The UK’s National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) released a joint paper on the cyber threats to UK businesses on March 14th. This paper can be seen as an authoritative voice with regard to the “state of the nation” and cyber threats to UK corporations.
While much of the media response to the paper focused on one part of the document which discussed threats from ransomware and connected devices, another section of the paper examined the emerging threat from malicious mobile applications. The paper assessed that, at the time of writing, there had been no reported cases of mobile malware being used in an attack to pivot into a corporate enterprise network, but that it is a growing threat and that overall attacks involving mobile malware have increased in volume and sophistication. The increasing speed, power, and storage capabilities of mobile devices mean they are used more frequently for activities previously conducted on other platforms, such as laptops or PCs. Mobile devices are considered to be highly lucrative and viable targets to threat actors.
Three prominent trends were identified in the cyber threat report:
- Malicious applications that distribute malware often request elevated privileges and permissions in order to conduct further infections. The types of malware detected to date have included information stealers and ransomware. In January 2017 a ransomware variant called Charger was identified bundled together with an information stealer, masquerading as a battery saving app available for download from the Google Play store. The app has since been removed from the store.
- Fake applications that mimic brands and trick users into downloading the malicious version. These were involved in stealing personal or confidential information such as credentials. In February 2017 a trojan downloader was identified masquerading as an Adobe Flash Player app targeting all Android operating systems, seeking to infect users with banking malware designed to steal customers’ login credentials.
- SMS phishing (aka SMishing) uses the same techniques as traditional phishing attacks to persuade the user into disclosing personal information, downloading a file or app, or visiting a malicious site. Various bank and retail customers have been targeted in SMishing attacks, often involving an alert to the customer warning of suspicious activity on their account and requesting confirmation of their credentials, or offering access to exclusive vouchers and discount codes. Successful attacks resulted in the compromise of customers’ personal and financial information.
In recognition of the growing nature of mobile threats, Digital Shadows has recently extended its SearchLight digital risk management service to focus on Mobile Application Monitoring. The wide range of threats detected includes:
- Suspect application behavior and code, such as self-signed certificates or the presence of malware;
- Versions of an application that have been modified by a third party;
- Copies of an application on stores that are not actively managed;
- Impersonations or spoof applications that mimic brands and affiliate links that mislead or confuse users.
By identifying these threats, organizations can protect themselves from potential theft of intellectual property, mitigate brand misuse and prevent subsequent reputational damage. Organizations without mobile applications or use of SMS communication are still considered to be at risk of threat actors developing malicious and illegitimate applications, or targeting their customers with SMishing attacks.
To mitigate this threat it’s important to improve education around mobile application risks. Purchasing from third-party stores, downloading cracked versions of applications, and granting requests for intrusive permissions and privileges all increase risks to end users. Organizations should ensure that operating systems are up to date, helping to prevent the exploitation of vulnerabilities by threat actors.
Mobile devices and applications have been described as the “new battleground” in digital risk and security. Therefore, all mobile users should benefit from knowing what threats are lurking over the horizon.