Originally, it was expected that mobile devices would evolve to become handheld computers with capabilities similar to any desktop. It is clear today that our smartphones and tablets have evolved beyond this point, creating new means of technological interaction not previously imagined.
In the midst of this socio-technological shift, the rise of virtual reality technology raises new security risks not only to digital information but also to users' physical wellbeing. While these applications collect and store increasingly sensitive data, mobile malware keeps evolving and growing more complex, reinforcing the importance of, and need for, secure mobile technology. Given the large number of potential victims, the official app markets are struggling to keep new waves of malicious code out.
Does this scenario reflect what awaits us in terms of mobile security trends? Throughout this article, we will discuss how these risks might develop in the near future.
Pushing the limits of perception
Prior to the emergence of Pokémon GO, augmented reality (AR) had never reached so many people outside the gaming community, and this has placed the technology at the forefront of mobile trends. At the same time, it is increasingly common to see people using virtual reality devices, thanks to projects such as Google Cardboard, which helped to popularize the concept among the public by making it more accessible.
The success of Pokémon GO, in particular, has spurred greater interest in AR in general, making other, future AR applications attractive to cybercriminals seeking to inject them with malicious code, and then distribute their creations through malicious servers, hacked sites, unofficial stores and even official app markets.
These technologies pose new security risks on top of the other mobile dangers we mentioned in our Trends 2016 report, such as the spread of malware and the growing number of vulnerabilities. When the players, as physical entities, become variables in the game, we must worry not only about protecting the data on their devices but also about the safety and security of the players themselves.
Common sense—or the lack of it—will play a crucial role in physical security this year. We have witnessed cases of people trying to catch Pokémon while driving or on private property, or in highly unsafe areas, or being so absorbed in augmented reality that they forget to pay attention to approaching vehicles when crossing the street.
The confluence of strangers in the same location may also pose additional risks, in that we do not know to whom we may be advertising our presence and activities. This may have been one of the most controversial issues surrounding the emergence of Pokémon GO, as several people were injured in fights in Pokémon gyms or when trying to start battles with strangers.
Because these types of app can endanger the lives of their users, designing a security model that is inherent to the development process will be an essential factor in creating new applications. After all, if there is no consideration of the physical aspects of usability, what can we expect from more technical security flaws and perhaps other failures less visible to users and developers?
Vulnerable apps with unsafe APIs
If there is one problem that has characterized software development to date, it is that mobile security considerations are almost invariably deferred until the later stages of development, if they are addressed at all. Aside from a few applications for which compliance with security standards is mandated, few developers commission vulnerability assessments and code audits by independent, external experts before releasing their products to the public.
As mobile devices are promoted as the builders of human relationships that reach beyond the digital space, whether in the workplace, in recreational and sporting activities, or even with the intention of finding love, security becomes a critical factor in preventing unsafe designs from compromising the development process.
For example, researchers previously found that Tinder's API gave away the precise geolocation of the other person each time a match occurred. Another notable example is the Nissan Leaf: some of the vehicle's non-critical controls (climate control and battery status) could be reached through the API behind the company's mobile app, which accepted requests identified by nothing more than the car's VIN, with no authentication at all.
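As an added example (not code from the original article or from either company), the following Python shows why any "how far away is this user" endpoint is a location leak even after exact coordinates are removed. It generalizes the Tinder case: the follow-up finding against that same API in 2014 was that the distances it returned were precise enough for an attacker to query from three positions and trilaterate the victim. The anchor positions, the target position, the flat-plane model in metres and the 1 km grid size are all constructed for the illustration; the hardened variant snaps the stored location to the centre of a grid cell before any distance is computed.

```python
import math

# Constructed example: flat-plane approximation in metres. Three attacker
# positions ("anchors") and a target whose true position the attacker wants.
ANCHORS = [(0.0, 0.0), (5000.0, 0.0), (0.0, 5000.0)]
TARGET = (1234.0, 567.0)  # constructed, not a real location


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def snap_to_grid(point, cell_m):
    """Move a point to the centre of its grid cell, so that repeated queries
    from anywhere never reveal more than the cell it lies in."""
    return tuple((math.floor(c / cell_m) + 0.5) * cell_m for c in point)


def server_distance(target, querier, cell_m=None):
    """What a 'distance to this user' endpoint returns to the querier.

    cell_m=None -> the weak design: exact distance to the real position.
    cell_m=1000 -> hardened: distance to the centre of a 1 km grid cell.
    """
    if cell_m is not None:
        target = snap_to_grid(target, cell_m)
    return distance(target, querier)


def trilaterate(anchors, distances):
    """Solve (x-xi)^2 + (y-yi)^2 = di^2 for i = 1..3. Subtracting the circle
    equations pairwise cancels the quadratic terms and leaves two linear
    equations in x and y, solved here with Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = distances
    a = 2 * (x2 - x1)
    b = 2 * (y2 - y1)
    c = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d = 2 * (x3 - x2)
    e = 2 * (y3 - y2)
    f = d2 ** 2 - d3 ** 2 - x2 ** 2 + x3 ** 2 - y2 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; pick a third anchor off the line")
    return ((c * e - b * f) / det, (a * f - c * d) / det)


def attacker_estimate(cell_m=None):
    """Query the endpoint once from each anchor and trilaterate the target."""
    readings = [server_distance(TARGET, anchor, cell_m) for anchor in ANCHORS]
    return trilaterate(ANCHORS, readings)


def estimate_error(cell_m=None):
    """Metres between the attacker's estimate and the target's true position."""
    return distance(attacker_estimate(cell_m), TARGET)


if __name__ == "__main__":
    print("exact distances -> recovered", attacker_estimate(),
          "error (m):", round(estimate_error(), 3))
    print("1 km grid       -> recovered", attacker_estimate(1000),
          "error (m):", round(estimate_error(1000), 1))
```

With exact distances the attacker recovers the target position to floating-point precision; with the grid in place, three queries recover only the centre of the 1 km cell (1500, 500), and further queries from other positions return distances to that same point, so they add nothing. Merely rounding the reported distance is a weaker fix, because an attacker can walk until the rounded value flips and bracket the true value; snapping the stored location is what bounds the leak. The endpoint should also be rate limited and restricted to users who are legitimately entitled to a distance (for example, only after a mutual match).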
Advertising libraries will also play an important security role this year. These libraries are widely used by developers on platforms where users are often unwilling to pay for the functionality offered by the app. We typically find at least one of them per application, and they often expose unsafe APIs that could be exploited to install malware or steal information.
In addition to these unintentional errors in the development process, there are also malicious creations whose propagation is sometimes facilitated by the less restrictive policies of certain application repositories, allowing criminals to benefit from the perceived reliability of official app stores.
Android: An insecure system?
In 2007, the emergence of iOS revolutionized the mobile device industry by forcing consumers to rethink the role of technological devices in their daily lives. At that time, there was little discussion about the role of information security in mobile innovations and their possible impact on data protection.
Approximately one year after the release of iOS, a new operating system appeared as a plausible competitor: Android, created by Google. With open-source code, a less restrictive app market, the ability to adapt to different OEMs and very flexible customization, Android’s market share grew rapidly.
By the end of 2009, mobile users began to consolidate into opposing sides based on their preference for either system, betting on one or the other. That was when the first questions emerged about whether the features so appreciated in Android could play a negative role in terms of security. Today we may be seeing the results of that wager.
In the second quarter of 2016, Android accounted for 86.2% of smartphones sold worldwide. The sheer number of people using this OS makes it the preferred target for attackers. Its migration to other devices such as tablets, televisions, wearables and cars makes it a potential vector for multi-platform attacks in ever more complex scenarios as new internet-connected home automation systems are developed.
Many factors make multiplatform attacks possible. First, the interconnectivity between devices allows threats and scams to spread easily through social engineering. Then there are components that are common to all devices using the operating system, but which may not be updated promptly or at all by different OEMs.
Finally, development frameworks, which allow executables to be easily generated for different devices, are becoming increasingly common and could propagate security flaws between disparate devices. In the Internet of Things (IoT) it is not hard to imagine more such attacks in the future.
Malicious apps in official markets
A common occurrence in recent times has been the emergence of malicious apps in the official iOS and Android app repositories, a phenomenon that at first seemed extremely rare but that has unfortunately become more common over time. This trend has even affected the Apple App Store, which theoretically has more controls than the Google Play Store for Android.
As for publishing applications, numerous factors encourage the existence of malicious apps in Google’s app store. Not only is Android a favorite target for cybercriminals because it has the largest number of potential victims, but the speed at which apps are published on the Play Store also makes it a potential target for many attackers trying to propagate their threats.
With Android, any developer can create an account with a one-off payment of USD 25, upload an application, and have it published within 24 hours. In contrast, iOS developer membership costs USD 99 per year and apps go through a manual review that can take days or, at times, weeks.
So while Bouncer (Google's automated analysis and malware detection service for Play Store submissions) is improved on a regular basis, and manual code analysis is being strengthened, the huge number of new apps created daily and the haste with which they are incorporated into the market make accurate analysis of each one difficult.
It is possible that in order to reduce future cases of malware introduced into its official app store, Google will need to modify one of these variables – or both – to devote more resources to intensive analysis of a reduced number of applications and/or extend the time needed for the approval process, undermining the speed of publication. One of the several strategies Google might use to reduce the number of candidate applications could be raising the price for developers’ accounts.
What is certain is that so long as the policy framework for publication in the Play Store remains unchanged and none of these corrective measures are taken, we can expect to see a greater amount of malware in official stores in 2017 as attackers double down on this new modus operandi and find new mechanisms to evade detection.
With regard to this last point, it should be noted that many techniques make mobile malware hard to detect: time bombs, dynamic code executed through reflection, packers, encryption, obfuscated strings, scripts in other programming languages for remote downloading of malicious code, new command-and-control (C&C) channels, anti-emulation checks, rootkits, and so on.
But above all, cybercriminals are betting and will continue to bet on social engineering, waiting attentively for the official launch of popular apps to distribute their own fake versions, as happened recently with Pokémon GO, Prisma and Dubsmash.
The speed with which these malicious applications rack up hundreds and even thousands of downloads is a cause for concern among users of the platform. What will happen when cybercriminals decide to greatly increase the complexity of their creations?
Users' different approaches to installing applications also play a counterproductive role when it comes to Android. The ease with which someone can modify an APK obtained from the official store in order to inject malicious code and distribute it through websites or fake app stores, added to the ease with which users install files from untrustworthy sources, results in a higher rate of malware detection (and, in the worst case, infection) compared to other mobile operating systems.
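The repackaging described above leaves a trace that can be checked. An APK is a zip archive whose v1 (JAR) signature consists of a META-INF/MANIFEST.MF listing a digest for every file, a CERT.SF that digests the manifest, and a CERT.RSA that signs the CERT.SF. As an added example (not code from the original article or from Android itself), the following Python builds a constructed, APK-shaped zip with such a manifest, simulates a naive repackager that swaps classes.dex without touching META-INF, and runs the digest check that exposes the modification. The entry names and contents are constructed; the CERT.SF/CERT.RSA layers and the manifest's 72-byte line-wrapping rule are deliberately left out to keep the example short.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample contents; no real app is involved.
ORIGINAL_ENTRIES = {
    "AndroidManifest.xml": b"<manifest package='com.example.app'/>",
    "classes.dex": b"dex\n035\x00 original bytecode (constructed)",
    "res/layout/main.xml": b"<LinearLayout/>",
}

DIGEST_KEY = "SHA-256-Digest"


def _b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_apk(entries):
    """Write the entries into a zip together with a v1-style
    META-INF/MANIFEST.MF that records a SHA-256 digest for each of them."""
    lines = ["Manifest-Version: 1.0", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
            lines += [f"Name: {name}", f"{DIGEST_KEY}: {_b64_sha256(data)}", ""]
        z.writestr("META-INF/MANIFEST.MF", "\n".join(lines) + "\n")
    return buf.getvalue()


def parse_manifest(text):
    """Map entry name -> declared digest. (Real manifests wrap lines longer
    than 72 bytes with a leading space; that continuation rule is skipped.)"""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith(DIGEST_KEY + ": ") and name is not None:
            digests[name] = line[len(DIGEST_KEY) + 2:]
    return digests


def check_manifest_digests(apk_bytes):
    """Return {entry: 'ok' | 'mismatch' | 'unlisted' | 'missing'}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        declared = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            expected = declared.get(info.filename)
            if expected is None:
                report[info.filename] = "unlisted"    # added after signing
            elif expected != _b64_sha256(z.read(info)):
                report[info.filename] = "mismatch"    # modified after signing
            else:
                report[info.filename] = "ok"
    for name in declared:
        report.setdefault(name, "missing")            # deleted after signing
    return report


def is_intact(apk_bytes):
    return all(v == "ok" for v in check_manifest_digests(apk_bytes).values())


def repackage(apk_bytes, name, new_data):
    """A naive repackager: replace one entry's bytes and copy everything
    else, META-INF included, without re-signing."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info)
            dst.writestr(info.filename, data)
    return out.getvalue()


ORIGINAL_APK = build_apk(ORIGINAL_ENTRIES)
TAMPERED_APK = repackage(ORIGINAL_APK, "classes.dex",
                         b"dex\n035\x00 bytecode with injected payload (constructed)")

if __name__ == "__main__":
    print("original intact:", is_intact(ORIGINAL_APK))
    print("tampered report:", check_manifest_digests(TAMPERED_APK))
```

Android performs this digest check (plus the CERT.SF and CERT.RSA verification omitted here) at install time, so a repackager cannot simply edit classes.dex; they must regenerate the manifest and re-sign with a key of their own. That is the real tell: the signing certificate of the modified APK differs from the original developer's, and comparing the signer's certificate fingerprint against a known-good value, or relying on the whole-file APK Signature Scheme v2 introduced in Android 7.0, is what distinguishes the genuine app from a look-alike that passes the digest check.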
Over the years, various research reports have argued that Android's open-source nature inevitably implies a greater number of unpatched vulnerabilities and, consequently, more frequent attacks. This theory has not yet been borne out by the numbers: 2016 is the first year in which Android is on track to finish with more published vulnerabilities than iOS.
However, the way security patches are deployed continues to leave some Android users unprotected, creating a large window between the time at which the vulnerability is known and the time when OEMs and telephone network operators deploy the security patch for the different versions of the operating system, if they even choose to do so.
Google’s proposed plan for updates for Android 7.0 Nougat on Nexus devices includes monthly security patches in addition to quarterly updates with new functionality and bug fixes. Little progress was made last year towards reaching a consensus on the rapid release of patches. On the contrary, power struggles for dominance in the mobile device market resulted in sluggish conflict resolution.
For its part, Samsung, the leading manufacturer of Android devices, refuses to cede control of its devices’ OS to Google. Meanwhile, Google is turning to more compliant manufacturers to displace Samsung and reduce its market share.
There are some indications that Google has come up with a new plan to address this issue. Until it materializes, one of the options available to Android users who want the latest security patches will be to buy Google's own devices – the Nexus line and its successor, the Pixel – so as to receive updates directly from Google as soon as they are released.
Mobile platforms under attack
Since 2012, the number of threat detections on mobile devices has continued to grow, and we anticipate that this trend will continue throughout the remainder of 2017. This is a statistical reflection of the importance cybercriminals assign to these devices, as the data they store becomes increasingly sensitive.
Beyond the issues raised throughout the previous section, it is important to note that Apple users should not fall prey to a false sense of security. According to data obtained from our products, iOS threat detections still represent less than 1% of the number of Android threat detections. However, iOS detections are growing fast: the number recorded in 2016 exceeded the total for all of 2015. We can expect the same pattern to continue this year.
In addition, severe vulnerabilities continue to exist. Not long ago, Apple released security patches for a set of zero-day vulnerabilities (the three bugs known as Trident, fixed in iOS 9.3.5) that gave attackers complete control over iOS devices and were used to spy on individuals.
The growth of mobile malware is an undeniable reality, one that we have been predicting since 2013 and which is gaining strength as we speak. During 2015, new variants of malicious code created for Android averaged 200 a month; during 2016, this number rose to 300 new monthly variants (in iOS the number is two per month). We would not be surprised to see this increase continue this year, averaging 400 new mobile malware variants per month for Android by the end of 2017.
This provides us with a measure not only of the amount of malicious code but also of the speed with which these malicious campaigns evolve. In the coming year we will see more ransomware, more fake apps, more gimmicky malicious code and many more mobile scams through WhatsApp and social networking applications.
As users come to understand the dangers of installing applications from untrusted sources, cybercriminals are likely to be planning new social engineering campaigns through official markets. If so, we should expect to see many more such cases in the coming months. What remains to be seen is what course of action Google and Apple will take to contain the threat.
Together with the increase in the number of new variants of malicious code, a major concern for users of mobile devices will be vulnerabilities not only in the operating system but also in the applications they use. As these apps collect and store data that can be misused to endanger the physical health and safety of their users, it will be a challenge for developers to quickly adopt secure development procedures so as to minimize the risk of exposure, such as that found in poorly designed APIs.
For now, the recent releases of iOS 10 and Android 7.0 Nougat show some remarkable improvements in mobile security, especially in the latter. Google’s efforts to unify some aspects of security are becoming more obvious in the various models of phones and tablets now becoming available on the market. In addition, the company continues to have high hopes for its aggressive program of bug hunting as a means of discovering vulnerabilities.
Another remarkable feature of Android 7.0 Nougat is a set of improvements in the handling of permissions and applications that hinder the installation of malware and limit the control such applications obtain: for example, a device-administrator app can no longer change the lock-screen password when one is already set, a trick that lock-screen ransomware relied on. This is a clear attempt to curb the rise of mobile ransomware, one of the main challenges in mobile security.
This article is an adapted version of the corresponding section from ESET’s 2017 trends paper, Security Held Ransom.
by Denise Giusto Bilic, ESET We Live Security