If there were any doubts that mobile phones are a rat’s nest of security vulnerabilities, a scary new paper from researchers at Georgia Tech and Ohio State University, presented at the 28th USENIX Security Symposium in Santa Clara last week, should lay them firmly to rest. The paper, titled The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends, opens its abstract with this disturbing finding about mobile security:

Cloud backends provide essential features to the mobile app ecosystem, such as content delivery, ad networks, analytics, and more. Unfortunately, app developers often disregard or have no control over prudent security practices when choosing or managing these services. Our preliminary study of the top 5,000 Google Play Store free apps identified 983 instances of N-day and 655 instances of 0-day vulnerabilities spanning across the software layers (OS, software services, communication, and web apps) of cloud backends. The mobile apps using these cloud backends represent between 1M and 500M installs each and can potentially affect hundreds of thousands of users. Further, due to the widespread use of third-party SDKs, app developers are often unaware of the backends affecting their apps and where to report vulnerabilities.

One of the researchers, Brendan Saltaformaggio, an assistant professor in Georgia Tech’s School of Electrical and Computer Engineering, said:

A lot of people might be surprised to learn that their phone apps are communicating with not just one, but likely tens or even hundreds of servers in the cloud. Users don’t know they are communicating with these servers because only the apps interact with them and they do so in the background. Until now, that has been a blind spot where nobody was looking for vulnerabilities.

By taking control of these machines in the cloud, attackers could gain access to personal data, delete or alter information or even redirect financial transactions to deposit funds in their own accounts.

With funding from the Air Force Research Lab and the National Science Foundation, the researchers built a tool, dubbed SkyWalker, which they say will be released soon, that developers can use to check the cloud backends their apps talk to for such vulnerabilities.
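The first step in any check of this kind, and the one most developers have never done, is simply inventorying which backend hosts an app's code and bundled resources name. The following script is an added example (my own code, not SkyWalker or anything from the paper): it walks an APK as the zip archive it is, pulls http(s) URLs out of the DEX and asset bytes with a plain byte regex (ASCII URL strings appear verbatim inside DEX string data, so no DEX parser is needed for this purpose), and flags hosts that are not under the developer's own domains and hosts contacted over plain HTTP. The APK contents and domain names below are constructed for the example; point `extract_backends` at a real APK's bytes to use it.

```python
import io
import re
import zipfile
from collections import defaultdict

# Scheme and host of any http(s) URL embedded as a plain string in app bytes.
URL_RE = re.compile(rb"(https?)://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

# Archive members worth scanning: compiled code, bundled assets and resources.
def _worth_scanning(name):
    return name.endswith(".dex") or name.startswith(("assets/", "res/"))


def extract_backends(apk_bytes, first_party_domains):
    """Return {hostname: {"first_party": bool, "plain_http": bool, "files": [...]}}.

    first_party_domains lists the domains the developer controls; every other
    host is a third-party backend the developer may not know about.
    """
    found = defaultdict(lambda: {"first_party": False, "plain_http": False, "files": set()})
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not _worth_scanning(name):
                continue
            for m in URL_RE.finditer(zf.read(name)):
                scheme = m.group(1).decode()
                host = m.group(2).decode().lower()
                entry = found[host]
                entry["files"].add(name)
                entry["plain_http"] = entry["plain_http"] or scheme == "http"
                entry["first_party"] = any(
                    host == d or host.endswith("." + d) for d in first_party_domains
                )
    # Freeze the file sets into sorted lists so the result is stable and printable.
    return {
        h: {"first_party": e["first_party"], "plain_http": e["plain_http"],
            "files": sorted(e["files"])}
        for h, e in found.items()
    }


def third_party_hosts(inventory):
    """Hosts the developer does not control: the ones to ask an SDK vendor about."""
    return sorted(h for h, e in inventory.items() if not e["first_party"])


def build_sample_apk():
    """Constructed stand-in for a real APK (hypothetical hosts, not real services)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake classes.dex: URL strings sit between NUL bytes as they would in DEX string data.
        zf.writestr("classes.dex", b"dex\n035\x00"
                    b"https://api.example-app.com/v1/login\x00"
                    b"http://cdn.example-app.com/img\x00"
                    b"https://sdk.ads-vendor.example/track\x00")
        zf.writestr("assets/config.json",
                    b'{"analytics": "https://collect.analytics-vendor.example/events"}')
        zf.writestr("res/raw/notes.txt", b"no urls in here")
    return buf.getvalue()


if __name__ == "__main__":
    inv = extract_backends(build_sample_apk(), ["example-app.com"])
    for host, e in sorted(inv.items()):
        tag = "first-party" if e["first_party"] else "THIRD-PARTY"
        warn = "  (plain HTTP)" if e["plain_http"] else ""
        print(f"{host:40} {tag}{warn}  <- {', '.join(e['files'])}")
```

Run against a real APK this gives a list of backends to put in front of whoever owns them; the third-party entries are exactly the ones the paper says developers usually cannot name, let alone report a vulnerability to.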

The researchers are still investigating whether attackers could get into individual mobile devices connected to vulnerable servers, Saltaformaggio said:

These vulnerabilities affect the servers that are in the cloud, and once an attacker gets on the server, there are many ways they can attack. It’s a whole new question whether or not they can jump from the server to a user’s device, but our preliminary research on that is very concerning.

The mobile threat landscape

The research dovetails with another new report, the Mobile Threat Landscape Report: A Comprehensive Review of 2019 Mobile Malware Trends, from CrowdStrike, the Sunnyvale, Calif.-based cybersecurity company best known for its part in unmasking the Russian hack of the Democratic National Committee in 2016 and for its highly successful IPO in June. The report details how the worldwide adoption of mobile devices in enterprise environments has created major new attack opportunities for hackers of both the cyber-criminal and nation-state variety.

In some places, such as Latin America, mobile devices have surpassed desktop computing as a source for both business and personal use, including email access, as well as banking and authentication, making mobile security an even more urgent issue.

CrowdStrike’s report offers an overview of the key types of malware observed so far in 2019 and the deployment mechanisms adversaries typically use. It also identifies the adversary groups and unaffiliated criminal actors that target mobile devices and how their tactics — and the mobile threat landscape in general — are evolving.

Much like malware families developed for traditional desktop computing platforms, mobile malware can take a variety of forms, depending on the capabilities and motivations of the developer and those deploying the malware. While some state-aligned actors may want to establish long-term persistence on a device to gather intelligence on a target over a period of time, criminal groups are more likely to focus on malware to intercept banking credentials in order to provide a quick route to money.

Some key findings from this report include:

A range of criminal and targeted adversary groups are increasing their attacks on mobile platforms.

Banking continues to be a prime target, supported by an underground of developers operating mobile “malware-as-a-service” subscription models.

Targeted adversary groups continue to develop mobile malware variants, and these development capabilities are proliferating to less-skilled groups.

Mobile malware designed for the Android operating system is the most prevalent – driven by the ease of installing new applications from third-party sources.

Mobile security maturity levels lag behind that of traditional platforms, leading to protracted attacker dwell times on compromised mobile devices.

Shawn Henry, President of CrowdStrike Services and a former FBI Executive Assistant Director, said:

In recent years, customers have realized that the singular point product approach is ineffective in stopping major breaches. You need much more than just a firewall and traditional antivirus to stop the stealthy adversary. All companies that have been breached in recent years have had some sort of firewall and AV. A modern, comprehensive platform solution is necessary to effectively combat cyber threats. Cybersecurity is all about speed. While there is no one silver bullet that truly stops all cyberattacks, we believe strong prevention technology, bolstered by the ability to detect and respond to threats in minutes in cases when the adversary finds a way in, while also monitoring proactively 24/7, is the foundation of modern-day cyber defence. You can only accomplish this by leveraging cloud-native endpoint protection and capacity-building features such as AI, behavioral analytics, and threat hunting.

My take

The news that mobile devices present yet another threat to enterprises that is more serious than previously thought is not likely to cheer up professionals on the frontlines of keeping an organization safe. But, then, it’s a certain form of job security.

CrowdStrike’s first recommendation, to only download apps from “trusted” sources, is probably a good one, but you have to wonder: if you can’t trust the Google Play Store (the place where the academics found all those apps talking to vulnerable backends), who can you trust? Note that the two reports describe different problems: CrowdStrike is counting malicious apps, while the academics found legitimate apps whose cloud backends are exploitable, and no app store vetting catches the latter.