Protecting Users and Enterprises from the Mobile Malware Threat
With recent news of mobile malicious adware that "roots" smartphones, attention is again being paid to mobile security and the malware threat posed to it. While mobile ransomware is also a pervasive and growing threat, there are mobile RATs (such as JSocket and OmniRAT) that are able to take full remote control of mobile devices. The functionality of those tools includes the ability to use the microphone to listen in on victims and to view whatever is in front of the camera while the unsuspecting victim goes about their day.
It's important to realize that mobile malware, in essence, is just a question of apps. Even with the adware "rooting" apps above, it all still begins with installing an application, which means there are some defined ways users and enterprises can protect themselves. The other danger is that most of the time these devices are on the cellular network, so they operate outside all of the network protective technologies an enterprise has to detect, if not prevent, compromise. Here is a quick list of what users and enterprises can do.
For users:
- Never install applications from outside the official mobile "app" stores (e.g. Google Play, Apple's App Store)
- Ensure that smartphones are set to NOT install apps from unverified sources
- Do NOT root/jailbreak your phone, as this removes a great deal of the platform's security features
- Observe what permissions applications request on install and reject those that want the "Christmas tree" list of permissions (i.e. all of them)
- Install a mobile anti-malware solution of your choosing
For enterprises:
- For phones under your control, ensure all of the above are set and are unmodifiable by the end user
- Provide users in sensitive positions with a corporate-provided phone so that you can do the above and restrict sensitive information to the corporate phone
- Provide a BYOD network for personal mobile devices, monitor that network for indicators of compromise, and respond accordingly. Encourage users to use that network.
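As an added illustration of the "set and unmodifiable by the end user" item for Android fleets (example code, not from this diary or Fidelis): a device-owner app that applies the user checklist as user restrictions and audits whether they are still in force. It assumes the app has been provisioned as device owner through your MDM, that `MdmAdminReceiver` (a hypothetical name) is its `DeviceAdminReceiver`, and Android API level 24 or later for the read-back audit.

```java
// Added example: enforce the user checklist on a managed Android phone
// so that the end user cannot undo it. Requires device-owner privileges.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Bundle;
import android.os.UserManager;

import java.util.ArrayList;
import java.util.List;

public final class ManagedPhonePolicy {
    // Restrictions that map onto the checklist in the post.
    private static final String[] RESTRICTIONS = {
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, // no sideloading outside the store
        UserManager.DISALLOW_DEBUGGING_FEATURES,      // no USB debugging / adb-based installs
        UserManager.ENSURE_VERIFY_APPS,               // app verification cannot be switched off
        UserManager.DISALLOW_FACTORY_RESET,           // user cannot wipe to escape management
    };

    /** Applies the restrictions. Throws if this app is not the device owner. */
    public static void enforce(Context ctx) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (!dpm.isDeviceOwnerApp(ctx.getPackageName())) {
            throw new IllegalStateException("not device owner: cannot lock policy");
        }
        // MdmAdminReceiver is a hypothetical DeviceAdminReceiver subclass of this app.
        ComponentName admin = new ComponentName(ctx, MdmAdminReceiver.class);
        for (String key : RESTRICTIONS) {
            dpm.addUserRestriction(admin, key);
        }
        // Keep runtime permission prompts visible, so an app asking for the
        // "Christmas tree" list is still seen by the user instead of auto-granted.
        dpm.setPermissionPolicy(admin, DevicePolicyManager.PERMISSION_POLICY_PROMPT);
    }

    /** Audit: returns the restrictions NOT currently in force (empty list = compliant). */
    public static List<String> missingRestrictions(Context ctx) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, MdmAdminReceiver.class);
        Bundle active = dpm.getUserRestrictions(admin); // API 24+
        List<String> missing = new ArrayList<>();
        for (String key : RESTRICTIONS) {
            if (!active.getBoolean(key, false)) {
                missing.add(key);
            }
        }
        return missing;
    }
}
```

Run the audit from a periodic compliance check and treat a non-empty result as an indicator that the device has left the managed state.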
What else would you add to this list?
--
John Bambenek
bambenek\at\ gmail /dot/ com
Fidelis Cybersecurity
Comments
2FA helps limit this scope--the attacker may have email access, but not VDI/remote. This could be improved, but enterprise apps have not caught up with the rest of the ecosystem. Many 2FA implementations geared toward the non-enterprise space let the individual assign a generated application-specific password to their device. It only works on that one device while requiring 2FA elsewhere.
I’m unaware of any enterprise equivalent.
Anonymous
Nov 9th 2015
8 years ago
The standard for smartphones, at least under Android, is that they come with an obsolete operating system, that they come with rarely useful but often buggy and insecure-by-design apps, that these apps can't be uninstalled by the user, and that the phone will see security updates rarely (if at all).
I'm not talking about phones from obscure producers or providers, but from companies with a 'high' reputation such as, e.g., Samsung or Deutsche Telekom.
The first step to harden such a phone is to root it. And then install a fresh, well-maintained operating system like, e.g., CyanogenMod.
Also, your hint to 'never install applications outside of the mobile "app" stores' is misleading. To be able to install from Google's app store, you must install several services on your phone which deeply integrate with the operating system. Even if I can't name current bugs in these services, from a security point of view services with such behaviour should be avoided as far as possible.
I personally have higher trust in the apps from F-Droid than in the Google app store - and to install from F-Droid there is no need to exploit my privacy and endanger my smartphone's security by installing any OS-integrated services.
And that 'mobile anti-malware solution'... Can you name any such 'solution' which has any security advantage over not installing such snake oil?
Anonymous
Nov 10th 2015
8 years ago