ENTERPRISE MOBILE THREATS 2014: A Year In Review

I. Introduction

In 2014, increased mobile threat sophistication emerged as the notable trend, while attackers continued to focus predominantly on application-delivered attacks. This past year, for example, Lookout observed new app-based threats, such as DeathRing, that indicate attackers have compromised certain mobile supply chains and pre-loaded malware on factory-shipped handsets. [1] In addition, the NotCompatible threat family and a sophisticated new variant, NotCompatible.C, gained considerable traction in the U.S. and Western Europe in 2014. NotCompatible.C contains proxy functionality that could allow attackers to infiltrate secure corporate networks, and it also employs layers of complex self-defense mechanisms to evade detection and countermeasures. [2]

Moreover, the cost of a security breach has never been higher: a 2014 study estimates that the average data breach now costs companies $3.5 million (USD), a 15% year-over-year increase. [3] The question of whether organizations can trust an individual smartphone or tablet to connect to sensitive networks and systems weighs heavily on the minds of CISOs and CIOs, who recognize that a single security breach on a mobile device can put an entire organization at risk. Specifically, organizations face three types of security risks with mobile devices:

- Accidental data leakage through apps or lost/stolen devices
- Malicious theft of data from devices via targeted and untargeted attacks
- Infiltration of protected corporate networks via compromised devices

This report provides an overview of the mobile threats enterprises faced in 2014 and recommendations for security best practices amid today's threat landscape.

Methodology

To prepare this report, Lookout analyzed threats encountered by its global sensor network of more than 60 million Lookout-enabled mobile devices.
The encounter rate measurement used in this report reflects the percentage of unique devices that encountered a threat during 2014.

Key Highlights

Key mobile security takeaways from 2014 include:

Mobile threat sophistication has increased. In 2013 Lookout discovered a mobile malware ring with agile release cycles and affiliate marketing programs, [4] demonstrating that mobile attackers had increased their operational sophistication. In 2014, Lookout saw the sophistication of the attacks themselves grow, with the discovery of pre-loaded malware such as DeathRing that indicates attackers have compromised certain supply chains. Also, NotCompatible.C, one of the most technically sophisticated mobile threats, emerged among the top three most prevalent threats to enterprises in the U.S., U.K. and Germany in 2014.

Mobile security threats grew and widely impacted organizations. These threats ranged from surveillanceware like MSpy, which can monitor and steal device data, to trojans like NotCompatible, which can compromise protected corporate networks. Lookout also found that mobile malware encounter rates in the U.S. increased 75% year over year (from a 4% to a 7% threat encounter rate for mobile devices), due largely to the abundance of new ransomware campaigns like ScarePakage that reached millions of users. [5]

Malicious mobile data exfiltration is a global problem. Malicious apps collect and transmit sensitive data to a wide variety of geographies. In the U.S., for instance, the second most common destination to which mobile threats exfiltrated device GPS data is Germany. In all, Lookout identified malicious exfiltrations of GPS and contact data in the U.S., U.K. and Germany to more than 0 different countries around the world.

II. Top Lookout-Discovered Threats in 2014

United States, U.K. and Germany: NotCompatible.C (trojan)
South Korea: ShrewdCKSpy (spyware), MalApp.D (trojan)

NotCompatible.C (trojan; prevalent in the U.S., U.K. and Germany)

The latest version of the NotCompatible family of malware, NotCompatible.C, is a trojan that contains proxy functionality that could enable attackers to infiltrate secure enterprise networks, including corporate Wi-Fi and VPNs, via a compromised mobile device. With peer-to-peer encrypted communications and a two-tiered server architecture, NotCompatible.C ranks among the most technically sophisticated mobile security threats ever detected.

MalApp.D (trojan; prevalent in South Korea)

MalApp.D is a trojan that poses as a VoIP app. The Lookout Security Platform detected this 0-day threat, which was live in Google's Play Store, before anyone else. MalApp.D exfiltrates device contact data to a malicious third-party server and also has the potential to record sensitive conversations on compromised devices.

ShrewdCKSpy (spyware; prevalent in South Korea)

ShrewdCKSpy is a Korean spyware family whose variants can surreptitiously record SMS messages and phone calls on compromised devices and exfiltrate them to malicious servers and email accounts. Because it can auto-accept and record calls, ShrewdCKSpy could also serve as a bugging tool for corporate espionage.
III. Top Regional Threats in 2014

United States
Malware encounter rate for devices: 7% [6]
Android devices affected (estimate): 6.4 million [7]
Top mobile threats to enterprises:
- NotCompatible (proxy): a proxy threat that could allow attackers to compromise secure corporate networks.
- TowelRoot & TowelExploit (root exploit): threats that contain code
- BasicSystemSpy (surveillance): a threat that secretly collects device information including SMS, contacts, GPS location and browsing history, and can also record audio via a compromised device's microphone.

United Kingdom
Malware encounter rate for devices: % [6]
Android devices affected (estimate): 47,000 [8]
Top mobile threats to enterprises:
- TowelRoot (root exploit): a threat that contains code
- NotCompatible (proxy): a proxy threat that could allow attackers to compromise secure corporate networks.
- Framaroot (root exploit): a threat that contains code

Germany
Malware encounter rate for devices: % [6]
Android devices affected (estimate): 847,000 [9]
Top mobile threats to enterprises:
- TowelRoot (root exploit): a threat that contains code
- Framaroot (root exploit): a threat that contains code
- NotCompatible (proxy): a proxy threat that could allow attackers to compromise secure corporate networks.
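The encounter-rate definition from the Methodology section, the "devices affected" arithmetic behind endnotes 7 to 9, and the endnote 6 caveat that per-class rates cannot simply be added, worked through in code. This is an added example written for this page, not Lookout's own code: the detection records, the device population, the market-share and rate inputs, and the function names are all constructed assumptions.

```python
"""Encounter-rate arithmetic as the report's Methodology defines it.

Added example (not Lookout code). Every record and number below is constructed."""
from collections import defaultdict

# Constructed sensor records: (device_id, threat_family, classification).
# A device that meets several threats during the year appears several times.
DETECTIONS = [
    ("d01", "NotCompatible", "trojan"),
    ("d01", "RuPaidMarket", "adware"),
    ("d02", "TowelRoot", "root_exploit"),
    ("d03", "ScarePakage", "ransomware"),
    ("d03", "RuPaidMarket", "adware"),
    ("d03", "TowelRoot", "root_exploit"),
    ("d04", "BasicSystemSpy", "surveillance"),
]
POPULATION = 40  # constructed: sensor devices observed during the year


def encounter_rate(detections, population, classification=None):
    """Fraction of unique devices that met at least one threat.

    With classification=None this is the "any threat" rate; with a class it is
    that class's rate. A device counts once however many threats it met."""
    devices = {dev for dev, _, cls in detections
               if classification is None or cls == classification}
    return len(devices) / population


def rates_by_classification(detections, population):
    """Per-class encounter rates, each computed over unique devices."""
    by_cls = defaultdict(set)
    for dev, _, cls in detections:
        by_cls[cls].add(dev)
    return {cls: len(devs) / population for cls, devs in by_cls.items()}


def overcount_from_summing(detections, population):
    """How far summing per-class rates overshoots the true any-threat rate.

    This is the endnote 6 caveat: a device hit by two classes is counted in
    both, so the sum of class rates is not the share of affected devices."""
    naive = sum(rates_by_classification(detections, population).values())
    return naive - encounter_rate(detections, population)


def estimated_affected_devices(smartphone_users, android_share, rate):
    """Endnote 7-9 style estimate: users x Android share x encounter rate."""
    return round(smartphone_users * android_share * rate)


def year_over_year_change(previous_rate, current_rate):
    """Relative change; 0.04 -> 0.07 gives 0.75, the report's 75% figure."""
    return (current_rate - previous_rate) / previous_rate


if __name__ == "__main__":
    print("any-threat rate:", encounter_rate(DETECTIONS, POPULATION))
    print("by class:", rates_by_classification(DETECTIONS, POPULATION))
    print("overcount if summed:", overcount_from_summing(DETECTIONS, POPULATION))
    print("estimate:", estimated_affected_devices(100_000_000, 0.5, 0.07))
```

With the constructed records, four of forty devices met some threat (a 10% any-threat rate) while the five class rates sum to 17.5%, which is exactly the double counting endnote 6 warns about: devices d01 and d03 each appear under two classes.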
IV. Snapshot: Measuring Corporate Mobile Risk Profiles

Using a global sensor network of millions of Lookout-protected devices, Lookout can provide a snapshot of many organizations' mobile risk profiles by anonymously correlating threat detection data with devices that connect to known corporate IP space, based on publicly available Autonomous System (AS) data. In 2014 Lookout provided mobile risk assessments to a wide variety of organizations, and the results often came as a surprise to organizations that didn't believe they had risky BYOD activity or doubted the prevalence of mobile threats. Below is an abridged example of a mobile risk assessment Lookout conducted in 2014 for a major U.S. federal agency. This assessment drew on a sample set of 488 mobile devices that made connections to this agency's corporate IP space.

ABRIDGED 2014 LOOKOUT MOBILE RISK ASSESSMENT
Organization: A U.S. Federal Agency
Sample Size: 488 Mobile Devices

Top threats, ranked by device count: NotCompatible, ScareMeNot, Koler, ColdBrother, DoubleDip, AndroRat, RuPaidMarket, StatSpy, SpyApp, KidLogger

Threat encounter rates by classification:
- Adware: 5.4%
- Trojan: 6.4%
- Root Enabler: .4%
- Riskware: .5%
- Chargeware: .%
- Surveillance: .%

9% of the sampled mobile devices encountered a mobile threat.

This single organizational snapshot reflects broader mobile threat trends, such as the global predominance of adware: with a 5.4% encounter rate, adware was also the most prevalent threat class among the sampled devices. Adware is a class of threats that serves obtrusive ads and/or collects device data in excess of standard advertising practices. While adware is highly prevalent, as a threat to organizations it is typically more of an end-user nuisance than a pressing security risk, except where an adware family collects sensitive data from the device.

This sample mobile risk assessment, however, also documented a number of serious mobile threats that could compromise enterprise data and network security. For example, 6.4% of sampled devices encountered trojans and .4% encountered root enablers, which escalate privileges to root on a mobile device and can thereby undermine on-device security measures such as encrypted containers. In addition, 0 of the sampled devices in this assessment encountered NotCompatible, a trojan whose proxy capability could allow attackers to bypass firewalls by tunneling their traffic through the approved connections of trusted mobile devices inside the organization.
Tracking Threats to Corporate Networks

If not remediated by a security solution, mobile threats can linger on infected devices for months, and these devices can later carry existing infections, such as NotCompatible, into new corporate environments. The timeline below shows a sample of seven mobile devices that encountered NotCompatible and then connected to the corporate network of a major global financial institution in 2014. As the timeline shows, the time between a threat encounter and an established corporate network connection varies substantially and rarely falls within the same month.

[Figure: Mobile threat encounters over time in 2014. Organization: Fortune 500 financial company. Sample size: 7 mobile devices. Timeline from January through July 2014, one row per device, marking each NotCompatible encounter and each connection made with the corporate network.]
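The two analyses above, the Section IV snapshot (threat detections correlated with devices that connect into an organization's IP space, as taken from its AS announcements) and the encounter-to-connection timeline, reduced to a small Python example. This is an added illustration written for this page, not Lookout's platform or data: the prefixes (documentation ranges standing in for real corporate space), the connection log, the encounter records and the function names are constructed assumptions.

```python
"""Corporate mobile-risk snapshot: correlate threat detections with devices that
connect into an organization's IP space, and measure encounter-to-connection lag.

Added example (not Lookout's platform). Prefixes, logs and dates are constructed."""
from datetime import date
import ipaddress

# Constructed: prefixes one would take from the organization's AS announcements
# (documentation ranges used here in place of real corporate space).
CORPORATE_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed connection log from the sensor network: (device_id, destination_ip, date).
CONNECTIONS = [
    ("d01", "203.0.113.10", date(2014, 4, 2)),
    ("d02", "198.51.100.7", date(2014, 6, 15)),
    ("d02", "203.0.113.10", date(2014, 5, 3)),   # earlier visit to corporate space
    ("d03", "192.0.2.44", date(2014, 3, 1)),     # not corporate space
    ("d04", "203.0.113.200", date(2014, 2, 11)),
    ("d06", "203.0.113.5", date(2014, 1, 5)),
]

# Constructed threat encounters: (device_id, threat_family, date).
ENCOUNTERS = [
    ("d01", "NotCompatible", date(2014, 1, 20)),
    ("d02", "NotCompatible", date(2014, 3, 9)),
    ("d03", "NotCompatible", date(2014, 2, 14)),  # never reached corporate space
    ("d04", "Koler", date(2014, 3, 1)),           # infected after it was already connecting
    ("d05", "TowelRoot", date(2014, 7, 1)),       # never seen connecting at all
]


def is_corporate(ip, prefixes=CORPORATE_PREFIXES):
    """True when ip falls inside one of the organization's announced prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def first_corporate_connection(connections, prefixes=CORPORATE_PREFIXES):
    """Map device -> date of its earliest connection into corporate IP space."""
    first = {}
    for dev, ip, when in connections:
        if is_corporate(ip, prefixes) and (dev not in first or when < first[dev]):
            first[dev] = when
    return first


def risk_snapshot(connections, encounters, prefixes=CORPORATE_PREFIXES):
    """For each corporate device that met a threat: [(threat, days from encounter
    to first corporate connection)]. A negative lag means the device was already
    connecting to the organization when it was infected."""
    first = first_corporate_connection(connections, prefixes)
    snapshot = {}
    for dev, threat, when in encounters:
        if dev in first:
            snapshot.setdefault(dev, []).append((threat, (first[dev] - when).days))
    return snapshot


def corporate_encounter_rate(connections, encounters, prefixes=CORPORATE_PREFIXES):
    """Share of devices seen in corporate space that encountered any threat."""
    corp = first_corporate_connection(connections, prefixes)
    if not corp:
        return 0.0
    return len(risk_snapshot(connections, encounters, prefixes)) / len(corp)


if __name__ == "__main__":
    for dev, hits in risk_snapshot(CONNECTIONS, ENCOUNTERS).items():
        print(dev, hits)
    print("corporate encounter rate:", corporate_encounter_rate(CONNECTIONS, ENCOUNTERS))
```

On the constructed data, d01 carried NotCompatible for 72 days and d02 for 55 days before first appearing inside corporate space, which is the "latent threat" pattern the timeline illustrates; d04 shows the opposite ordering, a device already on the network when it was infected, which a one-time admission check would miss and only continuous device-level detection catches.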
While the spectre of a single, targeted mobile attack might be foremost on the minds of CISOs and CIOs, this timeline demonstrates that they should also focus on remediating the persistent mobile risk their organizations face from the devices that connect to their networks and systems every day. Security professionals should also consider the latent-threat scenario, in which attackers compromise a wide range of devices and then wait for them to enter enterprise environments before activating their attacks. In short, any one device could harbor a serious threat, which underscores the need for strong mobile threat protection across all devices that touch an organization.

Measuring Malicious Data Exfiltration

While these threats often exfiltrate data to servers found within the target country, many mobile threats collect and transmit sensitive data to a wide range of countries outside the target country. This raises the possibility that these exfiltrations not only violate organizational security policy but may also violate local data protection law, putting victimized organizations at legal risk where inadequate security measures were in place.

Lookout analyzed its mobile intelligence dataset to identify the top countries to which mobile threats exfiltrated data in 2014 (shown in the charts on the next page). Overall, Lookout found that malicious data exfiltration activity in the U.K., U.S. and Germany resulted in the transmission of GPS and contact data from compromised devices to servers located in over 0 different countries. The U.S. notably emerged as the top exfiltration destination for both GPS and contact data in all three countries, and Germany ranked second for GPS exfiltration in the U.S. and U.K.

The leading position of the U.S. on these charts, as well as the prominent ranking of Western European countries like the U.K., Germany and Luxembourg, might at first seem surprising. It is important to realize, however, that these charts do not necessarily reflect the countries where mobile attacks originate; rather, they reflect the top countries where attackers chose to host the command and control servers to which they initially exfiltrated the data. Viewed in this way, we would actually expect to see these countries at the top of the list, as the U.S., U.K., Germany and the Netherlands all rank among the top ten web-hosting countries in the world. [10] Additionally, foreign attackers often host their attack servers in the target country for the sake of efficiency or to avoid IP blacklisting countermeasures. Attackers also frequently compromise legitimate servers hosted in the target country, so this data may also reflect an attacker preference for using compromised servers in these countries.

Finally, it is worth noting that these countries represent just the initial exfiltration destination of this data: foreign attackers may choose to host command and control servers in the U.S. for a U.S.-targeted attack, but the data they exfiltrate to these servers will likely find its way back to the attackers in their home country.
[Chart: Top data destinations for mobile threats in the U.S., U.K. and Germany. For each of the three countries, two ranked lists of destination countries: one for contact exfiltration and one for GPS exfiltration, with the legend distinguishing device, malicious server, contact exfiltration and GPS exfiltration. Destination countries appearing on the chart include the United States, United Kingdom, Germany, Switzerland, the Netherlands, Luxembourg, Ireland, Thailand, Norway and Sweden.]
Conclusion

Overall, 2014 revealed that mobile security threats are growing more complex and that they have a persistent and widespread impact across organizations worldwide. Based on countless conversations we have had with companies around the world, it would seem many organizations do not yet understand the extent of their mobile risk profile because they lack deep visibility into the security status of the mobile devices connecting to their networks and databases. The question of whether to trust a mobile device connecting to a corporate network is a difficult one to answer today for organizations that lack this visibility. In a world where pre-loaded mobile malware exists, not even corporate-owned and provisioned devices should be exempt from security scrutiny. Moreover, with increasing BYOD activity in the workplace, the importance of this security visibility only grows, since BYO devices will typically touch a greater diversity of networks and download more software than their corporate counterparts.

For these reasons, Lookout recommends that organizations take the following steps toward a sound mobile security strategy:

Implement mobile threat protection: Mobile devices typically operate outside the traditional perimeter and beyond the reach of network-based security solutions. An advanced mobile security platform allows organizations to monitor for and protect against suspicious activity on their mobile devices, block identified threats and assess the overall health of their mobile ecosystem. By detecting threats at the device level, organizations can block and prevent installation before an attacker can perform hostile activity.

Segment networks for mobile devices: All mobile devices used in protected environments, especially those able to connect to external, unmanaged networks, should be limited to an isolated network segment with strong controls limiting access to sensitive resources and analytics to detect potentially malicious behavior.

Educate employees on mobile security best practices: Responsibility for mobile security also resides with end users; employees who exercise common sense and avoid risky behavior help limit an organization's mobile risk profile. Advise employees to download apps only from trusted marketplaces and to avoid rooting or jailbreaking their devices.
ENDNOTES

[1] DeathRing: Pre-loaded malware hits smartphones for the second time in 2014. Lookout. December 2014. https://blog.lookout.com/blog/04/
[2] The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Lookout. November 2014. https://blog.lookout.com/blog/04//9/notcompatible/
[3] Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis. Ponemon Institute. May 2014. http://www.ponemon.org/blog/ponemon-institute-releases-04-cost-of-data-breach-global-analysis
[4] Dragon Lady: An Investigation Into the Industry Behind the Majority of Russian-Made Malware. Lookout. August 2013. https://www.lookout.com/resources/reports/dragon-lady
[5] U.S. targeted by coercive mobile ransomware impersonating the FBI. Lookout. July 2014. https://blog.lookout.com/blog/04/07/6/scarepakage/
[6] NB: Encounter rates represent the average user's likelihood of encountering a threat in a year. Encounter rates are weighted calculations that account for varying user lifecycles and cannot be added, since a unique device may be counted multiple times in such calculations.
[7] Estimate: 76M smartphones x .5 Android market share x .07 encounter rate = 6.4 million devices. Source for third-party data: http://www.comscore.com/insights/market-rankings/comscore-reports-october-04-us-smartphone-subscriber-market-share
[8] Estimate: 5M smartphones x .595 Android market share x .0 encounter rate = 47,000 devices. Sources for third-party data: smartphone count: http://www.deloitte.co.uk/mobileuk/assets/pdf/deloitte_mobile_consumer_04.pdf; Android UK market share: http://www.techweekeurope.co.uk/workspace/android-market-share-europe-uk-5598
[9] Estimate: 4.7M smartphones x .84 Android market share x .0 encounter rate = ~847,000 devices. Sources for third-party data: smartphone count: http://www.emarketer.com/article/smartphones-all-rage-/0094; Android market share: http://www.kantarworldpanel.com/dwl.php?sn=news downloads&id=584
[10] The top 100 web hosting countries. Pingdom. March 2013. http://royal.pingdom.com/0/0/4/web-hosting-countries-0/