at the next infographic:
This picture represents the "hot spots" around the world where you DON'T necessarily want your data going.
It's interesting that Canada, our friendly neighbor to the north, appears on the list and Appthority is continuing to research the causes behind that factor.
Specific mobile vulnerabilities are another factor. The report breaks them down further:
- LFI stands for Local File Inclusion, a method of exploiting a file to achieve desired malicious results.
- PrivilegedEscalation sounds like what it means, gaining access through elevated rights.
- DOS stands for "denial of service," an attack in which legitimate services are disrupted by bogus traffic.
- Overflow signifies a buffer overflow condition whereby malicious code can be executed.
- XSS represents Cross Side Scripting whereby exploits are delivered via malicious scripts.
- CSRF refers to Cross-Site Request Forgery whereby a web browser is manipulated to take advantage of current authentications.
- InfoDisclosure sounds like what it means; information leakage.
- CodeExecution sounds like what it means; running code that may be unwanted or undesirable.
There are a number of different types of vulnerabilities, but they all boil down to the same thing: providing the enemy undue advantage. Here is another angle as to how those advantages are utilized:
- Insecure Credential is self-explanatory.
- The Samsung Keyboard Vulnerability refers to a manner in which an attacker can execute code remotely via an elevated user privileges.
- Xara unauthorized cross-app resources access refers to privilege escalation, essentially.
- Logjam and AFNetworking are known encryption exploits.
Getting back to the concept of dead apps, here's how they apply to both iOS and Android environments:
These are roughly similar, with iOS dead apps more common than their Android counterparts by about 5 1/2 per cent.
What can users do to defend themselves?
Physical security is a no-brainer; tips include keeping your mobile device locked up when not in use and in a secure location while on your person, using a complex screen lock, utilizing encryption (especially on micro-SD cards if applicable) to protect confidential data and taking advantage of Apple's " Find my iPhone, iPad and Mac " or Google's " Android Device Manager" location services if your device is lost.
However, there are also security measures and practices you should implement on the device itself to protect against malware and other OS/application threats:
- Avoid free wi-fi, especially in sketchy areas.
- Avoid jailbreaking where possible (again, jailbreaking isn't required for a mobile device to be impacted by malware, but it can certainly increase such risks).
- Install the latest OS/patches for your device.
- Do not store credential or authentication tokens on mobile devices if possible.
- Limit your apps to only what you need. I myself keep my phone stripped down to the bare minimum.
- Pay attention to required app permissions and don't allow inappropriate access.
- Don't install apps from unknown sources, but don't assume every single app on the Google Play or Apple iTunes store is reliable. SC Magazine found last month that "in Google Play... 30,552 of 401,549 apps were malicious." Apple is much more restrictive in vetting the apps that are approved for release via iTunes (and their OS is often more resistant to malware as a result of their controls), but this comes at a cost of the flexibility Android users often prefer.
- If you are responsible for your messaging platform apply inherent security controls such as Microsoft Exchange's ActiveSync Mailbox Policies which can configure options for passwords, attachments, applications and device functions.
- Utilize a mobility device management platform. Appthority offers options for risk analysis, risk control and management and on-device protection and alerts. FireEye is a vendor with a similar set of solutions.
- Install local anti-malware software on your device(s). Bitdefender for Android (free and premium versions available), 360 Security for Android and Avast! Mobile Security for Android can help protect Android devices. Trend Micro Mobile Security and Webroot's SecureWeb Browser are geared towards securing iOS devices.
- If you manage mobile devices via a platform or application suite, consider implementing a whitelist of known good apps at your company and blocking others.
- Keep up to date on the latest security news to stay informed. For instance, Appthority released a bulletin last month discussing the Quicksand iOS vulnerability which can reveal credential information and potentially allow attackers to gain access to enterprise app services.
- Mobile users aren't standing still - nor are the threats which endanger them. Hopefully this data will help shed some insight on what you need to watch out for to protect your device - or if you work in an IT administration role, how to protect your users.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.