Understanding app threats

App threats are specific applications created to steal information, damage a device, or provide unauthorized remote access for the purposes of surveillance and monitoring of a target.

Common examples include legitimate applications that have been trojanized or injected with malicious code, malware that gets on the device through exploitation or careless user permission, or abusive apps with masked intent.

Over the fourth quarter of 2016 and first quarter of 2017, 47 in 1,000 of Android enterprise devices protected by Lookout encountered app-based threats.

Understanding device threats

Device threats have significant potential to cause catastrophic data loss because they break through a device's app sandbox and embed themselves deep in the operating system to achieve heightened permissions for the attacker.

The Pegasus spyware is the most relevant example of a targeted, low prevalence, high impact threat. This device threat exists on both iOS and Android and is capable of activating a phone’s cameras and microphone to snoop on conversations around the device. It can also track a victim’s movements and steal messages from end-to-end encrypted chat clients.

Critically, Pegasus only requires a victim to visit a malicious web page and does not need the targeted individual to install an app to activate.

Looking at a subset of our active Android users over the past year, 1 in 100 devices encountered a rooting Trojan.

Understanding network threats

Network threats are specific attacks that occur over the network connection of a mobile device.

These attacks can be executed directly by human threat actors or through malware using automated means. For most mobile devices, these attacks would occur over Wi-Fi or the cellular network.

Attack examples include Man in the Middle (MitM) attacks, certificate impersonation, SSL/TLS stripping, and SSL/TLS cipher suite downgrades.

Over the last year, fewer than 10 in 1000 (.8%) enterprise devices encountered a man-in-the-middle threat.

Understanding web & content threats

Phishing attacks containing URLs that lead to malicious websites are significantly more likely to be tapped on a mobile device than they are to be clicked on a desktop PC.

Examples of web-based threats include malicious web pages that can cause downloads or directly exploit a device. Malicious URLs are most commonly delivered via phishing emails or SMS messages.

1 in 10 devices in our personal network have visited a phishing URL in the past year.

Understanding app vulnerabilities

Mobile apps have vulnerabilities just as PC software does, but vulnerabilities are a significantly bigger problem on mobile because most mobile apps are selected by end-users and are more likely to be built by small teams of developers. PC applications on the other hand, are more likely to be vetted by IT and developed by large software companies.

The significance of this risk is confirmed in the OWASP Mobile Top 10 report from 2016 which calls out, “Poor Code Quality” as one of the top ten risks, with a prevalence rating of “common.”

Examples of mobile app vulnerabilities can include errors in parsing code that allow maliciously formed input to cause remote code execution and takeover of the application.

Lookout Security Intelligence researchers have performed in-depth analysis on numerous popular Android and iOS business applications and identified a diverse range of vulnerabilities that would allow adversaries to compromise the information a user viewed in an app, the victim’s cloud service account, and all information tied to that account.

Understanding device vulnerabilities

Mobile device vulnerabilities are defined by the growing universe of known vulnerabilities. Every month both Google and Apple release a security bulletin detailing the increasing number of patches for new device vulnerabilities during the previous month. Nearly every "software update" notification contains security updates to patch new vulnerabilities.

Vulnerabilities that are not found first by the security community can lead to zero-days that are then exploited by professional espionage organizations like what the NSO Group did with the Trident vulnerabilities and Pegasus spyware originally discovered by Lookout.

Enterprises can measure risk from device vulnerabilities by tracking their “vulnerability window,” or amount of time it takes from the release of a new patch to full adoption of that update in their mobile fleet. Generally, mobility programs based on BYOD tend to have a longer window than COPE and Android-heavy device fleets are longer than iOS. For example, iOS 10 has reached over 90% adoption in just 8 months.

Across our personal network as of April 14, 2017:

Just 43% of our users have updated their iOS operating systems above 10.3.

Understanding network vulnerabilities

Mobile network vulnerabilities are based on exploitable software or hardware flaws/errors in the network interfaces of the device or its applications that make a mobile device vulnerable to a network. An example is the Heartbleed SSL vulnerability and OS network driver flaws that allow remote code execution.

In a recent talk from Black Hat Asia, researchers showed how to, "exploit an iOS device remotely via Wi-Fi without any user interaction, completely bypassing the iOS sandbox." Even more recently, Apple issued iOS patch 10.3.1 to correct a code execution flaw that could be exploited via Wi-Fi. This vulnerability could, "allow an attacker within range of a vulnerable device to exploit a stack buffer overflow flaw in iOS and would allow arbitrary code execution on the Wi-Fi."

The bottom line for enterprises is that there is a risk from mobile network vulnerabilities, primarily from public Wi-Fi (though is not a requirement for some exploits).

As of April 14th 2017, 57% of Lookout Personal iOS users do not have latest Wi-Fi patch (based on Personal iOS OS update numbers).

Understanding web & content vulnerabilities

The best way to understand web and content vulnerabilities is that any malformed content, including web pages, videos, and photos, can trigger specific vulnerabilities to exploit targeted application or OS/system level components to gain unauthorized access to a device.

The most widely known example is Stagefright, a web vulnerability exploited by an .MP3 or .MP4 video file to access the media processing libraries of Android that could lead to exploitation over any number of vectors such as MMS messaging or through arbitrary channels like file downloads over the web where various media files will be processed.

Another example is the web browser vulnerability in the case of Trident that exploited Safari in iOS to deliver the Pegasus spyware payload.

Mobile exploits also tend to rely on end users that are undereducated on mobile security to tap the malicious emails or MMS messages that exploit web vulnerabilities.

Another example is the web browser vulnerability in the case of Trident that exploited Safari in iOS to deliver the Pegasus spyware payload.

Understanding app behaviors & configurations

App behaviors and configurations have the potential to lead to leakage of enterprise data to which the insecure application has access. Data leakage, in addition to having a high impact to the enterprise itself, can also pose a significant regulatory compliance risk. Examples include applications that both access sensitive enterprise data and public cloud based storage services that are not under enterprise control, or applications that would have access to data with compliance requirements such as credit cards or records with personally identifiable information without adequate protections in their use, transmission, and storage.

of all apps access contacts across enterprise iOS devices protected by Lookout.

Understanding device behaviors & configurations

Risks from device behaviors and configurations can come from employees using jailbroken or rooted mobile devices or be as simple as not enabling a passcode on the device.

Other examples of device configuration risks include enabling USB debugging for Android, installing apps from non-official app stores, and certain options set by enterprise configuration profiles on iOS.

1 in 1000 of our enterprise protected iOS devices are jailbroken.

5 in 1000 of our enterprise protected Android devices are rooted.

Understanding network behaviors & configurations

Network risks associated with behaviors and configurations are best highlighted by the example of employees using public Wi-Fi. The more "promiscuous" end-users are with connecting to public Wi-Fi, the greater the risk to enterprise data. Taking advantage of "free" Wi-Fi in airports, hotels, or coffee shops, can easily lead to a connection to non-SSL websites, which means, for example, not being encrypted when logging into mobile banking.

Traveling employees may be rushing and may never know if they connect to a malicious Wi-Fi network, unknown captive portal, or a network that decrypts traffic for content filtering.

As with many of the mobile spectrum of risk components, users not being aware and not taking proper care of how they use mobile devices can lead to significant enterprise data leakage.

According to LinkNYC data, between February 2016 and February 2017, 1,256,450 unique devices connected to the city’s free Wi-Fi network, approximately one for every seven New Yorkers.

Understanding web & content behaviors & configurations

Risks linked to behaviors and configurations around web and content can be summed up by an action enterprise employees do regularly: opening email attachments from unknown people or clicking links in SMS messages or other messaging apps.

Those attachments and messages may contain any type of content, but tend to be media files that - when accessed - expose the organization to unacceptable risk with the potential to exploit a vulnerability or endanger compliance.

The most common examples include visiting websites that don’t encrypt credentials, or leak enterprise data.