Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Protecting Users and Enterprises from the Mobile Malware Threat - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Protecting Users and Enterprises from the Mobile Malware Threat

With recent news of mobile malicious adware that "roots" smartphones, attention is again being paid to mobile security and the malware threat that is posed to it. While mobile ransomware is also a pervasive and growing threat, there are mobile RATs (such as JSocket and OmniRAT) that are also able to take full remote control of mobile devices.  Some of the functionality of those tolls includes the ability to use the microphone to listen in on victims and to view whatever is in front of the camera while the unsuspected victims goes about their day.

It's important to realize that mobile malware, in essence, is just a question of apps.  Even in the adware "rooting" apps above, it all still begins with installing an application which means there are some defined ways users and enterprises can protect themselves.  The other danger is that most of the time, these devices are on the cellular network so they operate outside all of the network protective technologies an enterprise has to detect, if not prevent, compromise.  Here is a quick list of what users and enterprises can do. 

For users:

  • Never install applications outside of the mobile "app" stores (i.e. Google Play, Apple's App Store)
  • Ensure that smartphones are set to NOT install apps from unverified sources
  • Do NOT root/jailbreak your phones as this removes a great deal of the security features
  • Observe what permissions applications are requesting on install and reject those that want the Christmas Tree list of permissions (i.e. all of them)
  • Install a mobile anti-malware solution of your choosing

For enterprises:

  • For phones under your control, ensure all the above are set and are unmodifiable by the end-user
  • Provide users in sensitive positions a corporate provided phone so that you can do the above and restrict sensitive information to the corporate phone
  • Provide a BYOD network for personal mobile devices and monitor that network for indicators of compromise and respond accordingly.  Encourage users to use that network.

What else would you add to this list?

--
John Bambenek
bambenek\at\ gmail /dot/ com
Fidelis Cybersecurity

John

239 Posts
ISC Handler
This underscores the necessity of 2FA. If even (especially?) an employee's personal mobile device can get p0wned, then the corporate credentials may be up for grabs.

2FA helps limit this scope--the attacker may have email access, but not VDI/remote. This could be improved, but enterprise apps have not caught up with the rest of the ecosystem. Many 2FA implementations geared toward the non-enterprise space let the individual assign a generated application-specific password to their device. It only works on that one device while requiring 2FA elsewhere.

I’m unaware of any enterprise equivalent.
Anonymous

Posts
Your 'security hints' are really, really misleading. Particularly your hint not to root the smartphone will increase security only in such cases, that the smartphone is safe and security hardened from the condition as supplied to customer on.

The standard for smartphones, at least under android is, that they come with an obsolete operation system, that they come with rarely useful, but often buggy and insecure-by-design Apps, that these Apps can't be uninstalled by the user, and that the phone will see security updates rarely (if any).

I don't talk about phones from obscure producers or providers, but from companies with 'high' reputation as, e. g., Samsung or Deutsche Telekom.

The first step to harden such a phone is to root it. And than install a fresh, well maintained operating system like e. g. CyanogenMod.

Also your hint to 'never install applications outside of the mobile "app" stores' is misleading. To be able to install from Googles appstore, you must install several services on your phone, which deeply integrate with the operating system. Even if I can't name current bugs in these services, from a security point of view services with such a behaviour should be avoided as far as possible.

I personally have higher trust to the apps from F-Droid than to the Google appstore - and to install from F-Droid there is no need to exploit my privacy and endanger my smartphones security by installing any os-integrated services.

And that 'mobile anti-malware solution'... Can you name any such 'solution', which has any security advantage over not installing such snakeoil?
Anonymous

Posts
Your suggestions are great for an organization that has only experts who own and use their 'smart phones', however that is rarely the case now. People won't take their device that they use for personal communication and 'improve' it by installing some source which they have no direct support available. IMO - Not gonna happen nor should it.
TexISO

19 Posts Posts

Sign Up for Free or Log In to start participating in the conversation!