Watershed Moment: Smartphones Targeted by Drive-by Malware


Cyber “Events” that Shape History

Only a few events in the history of “Cyber” and “Security” cause security professionals to sit back, meditate, and try to understand the implications of that event.  The earliest such event CyberHoot recalls reading about was the “Morris Worm”, which spread across the early internet way back in 1988. Its author was subsequently convicted under the newly passed Computer Fraud and Abuse Act of 1986. We can thank the Morris Worm for spurring the Defense Advanced Research Projects Agency (DARPA) to create the Computer Emergency Response Team, tasked with coordinating emergency response activities to critical computing events.

Since then, multiple “events” have occurred which directly influenced Cybersecurity programs, protection technologies, and procedures.  The ILOVEYOU virus (2000) and the SQL Slammer worm (2003) both taught us about network segmentation and the importance of limiting ports and protocols passing across our internal networks.  Fast forward to 2017, and the WannaCry ransomware reminded us of the need for strong backup and restore capabilities.

When Malware targets Mobile…

A recent revelation has CyberHoot wondering if 2019 will be the year we look back on and say: “That was the year Smartphones became vectors for widespread worms, viruses, and data theft.”  Until this moment, smartphone hacking cost millions of dollars and was limited to nation-state-sponsored attacks. That is no longer true, and the extent to which it is “untrue” seems like a watershed moment in cybersecurity.

Security researcher Ian Beer, from Google’s Project Zero whitehat hacking team, published evidence of widespread smartphone hacking that successfully installed malicious software on Android and iOS smartphones.  Google’s researchers showed that by exploiting a series of vulnerabilities together (something they call chaining), hackers could install anything they wanted on your devices, just because you visited their malicious websites. Worse yet, this appears to have gone on for two years without being discovered. Sobering, isn’t it?

What does Cyber Al from CyberHoot suggest you do about this development?  Let’s dive into some suggestions we’ve collected from various articles covering this noteworthy development.

10 Protection Tips for Smartphone Users:

  1. A mobile device is a computer. Do not install any App or Game onto the device unless you absolutely need it. Even then, limit the permissions you give each app.  Does the Facebook app really need access to your Microphone?
  2. Always consider how you connect to the Internet on mobile devices.  Be highly suspicious of Free or Public WiFi, which is very insecure.  Companies should enforce Acceptable Use Policies requiring the use of Virtual Private Network (VPN) technology on all mobile devices and combine it with two-factor authentication.
  3. Establish and enforce Bring-Your-Own-Device (BYOD) policies at work.  Personal devices are everywhere, but they should never be allowed on your Trusted business networks; that is what guest WiFi was created for.
  4. Block jailbroken iPhones and rooted Android phones from accessing trusted networks and corporate data, including online email services.
  5. Keep mobile device operating systems up to date.  The latest iPhone software 12.1.4 is not at risk from the chained vulnerabilities identified by Ian Beer of Google.  However, given the two years of dwell time, you can be certain other vulnerabilities have been discovered and are exploiting our phones.
  6. Encrypt your mobile devices and data stores (USB sticks).  All iOS and Android operating systems have automatically encrypted their file systems for at least the last 7 years.
  7. Enforce Mobile Device Management policies with solid management tools available from Microsoft, AirWatch, Good Mobile and many other vendors.  You must be able to selectively wipe corporate data from lost or stolen devices.
  8. Install Applications only from Trusted Vendors.  Consider building an Enterprise Store of vetted and approved smartphone applications (this tip is for Large Enterprises with highly mature Cyber Programs).
  9. Provide Cloud-Storage Alternatives for your employees, who will otherwise use any service that is convenient and free without a second thought.
  10. Install Anti-Malware on your Android device (Sophos has a product).  iOS and BlackBerry do not allow for any such products to be used today.
  11. BONUS: reboot your iOS device periodically.  These chained vulnerabilities did not survive a reboot of the smartphone device. iPhone, please meet Windows 95, where a reboot was the solution to so many problems.  iPhone Reboots, really???
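
Tips 4, 5, 6 and 11 can be enforced as a single compliance gate in front of trusted networks and corporate email. The sketch below is an added example, not CyberHoot's or any MDM vendor's code: the Device fields, the Android version floor and the 7-day reboot interval are assumptions, and only the iOS 12.1.4 floor comes from tip 5.

```python
from dataclasses import dataclass

# The iOS floor is the version named in tip 5. The Android floor and the
# reboot interval are assumptions chosen for this example only.
MIN_OS = {"ios": (12, 1, 4), "android": (9,)}
MAX_UPTIME_DAYS = 7

@dataclass
class Device:
    owner: str
    platform: str      # "ios" or "android"
    os_version: str    # dotted version string as reported by the MDM agent
    jailbroken: bool   # jailbroken (iOS) or rooted (Android)
    encrypted: bool
    uptime_days: int

def parse_version(text):
    """Turn '12.1.4' into (12, 1, 4) so that 12.10 sorts above 12.1.4."""
    return tuple(int(part) for part in text.strip().split("."))

def evaluate(device):
    """Return (allowed, reasons). Any blocking finding denies trusted access."""
    blocking, advisory = [], []
    floor = MIN_OS.get(device.platform)
    if floor is None:
        blocking.append("unknown platform")
    else:
        try:
            if parse_version(device.os_version) < floor:
                blocking.append("OS below minimum patched version")
        except ValueError:
            blocking.append("unparseable OS version")  # fail closed
    if device.jailbroken:
        blocking.append("jailbroken or rooted")
    if not device.encrypted:
        blocking.append("storage not encrypted")
    if device.platform == "ios" and device.uptime_days > MAX_UPTIME_DAYS:
        advisory.append("reboot recommended")
    return (not blocking, blocking + advisory)

# Constructed sample inventory, not real data.
INVENTORY = [
    Device("alice", "ios", "12.1.4", False, True, 2),
    Device("bob", "ios", "12.1.3", False, True, 30),
    Device("carol", "android", "10", True, True, 1),
    Device("dave", "ios", "12.10", False, True, 1),
]
```

Comparing versions as integer tuples matters here: a plain string comparison would rank "12.10" below "12.1.4" and wrongly block a newer device.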

How should we think about and use our Smartphones?

Google’s security researcher Ian Beer writes: “All that users can do is be conscious of the fact that mass exploitation exists and behave accordingly; treat their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

We’ve entered a new era, where our beloved smartphones can be infected just by visiting malicious websites.  Think before you surf the Internet willy-nilly on trusted corporate devices containing Intellectual Property or Regulated Data. Maybe don’t visit that website!

Call to Action

If you’re worried about the cybersecurity of your company and want to do something concrete and meaningful to protect it, then visit CyberHoot.com today and sign up for a free 30-day trial.  Email Sales@CyberHoot.com for information and assistance with any questions.
