As businesses slow down over the festive break, it’s a good time to look back over some of the mobile threats that emerged in the past year to better prepare for what’s ahead. Upon reflection, mobile security is clearly more important than ever. Today’s mobile devices are living in a hostile environment, where well-crafted and sophisticated attacks are on the rise. Here are four of the top mobile security lessons we’ve learned from 2016.
1. Hummingbad/Hummer: Malware Is Big Business
If the motivation behind why people create malware escapes you, look no further than Hummingbad. Simply put: malware is big business. With this attack, the device actively generates fraudulent ad-clicks and downloads, which in turn generate micro-payments for someone, somewhere.Scale that activity across millions of devices, and soon enough, a lucrative business takes shape. Perhaps we brought this one on ourselves by building the pay-per-click, freeware, ad-driven economy for all those “free” apps and games, instead of putting our hands in our pockets and actually purchasing the apps we really want and need. Nevertheless, Hummingbad and its variants did an effective job of draining our device batteries and data plans, hampering our productivity and compromising our privacy and security.
[Related: What You Need to Know about Hummingbad]
2. SMS Attacks
We continue to see malicious apps requesting access to SMS capabilities on Android devices. And many users simply grant access without understanding the risk. 2016 saw a very targeted version of this attack in Australia. An app specifically looked out for an SMS from a known bank with an activation code and then harvested the information.And then, just a few weeks, I opened up my News app and saw this headline: 700 million Android handsets may be secretly sending users’ texts to China every 72 hours. SMS harvesting is just as easy and popular than it ever was, folks.
Back in September, there was a mini watershed moment when the Pegasus news broke. It demonstrated the precision in which hackers work to execute targeted, sophisticated and weaponized mobile cyber attacks and bared some uncomfortable truths. In itself, this attack is very rare. The average user is unlikely to be subjected to it directly. Plus, by the time it hit the headlines, the vulnerability was patched.
What was so special? Pegasus was a weaponized toolkit that made use of three rare iOS vulnerabilities. One vulnerability of significance is rare, so having three in play at once is an unusual case. What could Pegasus do? If you’ve heard all those stories about smartphones listening into your calls or reading your messages and passwords, that’s what it could do.
Pegasus was by all accounts very sophisticated. It was built for surveillance, and the first rule of surveillance is to remain undetected for as long as possible. Cover your tracks and leave with no (or very little) trace when you are done, so your target remains oblivious. The designers of Pegasus kept this in mind when thinking about the more obvious or clumsy run-of-the-mill jailbreak techniques we’ve seen in the past. Still, with all its targeted sophistication and rare attributes, Pegasus made us think about what is possible. I can’t help feeling that a genie escaped from a bottle this year.
4. TAPS: The OMG Moment of Conflicting Human Ingenuity
Most people know security best practices, but don’t take the simple things seriously, such as passwords, security codes, tokens and all the things designed to bolster convenience and security. I couldn’t help being amazed at human ingenuity and simultaneously disheartened by TAPS: Touchscreen Sticker with Touch ID. It’s a sticker. You attach it to a glove, and it simulates a fingerprint so that you don’t have to take your glove off to unlock your most valuable, personal and precious device.
The technology behind Touch ID is incredible. It recognizes your fingerprint in a tenth of a second and makes purchasing an app quick but still secure. But in one fell swoop, TAPS undermines one of the most unique, personal and attached authentication mechanisms and throws it out of the window. Multiple factor authentication is extremely important. Always ensure there is more than one request for access to your device in case one is compromised. Even though Touch ID is available on most smartphones, biometrics are still a long way from becoming the primary way into our devices and for good reason.
What Can We Expect in 2017?
After another year or mobile threat evolution, there’s no sign of these threats stopping in 2017. It’s easy to see why malicious actors target mobile devices. Users store more information and access more services on smartphones and tablets than ever before. All that personal data is attractive to hackers and thieves. At the same time, device usage is increasing, and the amount of data is growing, too. Faster and more efficient cellular data access means we enjoying a revolutionary mobile experience that’s better than the last. Unfortunately, there are people who will exploit the technology.
Despite the prevalence of threats, we should still be excited for 2017 and the innovations that will hit the market to further this revolution. Security experts continue to develop and apply sophisticated technologies, such as machine learning, for mobile security to ensure businesses and end users can feel safe in today’s mobile world.
David leads Wandera’s product advocacy group, working with the company’s largest customers to develop and implement leading-edge solutions. A specialist in enterprise mobility, EMM, MDM, BYOD enablement and technology innovation, David started his career in technology over 25 years ago at the outset of the PC revolution. David has worked at some of the world’s most reputable technology companies, including Apple and VMware AirWatch, where he held various positions across multiple continents, including iOS Technical Specialist for EMEA and Innovation Director.
Because you liked this blog: