Until relatively recently, mobile malware wasn't that different from early PC malware: it was annoying, it probably invaded your privacy, and it took a toll on system resources, but it wasn't especially dangerous or costly in the way that the modern weaponized malware used to attack PCs, servers, and point-of-sale systems is. And just as early malware primarily targeted a single OS (Windows), mobile malware remains almost exclusively a problem for Android. However, Stagefright appears to have served as something of a wake-up call for the industry: Android devices are more vulnerable than they should be, and the mobile threat landscape just got a lot more worrisome.
Stagefright, of course, was front and center at Black Hat last week, and Google, device OEMs, carriers, and messaging apps have been unusually quick to begin rolling out security fixes for the vulnerability. Stagefright itself is an Android library that is deeply integrated into the OS. Any unpatched device running Android 2.2 or above is potentially vulnerable to exploits that require no user interaction to run: the user simply needs to receive a crafted multimedia message, which can enable remote code execution without the user ever knowing.
Stagefright, however, is hardly the only red flag we're seeing around mobile malware in general and Android in particular. This week, Fortinet senior mobile AV analyst Axelle Apvrille wrote about Android/Locker, a recent piece of Android ransomware that can also act as a remote backdoor into your device. FortiGuard Labs researcher Ruchna Nigam published a timeline of mobile botnets at the end of 2014 that showed increasing sophistication, growing capabilities, and, by 2012, almost exclusive targeting of Android.
IBM researchers presented this week on a newly discovered vulnerability in Android that would allow seemingly innocuous apps to elevate their privileges and take over a device. The device could then be used for any number of purposes including launching attacks on networks and exfiltrating data.
Obviously, we're no longer operating in the realm of annoying adware. The 2015 Verizon Data Breach Investigations Report noted that mobile malware was not yet a significant factor in data breaches:
We are not saying that we can ignore mobile devices—far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they’re using now.
When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly.
Well, folks, the landscape has started to shift. Mobile devices are ubiquitous on corporate networks and, by their very nature, come and go between highly vulnerable and relatively safe environments. More importantly, because most mobile devices depend on carriers and vendors for their updates, administrators and users often can't apply security patches in a timely manner. As Stagefright in particular has highlighted, fragmentation in the Android market is especially concerning. Google has now committed to updating its flagship Nexus devices monthly, but these represent only a small fraction of the Android devices on the market. Samsung and LG are also prioritizing security updates, but the process of packaging updates for their Android devices and then distributing them through the major carriers has always been long and complicated. Unpatched security holes are, unfortunately, the norm rather than the exception, and the heterogeneity of user devices further complicates management in both BYOD and corporate deployments.
Android has become a viable vector for a variety of attacks against both end users and organizational targets. But if neither users nor administrators can count on timely security updates in the way they can with desktop operating systems, what's the solution? Only use Nexus devices? Stick with iOS? Abandon BYOD? None of these are especially attractive options, but organizations need to give much more careful thought to mobile security as the threat landscape continues to evolve.
At the same time, layered security remains the name of the game. This doesn't just mean endpoint security or firewalls (although those are critical components). Setting policy about the types of devices allowed on the network, for example, can increase security without being overly restrictive. Versions of Android above 4.0 have internal mitigation measures that help protect against the Stagefright vulnerability even if the device hasn't been specifically patched against related exploits, so it is completely reasonable for employers to require devices running Android 4.0 and above as part of their BYOD policies. Robust security appliances can also block data exfiltration and communication between mobile malware and C&C servers even when individual devices remain vulnerable to attack.
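The "visibility first, control second" advice above and the minimum-OS-version BYOD policy can be turned into a simple inventory check. The following is an added example, not code from Fortinet or from this post: it assumes an export from whatever device-management system you use, with one record per device carrying an assumed set of fields (device id, platform, OS version string as reported by the device, owner), and it runs over a few constructed sample records. Devices below the policy minimum are flagged for blocking, records whose version string cannot be parsed are flagged for manual review rather than silently passing, and non-Android devices are reported as out of scope for this particular rule.

```python
"""Minimum-OS-version compliance check for a BYOD device inventory.

Added example (not Fortinet's code). Field names and the sample records
are assumptions; real inventories come from your MDM/NAC export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Policy threshold from the post: require Android 4.0 and above.
POLICY_MIN_ANDROID = "4.0"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '4.0.4' into (4, 0, 4).

    Raises ValueError on anything that is not purely numeric so that
    malformed or tampered records are surfaced instead of ignored.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare two dotted versions numerically, padding so that
    '4.0' and '4.0.0' are equal and '4.0.4' is above '4.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


@dataclass
class Device:
    device_id: str   # assumed inventory field names
    platform: str
    os_version: str  # e.g. the value of Build.VERSION.RELEASE on Android
    owner: str


def evaluate(devices: List[Device], minimum: str = POLICY_MIN_ANDROID) -> Dict[str, List[str]]:
    """Sort devices into policy buckets: allow, block, review, out_of_scope."""
    report: Dict[str, List[str]] = {"allow": [], "block": [], "review": [], "out_of_scope": []}
    for d in devices:
        if d.platform.strip().lower() != "android":
            # This rule only covers Android; other platforms need their own policy.
            report["out_of_scope"].append(d.device_id)
            continue
        try:
            compliant = version_at_least(d.os_version, minimum)
        except ValueError:
            # Visibility point: a device we cannot classify gets a human look.
            report["review"].append(d.device_id)
            continue
        report["allow" if compliant else "block"].append(d.device_id)
    return report


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("nexus-01", "Android", "5.1.1", "alice"),
    Device("galaxy-02", "Android", "4.0.4", "bob"),
    Device("legacy-03", "Android", "2.3.6", "carol"),
    Device("odd-04", "Android", "4.x", "dan"),
    Device("iphone-05", "iOS", "8.4", "erin"),
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_INVENTORY)
    for bucket, ids in result.items():
        print(f"{bucket:>12}: {', '.join(ids) if ids else '-'}")
```

The parse step is deliberately strict: a version string the check cannot read is exactly the kind of device the "visibility" advice is about, so it lands in the review bucket for someone to look at rather than being treated as compliant by default.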
This is just the tip of the iceberg for mobile malware. Point-of-sale systems, servers, and applications are routinely compromised, and it's time we added Android devices to the growing attack surface we protect with the same rigor and vigilance we apply to systems that don't fit in our pockets.