Endpoint/Device Security, Application security

Why You Need Security Tailor-Made for Mobile

Clever Letscall vishing malware targets Android phones

It's an undeniable truth that significant differences exist across many facets of life. Sports figures like LeBron James and Michael Jordan possess exceptional talent, which has propelled them to accomplish feats that defy human capability. Jeff Bezos and Elon Musk's extraordinary business achievements make them the epitome of success and a source of inspiration for many.

These examples underscore a crucial point: Some things are just better than others. And nowhere is this more evident than in the realm of mobile cybersecurity. With numerous vendors vying for the attention of IT security teams, each claiming to secure mobile devices, it's crucial to differentiate between the various approaches. This begins with understanding the unique nature of the mobile environment.

Several years back, Lookout conducted an analysis of mobile risks across multiple dimensions, including applications, devices, networks, and content. Our examination revealed substantial differences between traditional desktop and mobile environments, which we outlined in our "Spectrum of Mobile Risk" framework aimed at helping CISOs understand the diverse aspects of mobile security. The assessment underscored the need for an endpoint solution specifically tailored to meet the unique demands of the mobile environment. I'll outline some of these distinctive requirements below.

An App-Centric Future

Unlike conventional Windows desktop environments, the mobile world is “app-centric.” Mobile users spend 88% of their time on mobile apps and just 12% on mobile websites. Users can access a vast software landscape, selecting from over 3 million unique apps on Google Play with a comparable number on the Apple App Store.

Unfortunately, malicious and risky apps are often discovered lurking in these app stores, with some downloaded millions of times before being identified and removed. A notable example is BadBazaar, a family of mobile surveillance ware linked to the Chinese-backed hacking group APT15, flagged as malicious by Lookout. The app was used by Chinese authorities to track activities within the Tibetan and Uyghur communities that are considered indicative of religious extremism or separatism. It was published to the App Store as TibetOne and masqueraded as an app with content intended to appeal to Tibetan culture.

The Digital Markets Act (DMA), recent legislation from the European Union, adds another layer of complexity to the challenge of safeguarding against malicious apps on mobile devices. The new rule, intended to safeguard digital market competition, requires companies like Apple to allow “sideloading” of apps from alternative app stores or directly from the app's official website. In a recent white paper, Apple conceded that it will no longer be able to fully protect iOS users from cyber threats now that it must comply with the DMA.

While most IT departments restrict users from installing software on company-owned desktops and laptops, similar constraints are not always extended to mobile devices. Despite the availability of mobile device management (MDM) solutions that lock down mobile phones and tablets, a recent study by a prominent market research firm revealed that 69% of IT admins reported at least half of the devices on their network are unmanaged.

Unmanaged or "bring your own device" (BYOD) programs allow employees to use their personal devices to connect to their company's network and access potentially sensitive or confidential data. The danger posed by malicious code and the growing presence of unmanaged devices emphasize the need for a mobile threat defense (MTD) solution capable of identifying mobile app-based risks and taking remedial action in both managed and unmanaged environments. 

Risky Business

Preventing malicious apps from being downloaded is just one aspect of the challenge posed by mobile devices. Millions of seemingly harmless apps may not warrant blocking but exhibit risky behavior nonetheless. Many businesses would hesitate to use these apps if they were aware of their hidden behaviors that put sensitive corporate data at risk. For example, apps that either transfer data insecurely or store data locally without appropriate encryption should be identified and quarantined. 

A prime illustration of this is the extensively utilized social media platform TikTok, which has consistently surfaced in discussions regarding data privacy. In early 2020, Lookout’s analysis of the app revealed it was communicating with numerous IP addresses in China and Russia. While it’s difficult to ascertain the precise nature of the data that was being sent to these locations, we know that TikTok collects a plethora of data on the devices it’s installed on, such as device brand and model, operating system version, mobile carrier, browsing history, apps installed, file names, types, keystroke patterns or rhythms, wireless connections, and geolocation.

TikTok's own privacy policy describes collecting and analyzing user personally identifiable information (PII) and data gathered from other sources, which can include age, image, personal contacts, relationship status, preferences, and other data collected through a single sign-on (SSO) feature that allows users to sign into TikTok from other platforms. 

To analyze all apps and provide visibility to unsafe and unwanted behaviors, a mobile app reputation service (MARS) should be implemented. This gives IT admins visibility to set risk management policies, allowing them to permit or block apps based on their data collection and handling practices. It also serves as a compliance tool to address international regulatory requirements such as the General Data Protection Regulation (GDPR) and state legislation like the California Consumer Privacy Act (CCPA).

A Social Nightmare

Smishing, another problem unique to mobile, is a social engineering attack that uses fake mobile text messages to trick people into downloading malware, revealing credentials and other sensitive information, or sending money to cyber criminals. The term “smishing” is derived from the combination of “SMS,” or “short message service,” and “phishing.”

Like other types of phishing and social engineering, smishing attacks involve using fake stories to manipulate victims’ emotions and coerce them into carrying out the scammer's requests. For example, scammers might pose as the victim’s bank alerting them to a problem with their account through a fake notification. If the victim clicks the link, it brings them to a fake, look-alike website that steals sensitive financial information like PINs, login credentials, passwords, and bank account or credit card information. 

Two recent cyberattacks on prominent casino chains MGM Resorts and Caesars serve as clear and compelling examples of the dangers posed by social engineering attacks. The resorts were recently a target for a well-known cybercrime group Scattered Spider, also known as UNC3944. This financially motivated group has persistently used mobile-based social engineering and smishing campaigns to obtain credentials to gain access to victim organizations and steal sensitive data for extortion purposes.

MGM experienced disruptions across its various operations at hotels and gaming venues stretching from Las Vegas to Macau. Meanwhile, Caesars made headlines by paying a hefty $15 million ransom following a ransomware attack. The incidents not only caused operational disturbances but also resulted in both companies suffering a decline in market value due to falling stock prices.

To detect and prevent smishing attacks and prevent your organization from being the next target, it is advisable to implement a phishing and content protection (PCP) solution.

Don’t Be Vulnerable

Another prevalent issue in the mobile domain is vulnerability management. A software vulnerability is a defect (bug) in the operating system software. While these defects are commonplace, they become a security concern when attackers exploit them with malicious code that targets the defect to launch their attacks. Vulnerability management involves identifying, classifying, and mitigating these vulnerabilities through software patching. 

The common vulnerabilities and exposures (CVE) database, maintained by MITRE, serves as a repository of publicly disclosed vulnerabilities and exposures. The program’s primary purpose is to uniquely identify vulnerabilities and to associate specific versions of software codebases to those vulnerabilities. There are numerous vulnerability management solutions in the market that utilize the CVE database to streamline the process of identifying and resolving vulnerabilities. While the vulnerability management market for workstations and servers is addressed by numerous vendors (e.g., Qualys, Rapid7, Tenable), none have tailored their products for mobile operating systems such as iOS and Android, leaving this segment broadly exposed. 

However, both the Apple iOS and Google Android mobile operating systems are equally vulnerable to security flaws, much like any other software codebase. For example, last month Apple released a series of iOS updates to fix several security flaws, two of which were new zero-day security vulnerabilities possibly exploited in the wild. In a recent update for the Android OS, Google patched 28 vulnerabilities, one of which was rated critical for Android devices equipped with Qualcomm chips.

The Google Qualcomm vulnerability (CVE-2023-28582) and the Apple vulnerability (CVE-2024-23225) both entail memory corruption issues, a common target for attackers seeking to gain unauthorized access to sensitive data and execute code with heightened privileges.

The remediation measures for these vulnerabilities involve promptly updating the mobile operating systems to their latest versions. However, without a robust mobile vulnerability management (MVM) solution, it’s nearly impossible to keep track of the thousands of CVEs and correlate them to specific OS versions.

The Heavy Stuff

Combating file-based malware attacks at the device level is necessary but not sufficient in the face of sophisticated cybersecurity threats. This is where advanced endpoint security capabilities, such as mobile endpoint detection and response (mobile EDR) solutions, come into play. These solutions, powered by behavioral analysis and threat intelligence, are designed to identify irregularities and empower IT security staff to halt potential breaches. The value of a mobile EDR solution lies in its ability to provide proactive defense against evolving cyber threats, enhancing the enterprise’s overall security operations.

An effective mobile EDR solution must also be backed by a robust threat intelligence organization. This human element is dedicated to researching, classifying, and recording the tactics, techniques, and procedures (TTP) employed by modern cybersecurity threat actors. By collaborating with other security companies and sharing data and intelligence, this team is able to correlate mobile security research with similar intelligence from desktop, network, and server infrastructure. This comprehensive approach offers a holistic view of the "modern kill chain," empowering customers with the insights needed to proactively address potential threats.

Many large enterprise organizations maintain their own security operations center (SOC) to continuously monitor, prevent, detect, investigate, and respond to cyber threats. These teams can gain significant advantages from accessing threat data to proactively address threats before they inflict harm. Threat intelligence as a service, which encompasses comprehensive reports and API-based access to mobile threat data, helps enhance SOC capabilities, equipping them with the necessary data and insights to efficiently combat contemporary cyber threats.

Differences Matter 

Despite the vast differences between desktop and mobile environments, most endpoint security vendors implement a "one-size-fits-all" security strategy. But desktop and mobile are not the same — not even close. The unique nature of the mobile environment demands a purpose-built mobile endpoint solution that offers an integrated set of prevention, detection, and response services, including MTD, MARS, PCP, MVM, and mobile EDR. 

This is where Lookout Mobile Endpoint Security steps in. Lookout MES is a cloud-delivered security platform that provides protection, visibility, analytics, and control across both iOS and Android environments. Tailored to address the unique requirements of the mobile environment, Lookout MES extends comprehensive endpoint protection capabilities to mobile devices, eliminating the need for disparate products, additional integrations, and unnecessary complexity. And it works across both managed and unmanaged environments.

Today's workforce is more reliant than ever on mobile platforms to access business-critical apps, making mobile devices an increasingly popular attack surface for threat actors using tactics such as malicious apps, social engineering, and vulnerability exploits. Yet most IT security teams lack visibility into mobile threat activity, due to the inadequate, complex, and difficult nature of one-size-fits-all security solutions that fail to account for the multi-dimensional nature of the mobile threat landscape. 

An old carpenter's adage emphasizes the importance of employing "the right tool for the right job," and this rings particularly true when safeguarding your mobile workforce with Lookout.

Blog courtesy of Lookout. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program. Read more Lookout news and guest blogs here.