As malware continues to grow and change, the number and types of at-risk devices will do the same. Currently, malware oriented towards mobile devices is on the rise, with hackers focusing on smartphones and tablets. Ryan Olson, the director of threat intelligence at Palo Alto Networks, says that the targeted devices are changing, but hackers are still just looking to make money off of stolen data – and that they are being thwarted by continuing improvements in mobile security.
The Cipher Brief: How would you assess the threat to industry posed by mobile phone malware?
Ryan Olson: To understand the threat posed by mobile malware, it’s helpful to first take a step back and consider that attackers aren’t generally interested in compromising devices; they are interested in accessing data. E-mail addresses, passwords, personally identifiable information (PII), credit card numbers, your photos, location history – all of this is data which has value to different attackers. Mobile devices increasingly have access to larger amounts of this data and often even more than the computer sitting on your desk. For this reason alone, mobile devices are valuable targets for attackers of all stripes.
However, attackers are challenged by the fact that the major mobile operating systems remain significantly harder to infect in their default configurations than PCs. We have seen a rise in types of mobile malware as attackers work to claim this new territory, but thus far, these devices have not been a major cause of data breaches.
TCB: How has this threat changed over the last few years?
RO: Much of the research going into mobile malware has been on finding ways to evade the security controls that the operating system creators have put in place to prevent unauthorized Apps from running on their devices. In the last few years, we’ve seen a steady stream of weaknesses in these protections discovered, developed, and deployed in attacks. We detailed some of them in our reports on WireLurker, XcodeGhost and GunPoder.
TCB: What are the common goals of mobile phone malware (stealing information, extorting money, etc.)?
RO: The vast majority of mobile malware is financially motivated, but we’ve identified multiple cases where surveillance was the goal. To make money, the malware often simply displays advertisements or sends premium SMS messages but can also play a role in more serious cyber fraud. SMS messages are used by many organizations to deliver token codes for step-up authentication or to authorize transactions, and some mobile malware is designed to capture and relay these messages to a waiting criminal. The “ransomware” criminal business model of holding a device or its data hostage for a payment is also present with mobile devices but not yet as prevalent as on Windows.
TCB: To what extent is this type of malware affected by broader trends in cybercrime?
RO: Financially motivated attackers are motivated to turn their resources into cash. One of the reasons for the massive rise in ransomware in the last few years is that attackers can monetize any PC infection by holding the user’s files for ransom. In contrast, stealing medical records and turning them into cash is a much bigger challenge for most criminals. Criminals are drawn to the best mechanisms to generate revenue, no matter what type of device they have compromised.
TCB: How do you see malware targeting mobile phones changing over the next 10 years?
RO: As mobile OS creators continue to push their platforms to be more secure, they will make it harder for attackers to infect phones or take malicious actions once they are infected. This will likely lead attackers to shift their tactics, as we saw with the XcodeGhost malware. Rather than targeting users and their phones, they could target developers of popular applications. If they can compromise the developer, they could inject their malware into legitimate applications to get a foothold inside the phone.
TCB: What factors will affect these changes and why?
RO: This shift is only required if phones remain hard (not impossible) to infect. That is true of all non-jailbroken iOS devices, and Android devices that only install Apps from well-maintained App stores like Google Play. China has a massive Android user base, but the Google Play Store is not yet available in the country, leading users to find alternative sources of Android Apps. Third party App stores are one of the major sources of malware for Android, and simply enabling installation of Apps from “Unknown sources” increases the likelihood of accidentally installing malware.
TCB: How does bring-your-own-device culture affect the threat to businesses from mobile phone malware?
RO: This comes back to the question of what we are trying to defend, devices or data. I’d argue that no matter which device (BYOD or otherwise) is accessing the data, the organization is responsible for protecting their data. Mobile malware is a factor in this decision but not necessarily a bigger one than the threat from stolen devices, passwords, or compromised e-mail accounts.
TCB: What can businesses do to better protect themselves?
RO: Businesses should develop a security architecture based on defending their data with the knowledge that it is spread across many types of devices and in public and private clouds. That architecture needs to enable users to work with the technology that will help them do their jobs effectively while allowing security teams to ensure their data remains safe. Mobile devices should be brought under the same umbrella of protection as PCs sitting on a desktop at headquarters or a salesperson’s laptop working out of a café.