eLearnSecurity Blog

Mobile Application Malware: Threat to Companies

As smartphone usage rises globally, so does the number of hackers who find ways to penetrate these mobile devices and gain access to the confidential information stored on them. Bank accounts, photos, and passwords, to name a few, are easily accessible once malware has infiltrated the mobile device. Companies should beware.

“If employees use their phone for both work and private use, once they download applications containing malware, the sensitive information is already at risk,” said Francesco Stillavato, IT Security Researcher and Instructor. “Employees that connect their smartphones to their computer network to transfer documents expose the malware to the whole company network, which can produce catastrophic results.”

Malware Disguising as Mobile Apps


Android Malware photo from Bluebox

Recently, the Fake ID malware put the financial and personal data of users on Android mobile systems at risk by impersonating trusted applications without any user notification. Bluebox, a mobile security company, discovered this security hole and reported it to Google. A patch has been issued and distributed, but it’s alarming to know that this Fake ID vulnerability dates back to 2010, when Google came out with its Android 2.1 mobile operating system.

Another piece of Android malware, SandroRAT, is disguised as a free anti-virus security mobile app. This malware is delivered via phishing emails that pose as a banking company and ask unsuspecting recipients to download the FREE anti-virus program. The malicious code could easily steal your contact lists, your browser history (which includes the banking sites you have opened) and your stored GPS location.

The most commonly used technique to gain access is to create fake applications and upload them to a mobile platform store, such as Google Play or Apple store. Once downloaded, the application tries to gather as much information as it can and to grant remote access to the attacker.

On the other hand, attackers may also exploit vulnerabilities in applications such as the mobile web browser. This is something that we have already seen in desktop environments.

We should also not underestimate how susceptible mobile devices are to loss or theft. Attackers who can get their hands on the device have access to almost all our information.


When talking about mobile security in a company, there are two terms you have probably heard: MDM (Mobile Device Management) and BYOD (Bring Your Own Device).

MDM refers to software, configuration or applications that give management control over mobile devices. This allows the company to remotely wipe or lock the device. BYOD, on the other hand, refers to policies that permit or restrict the use of mobile devices in the company workplace.

A company can protect itself by implementing secure configurations, such as Network Access Control, VPN and so on. On top of this, it is very important for a company to educate its personnel through security awareness training and constant reminders about information safety in the workplace.

Mobile Security Guidelines

Most of the security guidelines used in the desktop environment still apply to mobile platforms. There are many resources available online such as courses, books, guidelines, and projects (OWASP Mobile) that can help developers improve their security programming skills. Moreover, knowing how to attack and exploit mobile applications will surely help you understand how to defend them. It is recommended to go over a security course in order to test the application's security once it is complete.

The initial targets of this malware are the end users. It is how end users utilize their mobile devices in the company they work for that triggers a more damaging effect. When there’s a security breach, it can take a year or more for the business to go back to regular operation. By that time, depending on the company, millions or billions may have already been lost.

Francesco Stillavato is a Senior IT Security researcher and instructor at eLearnSecurity with 6 years of experience in different aspects of Information Security. His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelancer.

Twitter: https://twitter.com/litsnarf
LinkedIn: https://www.linkedin.com/in/stillavatofrancesco
