VisionSpace Blog

Mobile Security Threats

As we have seen in our posts about Mobile Security Tips and Tips for organizations, the growth in mobile devices' popularity and their relative lack of security have made them attractive targets for cybercriminals, increasing the number of cyber threats. Cyber attacks on mobile devices exploit vulnerabilities and rely on human error.

Devices such as smartphones and personal digital assistants (PDAs) can access e-mails, calendars, contact information, passwords, the Internet, GPS navigation, and many other applications. An attack can expose important information, as people use their devices to access and store sensitive data and for commercial transactions, such as making purchases, redeeming coupons and tickets, banking, processing payments, and even paying at cash registers.

Like individuals, companies are also targets of mobile attacks, as employees have access to, and are sometimes even required to use, many apps. If a mobile device is hacked, all other devices connected to it can be too, as malware can spread from one device to another through the network. Just as a personal computer (PC) has vulnerabilities, so do mobile devices, legitimate software, and networks, and cybercriminals exploit those vulnerabilities, especially in easily overlooked areas.

Types of Mobile Security Threats  

Mobile devices are easy to carry, use, and modify, making them susceptible to a range of attacks, such as application-based, web-based, network, and physical attacks. Many users still don't worry about security and don't enable the software that protects their devices.

Application Based Attacks 

Data Leakage and Privacy  

Data leakage is one of the biggest security threats for mobile devices. It is unauthorized access to data and happens without any attack taking place. Many apps require permission to access the microphone, camera, contacts, and files, and ask for personal information, such as credentials and credit card information. In many cases, mobile apps are responsible for unintentional data leakage.

Legitimate programs that aren't designed to be malicious but present potential risks due to a security vulnerability, software incompatibility, or legal violations are called "riskware" or "grayware." They can be used for malicious purposes, as they are granted broad permissions without users checking security. Those are usually apps from official stores, performing as advertised but sending personal and corporate data to a remote server. The data can be collected by advertisers and sometimes cybercriminals. Those servers can be breached, compromising the data, which can then be used for marketing purposes or to steal your identity.

Malware programs can also be the cause of data leakage. Leakage can also happen when transferring company files onto a public cloud storage service, pasting confidential information in the wrong place, or forwarding an e-mail to an unintended recipient. Data can be collected from voice, message, camera, location, or other applications.

The following are examples of mobile data that attackers can monitor and intercept:   

  • Messaging (SMS and e-mail)  

  • Audio (Calls and open microphone recording)  

  • Video (Still and full-motion)  

  • Location  

  • Contact list  

  • Call history  

  • Browsing history  

  • Input  

  • Data files  
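An added example, not part of the original post: a short audit that reads an Android manifest and reports requested permissions that expose data categories from the list above which the app's advertised function does not need. The permission-to-category mapping, the function name and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission -> data category from the list above.
# The mapping is an assumption for this example and is not exhaustive.
SENSITIVE = {
    "android.permission.READ_SMS": "Messaging",
    "android.permission.RECEIVE_SMS": "Messaging",
    "android.permission.RECORD_AUDIO": "Audio",
    "android.permission.CAMERA": "Video",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_CONTACTS": "Contact list",
    "android.permission.READ_CALL_LOG": "Call history",
    "android.permission.READ_EXTERNAL_STORAGE": "Data files",
}


def audit_manifest(manifest_xml, expected_categories):
    """Return (permission, category) pairs the app requests but should not need."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        category = SENSITIVE.get(name)
        # Flag only sensitive permissions outside the app's stated purpose.
        if category and category not in expected_categories:
            findings.append((name, category))
    return sorted(findings)


# Constructed sample: a flashlight app that needs the camera flash only.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for permission, category in audit_manifest(SAMPLE_MANIFEST, {"Video"}):
        print(f"unexpected access to {category}: {permission}")
```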

Broken Cryptography  

To speed up app development processes, developers sometimes use familiar encryption algorithms despite their known vulnerabilities, failing to implement strong encryption. These vulnerabilities can be exploited by hackers to access your device and sensitive information. It can also happen that developers use secure algorithms but leave back doors open, limiting their effectiveness and allowing cybercriminals to modify high-level app functions.
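An added example, not part of the original post: a small review aid that scans Java or Kotlin source for calls selecting algorithms with known weaknesses. The rule list is illustrative and not exhaustive, and the function name and the sample source are assumptions constructed for this example.

```python
import re

# Illustrative, non-exhaustive rules for Java/Kotlin JCA calls.
RULES = [
    (re.compile(r'Cipher\.getInstance\(\s*"(DESede|DES|RC4)\b', re.I),
     "legacy cipher with known weaknesses"),
    (re.compile(r'Cipher\.getInstance\(\s*"AES/ECB/', re.I),
     "ECB mode reveals repeated plaintext blocks"),
    (re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"', re.I),
     "hash function with practical collisions"),
]


def scan_source(source):
    """Return (line_number, reason) for each line that selects a weak algorithm."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # skip commented-out code
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((line_no, reason))
                break  # one finding per line is enough for review
    return findings


# Constructed sample source; the last two lines show acceptable choices.
SAMPLE_SOURCE = '''\
Cipher legacy = Cipher.getInstance("DES/CBC/PKCS5Padding");
Cipher blocks = Cipher.getInstance("AES/ECB/PKCS5Padding");
MessageDigest sum = MessageDigest.getInstance("MD5");
// Cipher old = Cipher.getInstance("RC4");
Cipher good = Cipher.getInstance("AES/GCM/NoPadding");
MessageDigest strong = MessageDigest.getInstance("SHA-256");
'''

if __name__ == "__main__":
    for line_no, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}")
```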

Improper Session Handling  

To allow users to perform many activities without re-authenticating their identity, mobile devices use "tokens." They are generated by apps for each user's access attempt, or "session," and should remain confidential. Improper session handling happens when tokens are shared unintentionally with malicious actors, allowing them to impersonate users. It generally occurs when a login session is left open, giving cybercriminals access to the website and other connected parts of the network.

Web-based Attacks 

Social Engineering and Phishing attacks  

Even though people might think social engineering cons are easily avoided, the practice remains effective. According to FireEye, 91% of the cybercrimes in 2018 started with an e-mail.   

  • Impersonation: Cybercriminals pretend to be a contact (person or brand) known to their target to access sensitive information.

  • Phishing attacks: These happen when a cybercriminal tries to lure someone into giving away sensitive information, clicking on a malicious link, or downloading malware. These attacks are more likely to be successful on mobile phones because the small screen displays less information, most of the time only the sender's name. That makes it easy to spoof messages and for people to believe the content is authentic, especially on notifications with one-tap options to open links and answer messages. This, combined with people using their devices on the go, in a hurry, and while multitasking, without their full attention on the e-mail, increases the likelihood of a successful phishing attack. The increasing blur in the division of personal and work devices makes it more common to see private notifications among work-related ones, which increases the chances of an employee compromising company data.

    Phishing attacks can also happen in messaging apps, such as Facebook Messenger and WhatsApp, in games, on social media services, and through phishing apps (fake apps that look like real ones and collect sensitive information). They can also happen over SMS (SMiShing) and voice calls (vishing).

Cryptojacking attacks  

Cybercriminals can mine cryptocurrency from a device and use it for their gain. Because mining relies heavily on the attacked mobile device, the device experiences poor battery life and could even suffer damage from overheating components. Apps, websites, and even ads can contain malware that infects a device to use its processing power to mine cryptocurrency.

Drive-by Downloads: Adware, Malware, or Spyware   

A drive-by download attack happens when any malicious software is installed on a device without the owner's consent. When you visit certain websites or open phishing e-mails, a drive-by download can automatically install a malicious file on your device, such as adware, malware, spyware, or even a bot, which can use your phone to perform malicious tasks.

  • Mobile Ad Fraud: One of the most common of the several forms of ad fraud happens when an app offering a legitimate service runs fraudulent clicks in the background on legitimate ads that appear in the app, as if they came from legitimate users. Even though the primary victims are ad-supported publishers and advertisers, the smartphone can suffer slower performance, a drained battery, and overheating; it can also incur higher data charges.

  • Malicious Software - Malware: Some malware specifically targets mobile devices. It causes harm by using root privileges and allows cybercriminals to control all installed apps. It can be used to show ads to the user, send SMS messages, and access personal and business information, leading to financial loss.

  • Virus / Trojan: This malware is inserted into an attractive application and can do several things depending on the cybercriminal's intentions, such as hijacking the device, mining information, gaining access, and sending text messages.

  

  • Spyware or stalkerware: Secretly collects a user's data based on internet usage for a third party. It also collects information about your location, contacts, and data that can be used for fraud and identity theft.

  • Worm SMS: Worms are malware that can replicate themselves and don't require user interaction. They can be transmitted via SMS or MMS. 

  

  • Browser Exploits: As the name says, browser exploits take advantage of security flaws in mobile browsers and applications that function with browsers, such as PDF readers. Changes in the mobile browser's homepage or search page could signal a browser exploit attack.

Network Attacks 

Unsecure Wi-Fi and Network Spoofing  

As we have mentioned in our previous posts, a device's security depends on the safety of the network it is connected to; with constant use of public Wi-Fi networks, mobile devices are vulnerable to attacks.

  • Man-in-the-middle attack: Cybercriminals can intercept the communication between device and router. The information transmitted over public Wi-Fi is generally not encrypted and can be easily intercepted by hackers, while carrier networks typically provide good encryption.

  • Network Spoofing: Hackers can create an unsecured network access point in places where people use free Wi-Fi, such as coffee shops, libraries, and airports. These networks look like a regular network and have common names, but they can be used to access your traffic and device and to phish for your login credentials. In some cases, users are required to create an account with a login and password. Many users have the same combination for multiple services, making it easier for cybercriminals to gain access to their other services, including banks. Unsecured public Wi-Fi networks can also be used to deliver malware.

  

Cybercriminals can also gain access to sensitive information through Bluetooth and cellular networks.

Physical Attacks 

Physical Device Breaches  

A lost or unattended device, especially if it doesn't have a strong security lock and data encryption, can be a significant security risk, as it is a very appealing target to cybercriminals. Due to the transactional data and the applications logged into the device, a lost or stolen mobile can lead to privacy breaches.  

Consequences of a Mobile Attack   

Even though they are ignored by many users and considered less critical than PC security, the consequences of attacks on mobile phones can be severe. Malicious software can send device information to attackers and perform other harmful tasks, giving access to the network to which the device is connected. An attack on a device can result in access to contact information, call histories, text messages, photos, GPS location, and even financial information stored on the device, usernames, and passwords. That could result not only in financial loss but also in a data breach and the information becoming public.

Our previous posts will help you to avoid those problems. 

Article written by Juliane Verissímo - Marketing Department of VisionSpace