The result is a wide variety of known and emerging threats revolving around mobile devices. For reference, if you're a digital banking user, you are most likely to become a fraud victim if you use a mobile device. Desktop users, on the other hand, are exposing themselves to a significantly lower fraud risk (Moonstone).
Another challenge with mobile devices is their connectivity to other services and devices. Once a smartphone is compromised, any other device or service connected to it is at risk.
With that in mind, let's explore the top mobile security threats and prevention best practices.
Mobile security threats are packaged in all shapes and sizes. Despite the versatility of the threats, there are four main types of mobile security threats to look out for.
Mobile applications are among the top reasons why mobile devices are vulnerable to an array of security threats. Imitation apps placed on third-party app stores, which copy the look and feel of legitimate mobile applications, commonly contain spyware that can skim the mobile device and deliver its data to a hacker. Poor security measures implemented during the application's development are also an issue. One of the main reasons why threats in this category cause the most damage is that the unsuspecting user is unaware of the attack.
These types of threats refer to a lost or stolen mobile device. Not using any security measure, such as a PIN or biometrics, makes it even easier for the bad actor to access your private data. Direct access to mobile hardware poses a huge risk for both private users and enterprises integrating mobile into their operations.
The use of public Wi-Fi networks is particularly dangerous because of well-known Man-in-the-Middle (MitM) attacks. In combination with poor end-to-end encryption, or none at all, data stored on the mobile device is at serious risk. Network spoofing, or fake Wi-Fi set up by hackers, lures users into submitting their credentials, including usernames and passwords. This opens the door to targeting personal accounts and causing even more damage.
Web-based attacks targeting mobile are usually in the form of phishing emails and spoofing. Phishing scams commonly involve emails or instant messages containing malicious attachments or links. They prompt the user to create an account and submit their personal information. The bad actor is then equipped with more than enough information to cause further damage through unauthorized access and, in some cases, identity theft.
Apps that store unencrypted data, such as sensitive information and credit card details, are a security liability in the mobile ecosystem. Most apps are not developed with security top of mind. The pressure for faster time to market in order to launch the new shiny mobile app results in overlooked security practices. Attacks, including emulator fraud, debuggers, and jailbreaking/rooting, can be prevented by implementing a RASP (runtime application self-protection) mechanism, which secures your app from the inside. To find out more, check out App Protector – a solution by ASEE that covers mobile application security threats.
Following our list of top mobile security threats are malicious apps. Often designed with the help of reverse engineering, malicious apps usually offer deals that are too good to be true. The other option is to mimic the look and feel of legitimate apps that have a large following. Instead of getting a good deal, users end up downloading a virus capable of locking down their phones and skimming the data on the device. To prevent such attacks, make sure to download apps from known app stores and check out the review section for extra caution.
IoT devices are notorious for their security flaws due to loose regulation regarding the secure-by-design principle. Such devices connect to your smartphone, either by Wi-Fi or Bluetooth, leaving a couple of doors open for bad actors to attack. Any device connected to your system puts the entire network at risk.
Among the top mobile security threats are phishing scams. Phishing is the root cause of most of today's attacks. The majority of attacks start with a simple email containing a malicious link. The reason why mobile devices are vulnerable to phishing scams is the variety of channels distributing the malware. We're talking email, SMS, instant messaging platforms, malicious ads, social media – the list goes on.
Spyware is usually triggered by clicking on a malicious link or an ad. The spyware then scans the mobile device for sensitive data, user credentials, and any other information the designer of the attack can use to cause further damage.
Madware, short for mobile adware, is a script that skims your phone for internet usage and interests. Why? This information is later sold to advertising companies that target you with relevant ads. The problem is that all of this happens backstage, without your permission. An even bigger problem is that the skimmed data can include your exact location, your contacts list and, in some cases, entire galleries and notes stored on your mobile device.
Another top mobile security threat is mobile ransomware - a twist on the regular malicious links. A mobile ransomware attack is based on encrypting the files on your mobile phone and asking the owner to make a payment in order for the files to be unlocked. These types of attacks usually target companies through unsuspecting users, i.e., the employees.
An honorable mention on our top mobile security threats list goes to grayware apps. To describe grayware apps as dangerous would be an overstatement. However, troublesome fits the bill. Grayware apps can contain spyware and adware but are mostly used to play tricks on users by showering them with pop-ups or endless redirections. As said, they are not particularly dangerous, but it's good to keep an eye on them as well.
Social engineering attacks mostly rely on the aforementioned phishing scams. Hackers send out an email or an instant message that contains a malicious link or asks the personnel for their user credentials. The message usually involves deals that are too good to say no to, or urgent matters requiring quick action from the receiver, most likely requiring access to an account or the user's personal/financial information.
Jailbreaking and rooting a device means taking over the administrator rights on iOS and Android smartphones. These attacks are based on exploiting OS vulnerabilities and gaining insight into data through the increased permissions that rooting/jailbreaking enables. Some users prefer their devices to be rooted/jailbroken so they have more freedom with their mobile devices. Common reasons are installing apps from third-party app stores and uninstalling default apps.
Known vulnerabilities are addressed through OS updates, which requires keeping the device up to date. The bad news is that only 21% of these updates happen automatically. The other 79% is in the hands of employees. By overlooking system updates, users are working with versions that contain known flaws and are making themselves an easy target for the attacker.
Improper session handling is yet another top mobile security threat, occurring when apps unintentionally share session tokens. If a session token falls into the hands of a bad actor, they are free to impersonate a legitimate user of the application. This is caused by leaving the session open after use without logging out. If we take the company intranet as an example, the attacker would be handed free access to the company's network and all of its connected parts.
Today's enterprises face a huge threat in the form of mobile applications. The average smartphone user has around 80 apps installed on their mobile device, some personal, others for business. The threat landscape around mobile applications is enormous due to poor implementation of basic security measures. The most innocent actions, such as allowing access to the device's gallery, are causing data breaches, costing companies a fortune. Ask yourself: how carefully do you review application permissions and terms and conditions?
Browser exploits take advantage of known vulnerabilities present in your mobile browser. If you notice any change in the look of your mobile browser, you might be among the victims of a browser exploit attack.
Broken cryptography and encryption gaps leave data flows unprotected and, therefore, vulnerable to attacks. Think of it as a leaking hose that, instead of water, leaks potentially sensitive and confidential information. Information shared between mobile devices and enterprise systems could be targeted by hackers, leaving your company at risk.
Man-in-the-Middle attacks involve network interception followed by either altering the data in transit or eavesdropping. Mobile devices are especially vulnerable to these kinds of attacks because hackers can easily intercept SMS communication, which has no security protocol around it. Mobile applications that use unencrypted HTTP to transfer sensitive information also pose a great risk.
The remote mode of work allows for a great amount of flexibility – and if not offered, it can be a deal-breaker for some exceptional talent you want in your company. However, work from home sometimes moves to cafes and Airbnbs with no insight into how the connection is set up or whether someone is monitoring it. A hacker can easily set up a free public Wi-Fi network for the sole purpose of conducting Man-in-the-Middle attacks and harvesting personal and company data.
Drive-by downloads refer to the installation of malware on your mobile device without your permission. By visiting a suspicious site or simply opening the wrong email, the installation is triggered automatically. The installed file can contain anything from the aforementioned spyware and adware to other malware. The situation gets more serious if the file contains a bot that is able to perform malicious tasks from your phone.
Recycled passwords are common among average users. With so many services and devices to log into on a daily basis, we tend to go for the easy option and use the same password for pretty much everything. What's even more concerning, in an effort to memorize them easily, users often decide on common passwords. This includes their birthday, pet's name, or favorite sports club, which are all easily cracked. From a business perspective, employees use smartphones to access both work and personal accounts, endangering not only the user but the entire company.
Gaining access to device hardware makes the job of a hacker exceptionally easy. With remote work possibilities, people are more and more inclined to do their jobs connected to public Wi-Fi. In addition, leaving the device unattended, or simply losing the device, poses a serious threat. With this in mind, it's the responsibility of the company to ensure an additional layer of protection in the form of VPN and 2FA. This goes hand in hand with communicating the importance of utilizing these services in an effort to mitigate attack risks.
In terms of the mobile security threats landscape, mobile applications make up a significant part. With reverse engineering used as a malicious practice, end users are exposed to mobile app attacks more than ever before. A smartphone with an installed malicious app, or an app carrying malware and spyware, is a threat to all services and devices connected to that particular mobile device. Some common mobile app attacks include jailbreaking/rooting, emulator fraud, debuggers, screen recording (iOS), and hooking.
To prevent and detect mobile security threats in real-time, App Protector integrates with your application and protects it from the inside. In case the mobile application is exhibiting unusual behavior, the built-in SDK protects the application according to the set configuration.
In case you're curious, feel free to contact us or download the datasheet - zero obligation. Our ASEE team will be happy to hear you out.