Mobile device security threats are on the rise. In 2014, Kaspersky detected almost 3.5 million pieces of malware on more than 1 million user devices. By 2017, Kaspersky’s in-lab detection technologies processing reached 360,000 malicious files per day. And 78% of those files were malware programs, meaning that over 280,000 malware files per day were detected—many of which target mobile devices. Here’s a look at the top seven mobile device threats and what the future holds.
Mobile apps are often the cause of unintentional data leakage. For example, “riskware” apps pose a real problem for mobile users who grant them broad permissions, but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal—and potentially corporate—data to a remote server, where it is mined by advertisers, and sometimes, by cybercriminals.
Data leakage can also happen through hostile enterprise-signed mobile apps. These mobile malware programs use distribution code native to popular mobile operating systems like iOS and Android to move valuable data across corporate networks without raising red flags.
To avoid these problems, only give apps the permissions that they absolutely need in order to properly function. And steer clear of any apps that asks for more than necessary. The September 2019 updates for Android and Apple iOS both added protocols to make users more aware of it and why apps collect users’ location data.
No one wants to burn through their cellular data when wireless hot spots are available—but free Wi-Fi networks are usually unsecured. According to V3, in fact, three British politicians who agreed to be part of a free wireless security experiment were easily hacked by technology experts. Their social media, PayPal and even their VoIP conversations were compromised. To be safe, use free Wi-Fi sparingly on your mobile device. And never use it to access confidential or personal services, like banking or credit card information.
Network spoofing is when hackers set up fake access points—connections that look like Wi-Fi networks, but are actually traps—in high-traffic public locations such as coffee shops, libraries and airports. Cybercriminals give the access points common names like “Free Airport Wi-Fi” or “Coffeehouse” to encourage users to connect.
In some cases, attackers require users to create an “account” to access these free services, complete with a password. Because many users employ the same email and password combination for multiple services, hackers are then able to compromise users’ email, e-commerce and other secure information. In addition to using caution when connecting to any free Wi-Fi, never provide personal information. And whenever you are asked to create a login, whether for Wi-Fi or any application, always create a unique password.
Because mobile devices are always powered-on, they are the front lines of most phishing attack. According to CSO, mobile users are more vulnerable because they are often monitor their email in real-time, opening and reading emails when they are received. Mobile device users are also more susceptible because email apps display less information to accommodate the smaller screen sizes. For example, even when opened, an email may only display the sender’s name unless you expand the header information bar. Never click on unfamiliar email links. And if the matter isn’t urgent, then let the response or action items wait until you’re at your computer.
Although many mobile users worry about malware sending data streams back to cybercriminals, there’s a key threat closer to home: Spyware. In many cases, it’s not malware from unknown attackers that users should be worried about, but rather spyware installed by spouses, coworkers or employers to keep track of their whereabouts and activity. Also known as stalkerware, many of these apps are designed to be loaded on the target’s device without their consent or knowledge. A comprehensive antivirus and malware detection suite should use specialized scanning techniques for this type of program, which requires slightly different handling than does other malware owing to how it gets onto your device and its purpose.
According to Infosec Institute training materials, broken cryptography can happen when app developers use weak encryption algorithms, or fail to properly implement strong encryption. In the first case, developers may use familiar encryption algorithms despite their known vulnerabilities to speed up the app development process. As a result, any motivated attacker can exploit the vulnerabilities to crack passwords and gain access. In the second example, developers use highly secure algorithms, but leave other “back doors” open that limit their effectiveness. For example, it may not be possible for hackers to crack the passwords, but if developers leave flaws in the code that allow attackers to modify high-level app functions—such as sending or receiving text messages—they may not need passwords to cause problems. Here, the onus is on developers and organizations to enforce encryption standards before apps are deployed.
To facilitate ease-of-access for mobile device transactions, many apps make use of “tokens,” which allow users to perform multiple actions without being forced to re-authenticate their identity. Like passwords for users, tokens are generated by apps to identify and validate devices. Secure apps generate new tokens with each access attempt, or “session,” and should remain confidential. According to The Manifest, improper session handling occurs when apps unintentionally share session tokens, for example with malicious actors, allowing them to impersonate legitimate users. Often this is the result of a session that remains open after the user has navigated away from the app or website. For example, if you logged into a company intranet site from your tablet and neglected to log out when you finished the task, by remaining open, a cybercriminal would be free to explore the website and other connected parts of your employer’s network.
According to Harvard Business Review (HBR), despite becoming a preferred target for hackers, mobile security is not prioritized relative to network and computer security. Even within the mobile ecosystem, HBR reported that security spending was chronically underfunded relative to mobile app development. As our reliance on mobile devices grows, so does the value of data, and thus, the motivation for cybercriminals. In addition to the mobile security threats we’ve just discussed, be alert for new threats focused on the following three key impact areas:
Mobile device security threats are both increasing in number and evolving in scope. To protect devices and data, users must both understand common threat vectors and prepare for the next generation of malicious activity. A robust internet security solution should provide comprehensive coverage that extends beyond desktops and laptops, to protect mobile devices, IoT devices and other internet connection points. Furthermore, your personal network and devices need to be protecting during use when you are not at home.