Attacks on Smartphones Increasing

By:  |  Category: Blog, Security Thursday, March 8th, 2018  |  No Comments

In a contest to see “who knows you best” between your mother and your smartphone, I’m betting your smartphone will win.

Let’s be honest, your smartphone knows you deeply. It records every person you talk to and what you’ve said to them. It holds your family photos, your pet’s pictures, your passwords and more. Even good old mom doesn’t know those ALL YOUR secrets.

Unfortunately, a smartphone to attackers equals a digital passport to access everything they would need to know about a person to exploit them. This is why attacks on smartphones are increasing at an alarming rate, security researchers note.

At the Kaspersky Security Analyst Summit in Mexico, Andrew Blaich, a researcher from mobile security company Lookout, and Eva Galperin, the cybersecurity director from the Electronic Frontier Foundation, presented their findings about Dark Caracal, a global malware campaign targeting mobile devices that’s infected thousands of people in more than 20 countries.

The attack campaign, tracked to a building in Beirut belonging to the Lebanese General Security Directorate, used nearly identical versions of real apps and tricked thousands of people to install it. Once it was on their phones, the attackers had access to everything.

The attack was massive, but it’s the tip of the iceberg of what’s to come, researchers suggest. In the past, PCs were always known as the most prone devices to hacks. But, no more. Attacks on mobile devices are getting easier, they yield a bigger reward and people are using smartphones much more than they use their computers. It’s a no-brainer for a hacker.

“Getting a look into someone’s personal device is tremendously personal, it’s like getting a look into their mind,” Galperin said.

Easy Access
The Dark Caracal attack focused on personal information and it used simple social engineering to carry out its spread. The malware, which allowed attackers to take photos, find your location and record audio, spread by disguising itself as messaging apps like Signal and WhatsApp.

It wasn’t an exploit that allowed Dark Caracal to do all those things — it was the victim. The Trojan app would ask for permissions like any other app would, and to the unsuspecting eye, they wouldn’t see anything wrong with the request.

It’s normal for apps like Instagram and Facebook to ask for permission to take photos, use your location and record audio. If a person was downloading malware that he or she believed was a real version of an app, these permissions wouldn’t set off any alarms.

While Google and Apple’s security patches can block the latest vulnerabilities, they can’t stop you from getting duped. Malware hitting mobile devices isn’t exploiting a code’s vulnerabilities, it’s exploiting a person’s vulnerabilities.

“Instead of spending effort and time in researching exploit codes, they just take advantage of an overly permissive app,” Blaich said. “The barrier to entry for surveillance ware can be lowered if you’re not trying to use vulnerabilities.”

While Google and Apple’s app stores are fairly protective against malware popping up in its marketplace, it’s a different story for third-party stores. That’s how Dark Caracal was able to spread, Blaich said.

The fake apps advertised themselves on a website called “Secure Android,” telling people its version of WhatsApp and Signal were more secure than the original apps. Attackers advertised the page in groups for activists and journalists, because it was trying to spy on them.

While the best advice to prevent mobile malware is to never side-load an app, certain apps may not be available outside of the US. The Google Play store, for example, doesn’t work in China, where there were 386 million active Android users in 2014.

Keep Your Phone Updated
Apple and Google have done extensive work to make their mobile operating systems more secure. Apple’s Secure Enclave and encryption has protected data so well that the FBI was willing to pay $900,000 to unlock the San Bernardino terrorist’s phone.

Google has improved its app security and patching system with Project Treble and Play Protect. But given how infrequently some of these updates actually get to the phone, it isn’t enough. On Feb. 28, the Federal Trade Commission released a report that mobile devices haven’t been getting the security updates they need efficiently enough. The commission received information from Apple, Google, Microsoft, Samsung, Motorola, LG, HTC and BlackBerry on their security patching process, and the results weren’t great.

“Some devices didn’t get any updates at all. The support ranges from absolutely nothing to three or more years of support,” said Elisa Jillson, staff attorney for FTC’s privacy and identity protection.

The problem is that security updates are often bundled with broader software updates, meaning that some devices never get patched, while others may have to wait months for it. The FTC recommended separating them, with more frequent patches for devices. Google’s Project Treble already does this.

Before Treble, security updates for Google only came to devices using recent versions of Android. Up to 42 percent of Android users don’t have the latest version, and with 2 billion active Android users around the world, that’s 846 million devices exposed to potential malware.

“The majority of victims do not get compromised by zero-days,” Galperin said. “They get compromised by vulnerabilities that have already been disclosed they have not yet patched.”

As security experts continue to see the rise in mobile attacks, it’ll soon surpass the amount of attacks focused on your computers, Blaich said.

During the Dark Carcal campaign, Lookout and the EFF noticed there was a separate attack targeting Windows computers. It dwarfed in comparison to how many mobile devices were infected.

“This is a known problem, that updates aren’t getting to devices, so there’s an open window to any would-be hacker,” Jillson said.

If you need assistance with your business cybersecurity services give EnhancedTECH a call at 714-970-9330 or contact us at [email protected]

Sources: CNET

Image Source: https://pixabay.com/photos/telephone-mobile-call-samsung-586266/

Leave a Comment
Read previous post:
New Cyber Threat Report

"Make no mistake, we are in a global cyber arms race. But it can’t be won alone: we are in...