Mobiles top target of nation state surveillance

Nation states are targeting individual mobile users for intelligence gathering and disruption of rivals as security on mobile devices lags behind traditional computing, a report reveals

Cyber threat groups operating from China, Russia, North Korea and Pakistan, and widespread political activist groups are increasingly targeting mobile devices, a report shows.

Mobile malware running on the Android operating system is most prevalent, driven by the ease of installing new applications from third-party sources, according to the latest mobile malware threat report by cyber security firm CrowdStrike.

Cyber attackers are using the experience they have developed over years of compromising desktop computers, and now are applying it to mobile platforms, the report said, noting that the fact that mobile security is still lagging behind traditional platforms is leading to longer potential attacker dwell times on compromised mobile devices and greater access to sensitive data.

“While desktop computing has benefited from years of development in commercial and open-source malware research and detection, the current state of defensive technology in the mobile space is less mature. Although mobile malware is researched by the security community, detection methodologies that can be employed by the user – such as antivirus monitoring – are currently more limited in comparison,” the report said.

In addition, the report notes that the targeting of mobile platforms is increasingly being adopted by a broad range of criminal and targeted adversary groups.

While some state-aligned actors may seek to establish long-term persistence on a device to gather intelligence on a target over a period of time, the report said criminally minded groups develop malware to intercept banking credentials to provide a quick route to financial gain.

CrowdStrike researchers predict that malware targeting mobile banking is likely to remain prolific due to the popularity of mobile banking and support from an underground industry of developers operating mobile malware-as-a-service subscription models to complement their desktop offerings.

The latest versions of banking malware, the report said, have been found to be using increasingly sophisticated techniques to capture legitimate user credentials to take over accounts and two-factor authentication tokens to bypass security measures.

As with other classes of criminal malware, the report said the concept of ransomware has been replicated in the mobile environment.

While some mobile ransomware families attempt a file encryption process similar to desktop versions, it is more common for mobile ransomware authors to “lock” the device until the victim has paid for an access code.

Mobile ransomware is often distributed through dropper Trojans that can be used to package up standard ransomware code in large numbers of malicious application files uploaded to app stores in order to infect the maximum number of victims. This makes detection via traditional antivirus mechanisms more challenging, the report said, because these files need to be inspected thoroughly to determine their true purpose.

In general, the report said remote access Trojans (RATs) represent the most comprehensive threat to mobile devices due to their broad functionality and extensibility.


RATs typically enable extensive access to data from infected victim devices and are often used for intelligence collection, the report said, noting that the data that is retrievable using mobile RATs often exceeds the fidelity that could be obtained using traditional RATs targeting desktop computers.

This is primarily due to the easy access to hardware that is standard on most modern mobile devices, such as microphones, cameras, and GPS (global positioning system) chipsets.

The report highlights phishing-enabled distribution as a popular method for coercing users into installing malicious applications by sending them links to Android Package Kit (APK) files hosted on attacker-controlled websites by text or email.

This method has been used by operators of the banking Trojan Exobot to distribute links to the fake mobile banking app that enables credential stealing on infected devices, while a new version of the MoqHao malware was recently distributed using text spam messages, the report said.

Android users were prompted to install a malicious APK from an actor-controlled website. The malware then harvested information by collecting text messages and audio.

A different approach was used for iOS devices that allow applications to be installed only from the official Apple App Store. Instead of deploying malware to the device, the users were shown a phishing page that profiled their devices and attempted to obtain Apple ID credentials.
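The two lure shapes described above (a text or email link to an APK hosted on an attacker-controlled site, and a page imitating an Apple ID login) can both be spotted at the messaging gateway before a user taps the link. The script below is an added example for this article, not code from CrowdStrike or the report: it parses a constructed SMS/e-mail gateway log, extracts every URL, and flags direct APK downloads from hosts outside an assumed trusted-store list as well as brand-lookalike hosts. The log format, the trusted-host list, the brand-domain list and the sample lines are all assumptions made for the example.

```python
"""Flag mobile-phishing lures in SMS / e-mail gateway logs (added example).

Two lure shapes from the report are covered:
  * a link to an Android APK served from a non-store host (sideload lure);
  * a link whose host or path invokes a brand (here: Apple) without being one
    of that brand's real domains (credential-phishing lookalike).
"""
import re
from urllib.parse import urlparse

# Assumption: an organisation would populate this from its MDM / app-store
# policy. These entries are illustrative only.
TRUSTED_APP_HOSTS = {"play.google.com", "apps.apple.com"}

# Assumption: legitimate domains of the brand being imitated, maintained by the
# security team. Only one brand is listed to keep the example short.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed log format: <ts> <sms|mail> from=<src> to=<dst> body="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<chan>sms|mail) from=(?P<src>\S+) to=(?P<dst>\S+) '
    r'body="(?P<body>.*)"$'
)

# Constructed sample gateway lines (not real traffic).
SAMPLE_LOG = """\
2023-05-02T09:14:03Z sms from=+1555010001 to=+1555020002 body="Your package is waiting: http://tracking-update.example/app/postal.apk"
2023-05-02T09:15:40Z mail from=alerts@bank.example to=user@corp.example body="Install our app: https://play.google.com/store/apps/details?id=com.bank.app"
2023-05-02T09:17:22Z sms from=+1555010003 to=+1555020002 body="Your Apple ID has been locked. Verify now: https://appleid-verify.example/login"
2023-05-02T09:18:01Z mail from=it@corp.example to=user@corp.example body="Reset at https://appleid.apple.com/ if needed"
2023-05-02T09:19:30Z sms from=+1555010004 to=+1555020005 body="Meeting notes: https://docs.corp.example/notes"
"""


def host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one of them."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url):
    """Return a verdict string for a suspicious URL, or None if nothing matched."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    # Direct APK download from somewhere other than a trusted store.
    if path.endswith(".apk") and not host_matches(host, TRUSTED_APP_HOSTS):
        return "apk_sideload_lure"

    # Brand keyword in host or path, but the host is not the brand's own domain.
    for brand, domains in BRAND_DOMAINS.items():
        if (brand in host or brand in path) and not host_matches(host, domains):
            return f"{brand}_lookalike_phish"
    return None


def scan_log(text):
    """Parse gateway log lines and return one finding per flagged URL."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        for url in URL_RE.findall(m["body"]):
            verdict = classify_url(url)
            if verdict:
                findings.append({
                    "ts": m["ts"], "channel": m["chan"], "src": m["src"],
                    "dst": m["dst"], "url": url, "verdict": verdict,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['channel']} {f['src']} -> {f['dst']}: "
              f"{f['verdict']} ({f['url']})")
```

Run against the constructed log it reports two findings: the postal-tracking APK from a non-store host and the Apple ID lookalike, while the genuine Play Store and appleid.apple.com links pass. The brand check is a keyword heuristic and will also fire on unrelated hosts that happen to contain the word, so in practice the verdict feeds a review queue rather than blocking outright.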

An ever-increasing scrutiny of desktop machines by security products, the report said, is likely to lead to further investment in the development of mobile RATs, particularly by targeted threat actors who seek to maintain access to their victims for extended periods of time.

Consequently, CrowdStrike researchers expect to see further porting of traditional targeted malware families to mobile platforms to aid the intelligence-gathering process, particularly by actors who require tracking their victim’s physical location via GPS telemetry, or who focus on specific geographic regions.

State actors are also expected to invest in the creation of mobile malware in the face of increased adoption of encrypted network communications across email, web, and messaging services.

CrowdStrike recommendations for securing mobile devices connecting to sensitive corporate data:

  • Download applications only from trusted sources such as official app stores because the majority of mobile malware is distributed from third-party sources that do not perform comprehensive checks of the applications they provide.
  • Be vigilant about phishing messages, via text and email, that prompt recipients to install applications from untrusted sources.
  • Apply security patches regularly to mobile operating systems and installed applications because flaws in operating system software can be exploited by malicious actors to install mobile malware and escalate operating privileges to obtain greater access to data and capabilities on the device.
  • Establish solid mobile device management (MDM) processes that protect against mobile malware by restricting which applications can be installed and allowing for the automatic deployment of security patches.
  • Evaluate mobile endpoint detection and response systems to eliminate blind spots that lead to breaches.
