Hidden Mobile App Vulnerabilities
Mobile security threats from cyber actors are on the rise. These actors are aware of security flaws in the mobile app realm and crack devices through a variety of methods. A successful attack gives the attacker access to confidential information. These attacks target Wi-Fi networks, hardware, operating systems, and applications. In addition, 18% of applications do not restrict the number of authentication attempts for signing in.
Furthermore, the attacker can use any data obtained for malicious ends. If that happens, things escalate quickly for the victim. Typically, by the time an attack has been identified it is already too late to protect yourself: the cyber actor has already gained access to your account numbers, passwords, social security numbers, media, contacts, and other valuable data.
Above all, mobile users should learn how to use their phone’s security features to secure their data. Certain companies offer security features such as Secure Folder (Samsung) and Knox (iOS), which integrate keychain applications. Developers, for their part, should follow a few rules to help prevent data leaks. The vulnerabilities in question range from exposing a user’s data to bugs that can grant admin access to hackers.
Prior to installing an application, be mindful of its terms of service. The terms of service describe the conditions that apply between a person and a service. It is also important to ensure that only trusted apps have permissions enabled, since data can be collected from voice, messages, the camera, location, or other applications. The following sections are aimed at helping developers understand mobile security threats.
Mobile Vulnerabilities Aimed at Users
The most common motive for attacking mobile devices is to obtain money from users. The following are examples of hacking crimes and their purposes.
- Hidden mining: The mining of cryptocurrency on a device without the user’s approval by infecting the device with malware.
- Cyber extortion: Commonly involves threatening a user with harm unless the user grants the attacker’s monetary demand.
- Data theft for resale: User data is acquired and then distributed to a third-party for profit.
- Industrial espionage: When hackers target a corporation with the intent to steal trade secrets, spy, or obtain employee identity information.
Types of Mobile Threats
The threats that reach mobile users can be classified into categories such as application-based, web-based, network, and physical. An application-based threat is a malicious application disguised as a legitimate app. This has recently occurred with fake replicas of popular applications such as Spotify, FaceApp, and Call of Duty, which were presented to users with an official-looking appearance.
Web-based attacks reach the user via browser exploits, drive-by downloads and phishing scams. Network attacks exploit the multiple network interfaces a phone has, for example by spoofing an access point or gaining access via Bluetooth. Lastly, physical attacks are also important to note. When a phone is lost or stolen, the lost hardware isn’t the only issue to worry about: the data on it might be accessible, so it is in your best interest to have proper rules on how to handle a lost or stolen phone.
Types of Mobile App Data that can be Attacked
The following are examples of mobile data that attackers can monitor and intercept:
- Messaging (SMS and email)
- Audio (Calls and open microphone recording)
- Video (Still and full-motion)
- Contact list
- Call history
- Browsing history
- Data files
The following kinds of malware are commonly used to capture that data:
- Virus / Trojan: Malware that can do a number of different things depending on its intent, usually inserted into an attractive application that the user installs.
- Spyware: Privately collects information about a user and then distributes the data to a third party.
- SMS worm: A worm transmitted via SMS or MMS; similar to spyware, but it does not require user interaction.
- Browser exploits: Exploit the browser and applications that run within it, such as PDF readers.
Undoubtedly, as demand for online shopping, banking, and gaming rises amidst the COVID-19 pandemic, the need to stay secure is growing. Cyber actors are not taking any breaks, and continue to deploy attacks in hopes of capturing private data. Above all, vigilance is key to stopping attacks in their tracks. Another attack that has been on the rise recently is web skimming: blocked web skimming attacks increased by 26% from February to March of this year, compared with an increase of only 2.5% at the beginning of the year (Malwarebytes).
According to a survey of mobile users, “43% of the respondents use their mobile phones for online shopping” (Daily Wireless, 2020).
Mobile threats tend to fall into multiple categories. Sometimes a browser popup leads to an application download, and the user falls victim without considering that the application might be malicious. Android does warn the user that turning on unknown sources is at their own risk; however, one cannot assume all users will follow the rules.
OWASP Top 10 Mobile App Threats
The OWASP Mobile Top 10 app threats are listed below:
- Activity monitoring and data retrieval
- Unauthorized dialing, SMS, and payments
- Unauthorized network connectivity (exfiltration or command & control)
- UI Impersonation
- System modification (rootkit, APN proxy config)
- Logic or Time bomb
- Sensitive data leakage (inadvertent or side channel)
- Unsafe sensitive data storage
- Unsafe sensitive data transmission
- Hardcoded password/keys
Tips to Identify Illegitimate Mobile Apps
Preventive Measures and Spotting Malware
- Backup and encrypt data
- Use an antivirus to scan installed and new apps periodically
- Don’t open file types that are unusual
- Check app ratings in the store
- Scan attachments before opening
- Avoid installing applications from unknown sources
- Validate app permissions for trusted sources only
- Don’t download apps from third-party sources
If you have not been following the tips above, here are some additional tips to detect illegitimate applications that might already be installed.
Fighting Mobile Vulnerabilities
- Verify mobile applications with the Google Play Store or Apple App Store.
- Review any unusual data usage per application.
- Show hidden apps and uninstall them (the steps differ for Android and iPhone).
- Factory reset the device (this should be the last resort).
Once this information is accessed it is usually extracted or exported immediately without the victim’s knowledge. Moreover, since there is virtually no evidence, many cyber criminals get away with these attacks. It is not as easy as reviewing a video recording from the scene of the crime or dusting for prints. Solving a cyber crime requires vast expertise, and even then it can be difficult to trace. Generally, no footprints are left behind, so it is best to avoid falling into a trap in the first place.
Overall, the security vulnerabilities we face can seem impossible to avoid; however, there are plenty of solutions for securing our information from cyber attacks.
Think about the number of times we are asked to log into a device on any given day, and how many times we reuse the same password across multiple accounts. This creates mobile security threats that span all your devices, platforms, and services: one compromised credential puts the rest at risk of being cracked. To avoid this scenario, use 2FA when available and choose a password with a mixture of letters, numbers, and special characters that is at least 8 characters in length.
Furthermore, keep your work separate from your personal activities on your mobile device. This protects both you and the organization you work for if either falls victim to a cyber attack. Equally important are regular software updates, which keep your applications current with the latest available security fixes. Maintaining a security standard for consumer use is an ongoing responsibility that should be integrated into daily practice. The Open Web Application Security Project (OWASP) has developed the Mobile Application Security Verification Standard (MASVS) to establish security guidelines in the field of mobile app security. If interested in MASVS, you can access the Gitbook to learn more.
Conclusion: Mobile Security Threats
To conclude, it is critical that these safety protocols are followed by both developers and customers to address mobile security threats. So far through the COVID-19 pandemic, the volume of cyber attacks has skyrocketed. To keep safe from scammers and cyber attackers, verify the legitimacy not only of apps, but also of web pages and any calls you receive. Research unfamiliar, dubious sources and keep your guard up to ensure you are as secure as possible. As a developer, the MASVS should be your starting point for managing anticipated vulnerabilities in mobile applications.
Praetorian Secure offers Application Security and Security Testing services to help secure your applications. Our security experts are equipped with the knowledge to shield you from mobile security threats. Related cyber security services Praetorian Secure offers:
- Fuzz Testing
- Penetration Testing
- Static and dynamic testing
Disclaimer: Although our advice may be useful, this information is not intended to be foolproof against hackers. Be mindful of the data you receive from any of the links provided throughout our blog; we are not responsible for the accuracy of their content. You should always consult a security analyst if you have any doubts.
Williams, Jake, et al. “[SANS Webcast] Hitting the Silent Alarm on Banking Trojans.” VMRay, 18 Mar. 2020, www.vmray.com/cyber-security-blog/resource/sans-webcast-recording-banking-trojans/
Segura, Jérôme. “Online Credit Card Skimming Increased by 26 Percent in March.” Malwarebytes Labs, 9 Apr. 2020, blog.malwarebytes.com/cybercrime/2020/04/online-credit-card-skimming-increases-by-26-in-march/
“Hackers Using Hidden Mobile Apps and Unique Distribution Methods to Target Consumers.” Help Net Security, 6 Mar. 2020, www.helpnetsecurity.com/2020/03/06/hackers-target-consumers/
Mueller, Bernhard. “OWASP Mobile Security Testing Guide.” OWASP, 2020, owasp.org/www-project-mobile-security-testing-guide/
Miller, Maggie. “FBI Warns Hackers Are Targeting Mobile Banking Apps.” The Hill, 10 June 2020, thehill.com/policy/cybersecurity/502148-fbi-warns-hackers-are-targeting-mobile-banking-apps
Lake, Josh. “What Is TLS Encryption and How Does It Work?” Comparitech, 25 Feb. 2019, www.comparitech.com/blog/information-security/tls-encryption/
Stephenson, Brad. “Easy Ways to Find Hidden Apps on Android Phones.” Lifewire, 26 Mar. 2020, www.lifewire.com/find-hidden-apps-on-android-phones-4178932
Pensworth, Luke. “2020 Internet Statistics Trends & Data.” Daily Wireless, 7 Mar. 2020, dailywireless.org/internet/usage-statistics/