Companies need to defend against the growing mobile threat

It’s no surprise that mobile attacks are surging, given the profusion of mobile devices and the propensity of cyber criminals to go where the action is—and also, where the vulnerabilities are. But the spread of mobile attacks into large-scale operations, including those run by adversarial nations, should create a sense of immediate urgency for companies to review their mobile device policies and implement improvements.

FBI Director Christopher Wray recently raised national security concerns about China’s influence over the video-sharing app TikTok, which is the most visited site in the world and is owned by Beijing-based tech giant ByteDance. Wray warned that the Chinese government can control TikTok’s recommendation algorithm, manipulate content on the video-sharing app for use in “influence operations,” and use TikTok user data as part of espionage campaigns against Americans, including government employees.

Concerns over TikTok, which have been building for several years, have prompted some lawmakers to propose banning the app, citing potential threats to users and the nation overall. The app, for example, can track users' locations and collect browsing data even from other websites people visit, allowing China to build profiles that could be used for blackmail or spying. China also could use data gathered from government employees to steal sensitive government information.

Mobile Hacks Becoming More Frequent and Severe

While the concerns about TikTok are noteworthy, the overall threat to mobile devices is, of course, far more widespread than just that one app. Mobile devices are pervasive, both in personal and business use. A Pew Research Center study in 2021 found that 85% of American adults owned a smartphone; if that number has changed since then, it’s only gone up. Criminal organizations and nation-states have a lot of opportunities to exploit mobile devices. Recent examples of the mobile threat include:

●      A blackmail campaign called MoneyMonger inserted malware into money-lending apps that were built with the Flutter software development kit. The malware, which was distributed via a third-party app store, uses several layers of social engineering to compromise users, steal information from their devices, and then use that information to blackmail them.

●       The Pegasus spyware, created by the Israeli company NSO Group, uses a new wrinkle: Zero-click attacks that download spyware or other malware even if a user doesn’t click on a link or take any other steps to interact with it. In some cases, the malware may have been distributed when people received a WhatsApp call, they didn’t answer. The company says Pegasus, which can be covertly installed on mobile devices running Android and iOS, is intended to aid governments in fighting criminal and terrorist groups, but it has also been used to monitor activists, journalists, political leaders and business executives.

●       A cyber mercenary group called Bahamut is using fake VPN apps to target Android users, in order to exfiltrate confidential data and spy on victims’ messaging.

●       The U.S. Army recently admitted that it has used a training app containing code written by a Russian company—which had gone to great lengths to pose as being U.S.-based. The app is no longer used, and likely wouldn’t have been approved today because of new rules about IT sourcing, but the incident underscores concern about whether some foreign IT components and software can be trusted. In November, the Biden administration banned new telecom equipment from China’s Huawei Technologies and ZTE over national security concerns.

Take Preventive Measures

Organizations and users need to become more aware of the hazards of downloading potentially malicious apps to mobile devices, especially if they have a BYOD policy. Make no mistake, implementing BYOD has many advantages—for one thing, Cisco estimates that companies with a comprehensive BYOD program can save $3,150 per employee per year—but it also comes with attendant risks.

Employees who use personal devices for business can also spend their spare time playing games, scrolling through social media, browsing the internet, messaging friends and so on, which can leave them vulnerable to compromised apps. Similarly, even organizations that don’t allow BYOD and instead purchase additional devices and data plans for all employees are still routinely forced to deal with employees using company phones for personal reasons, creating many of the same risks.

It’s important to be aware of the signs that a personal or company-owned phone might already have malware installed. Some of those indicators include:

●       The battery drains quickly.

●       More ads than usual pop up across all apps.

●       Additional apps the user didn’t download appear on the phone.

●       Unfamiliar app store or credit card charges appear on bills.

CISOs and HR departments, meanwhile, should be taking steps to strengthen their device security. Key steps include:

●       Incorporate and execute basic cybersecurity training, including how to recognize the signs of phishing and its variations, including the more targeted spear phishing and whaling, vishing (using voice calls) and smishing (SMS text messages).

 ●       Avoid third-party apps and restrict employee use of approved apps from a trusted provider.

●       Use complex passwords and multi-factor authentication; MFA has proved to be very effective in preventing credential-based attacks.

●       Use a password manager to ensure the use of effective passwords that are safely kept.

●       Use a secure network VPN.

●       Install a Mobile Threat Defense Solution

●       Configure a Mobile Application Management (MAM) solution to protect data in certain apps.

Or take the easier and more secure approach by developing a containerization solution that securely isolates corporate email, files and applications apart from personal data and applications on the same device.

An effective mobile security solution will allow an organization to control, secure and maintain all of its sensitive work-related information through policy enforcement on mobile devices, including smartphones, tablets, laptops and other endpoints. When using only company-owned devices companies can configure policies and push them out to managed devices, deploy or restrict and update applications, and optimize performance. They will also be able to enforce policies such as MFA and monitor behaviors and critical data for signs of compromise. But all of this comes with significant impacts on both budgets and resources needed to buy devices, data plans and expending resources to install and configure multiple solutions from multiple vendors while enforcing utilization policies to sometimes defiant employees.

The more cost-effective approach is using containerization to secure the enablement of BYOD. This offers the IT/Security teams the most secure way of protecting company data, customer information and corporate IP while also offering the employees the personal privacy they demand while using their devices for hours or for non-work purposes. The best containerization solutions will include email, secure browser, file share solutions, messaging, GPS location, camera/image and other applications all within one unified, single download container that encrypts the data on the device and while being sent/received to and from the device – all without requiring an intrusive MDM management profile be installed on the employee’s personal device.

As the proliferation of mobile devices continues, the threat against those devices will likely become even more serious. Companies need to take a hard look at their mobile device architecture and policies and focus on improving security for both employees and the enterprise. It’s an essential part of protecting against costly data breaches and ensuring continuity in business operations.