According to the Telecom Regulatory Authority of India (Trai), India is now home to 1.6 billion mobile phone users. For the average Indian, mobile is the only point of entry to the internet. Add to that the 2016 Indian banknote demonetisation, which saw progressive changes in payment behaviour such as increasing adoption of mobile wallets and e-payments in a heavily cash-based economy. With mobile devices having surpassed desktop computing as a source for both business and personal use, including email access, banking and authentication, mobile security becomes an even more pressing issue.
CrowdStrike’s Mobile Threat Landscape Report for 2019 provides insights into the key types of malware observed so far in 2019. Adversaries’ typical deployment mechanisms demonstrate that attackers are utilising experience they have developed over years compromising ‘traditional’ computers, and now are applying it to mobile platforms. While desktop computing has benefited from years of development in commercial and open-source malware research and detection, the current state of defensive technology in the mobile space is less mature. This has led to longer potential attacker dwell times on compromised mobile devices with greater access to sensitive data.
A broad range of criminal and targeted adversary groups were also found to have increasingly adopted the targeting of mobile platforms, with evolving tactics. In July 2018 there was a highly targeted attack against a small number of targets in India. In this case, select iPhone devices were targeted and enrolled in an attacker-controlled Mobile Device Management (MDM) server, which was then used to push malware-infected versions of legitimate apps, such as WhatsApp and Telegram.
Mobile malware designed for the Android operating system is the most prevalent, driven by the ease of installing new applications from third-party sources. In India, Android holds a share of about 91 percent of the mobile operating system market.
According to the Reserve Bank of India’s 2017-18 Annual Report, mobile banking grew 92 percent in volume of transactions and 13 percent in value of transactions from March 2017 to March 2018, while the number of mobile banking users grew 54 percent during the same time frame, with little change in the number of ATMs deployed. In India, 92.6 percent of total retail payments volume is electronic, up from 88.9 percent in the previous year, much higher figures than in the US.
This has set the stage for greater adoption of mobile payments and banking. With the enormous potential of digital come enormous risks, as banks share not only their own but also their customers’ data with a diverse range of external parties, elevating the risk of financial crime and cyber-attacks.
Beyond the implementation of cyber laws and regulations, it is the worrying lack of awareness of those laws and regulations, at both the corporate and the individual level, that needs to be countered in view of the increased number of malware attacks. Individual mobile users, particularly mobile banking users, can protect themselves and be protected from cyber-attacks only if there is a guided and supervised legal framework. It is quite evident from the Mobile Threat Report that cybercriminals have sharpened their skillsets and creativity for mobile attacks, determined to evade detection while keeping their malware persistent and effective. Threat actors are stepping up their efforts and, as a result, mobile attacks are likely to increase in future.
Mobile malware comes in a variety of forms
Much like malware families developed for traditional desktop computing platforms, mobile malware can take a variety of forms, depending on the capabilities and motivations of the developer and those deploying the malware. While some state-aligned actors may seek to establish long-term persistence on a device to gather intelligence on a target over a period of time, criminally minded groups are more likely to focus on malware to intercept banking credentials in order to provide a quick route to financial gain. Meanwhile, less sophisticated criminal actors may seek to repurpose existing revenue-generation models, such as ransomware and cryptomining, although often with limited results.
The motivations of threat actors differ, from financial gain to intelligence gathering or disruption, and their tools and objectives depend on the class of threat actor involved.
How to strengthen your mobile security
More than ever before, organisations need to contend not only with the ubiquitous use of mobile devices in their environments but also with the fact that these devices may hold significant amounts of corporate data, as a result of the proliferation of the BYOD culture in India, primarily driven by a vibrant startup culture. On the other end of the spectrum, mobile threats will continue to proliferate as both nation-state and eCrime groups innovate and refine their mobile attacks in their efforts to evade these organisations’ security defences.
Some key recommendations that will help organisations better secure mobile devices in a corporate environment include:
Only download applications from trusted sources, such as official app stores: The majority of mobile malware is distributed from third-party sources that don’t perform comprehensive checks of the applications they provide.
Be on the lookout for phishing messages: Users should be wary of messages being delivered by SMS or email that prompt them to install applications from untrusted sources, because this mechanism is often used by attackers to trick their targets into installing mobile malware.
Regularly apply security patches to mobile operating systems and installed applications: Flaws in operating system software can be exploited by malicious actors to install mobile malware and escalate operating privileges to obtain greater access to data and capabilities on the device.
Establish security around solid mobile device management processes: Corporate management of mobile devices can provide protection against mobile malware by restricting which applications can be installed, and allowing for the automatic deployment of security patches. However, this capability can also provide opportunities to an attacker, who may be able to leverage their own MDM servers to deploy malware.
Maintain physical security of physical devices: Enabling strong passwords, or biometric authentication measures such as fingerprint or facial identification, in addition to ensuring that mobile devices are not left unattended, can reduce the risk that a malicious actor may be able to install malware manually during so-called ‘evil maid’ attacks.
Michael Sentonas is Vice President, Technology Strategy, at CrowdStrike.