Mobile Devices Rise as Hackers’ Wonderland: Nine Reasons Why

By Chris Preimesberger

These apps automatically log in to users’ Google accounts, both personal and corporate, such as email, docs and Google +. Then they can access documents stored in Google Docs, and potentially send them off the device, exposing companies and users to data loss and theft, or opening the door to further network penetration. This is a huge threat.

IMEI and SIM cards are unique numbers used to identify mobile devices so telcos can authenticate you and your device. When apps acquire and send these identifiers to third-party servers, they can be used to physically track you and your device. In addition, with these identifiers, criminals may be able to clone a device so they can receive a user’s phone calls and text messages.

If an app can read the SMS texts on a mobile device, it can learn with whom the user communicates. For a corporate employee, this information presents a significant security breach, because criminals may use it to impersonate familiar people, maybe through another channel, to make a more successful phishing attack. SMS-based two-factor authentication, offered by Google, Twitter and many banks, can also be defeated if text messages are visible to malicious apps and third parties.

As with compromised SMS texts, an app that reveals a user’s mobile phone call history can help criminals begin building a social engineering graph on a particular user. A criminal now knows who the user calls and texts, and ultimately trusts. They will use this trust to attack specific companies by spoofing known contacts to obtain network log-ins and sensitive information.

The prospect of a company’s contact database living somewhere on a third-party advertising server connected to the Internet is a severe security breach, because it exposes critical data used for spamming, phishing and social engineering schemes. Malicious code embedded within seemingly innocuous apps, such as games and utilities, can transfer contact databases directly to servers over the Internet.

Businesses don’t want their employees’ browsing history exposed because it allows criminals to build profiles and learn what sites the employee visits, where they work, where they bank, corporate URLs visited, including Webmail servers and SharePoint sites. Equipped with an employee’s browsing history and log-in credentials, a criminal can easily gain access to a corporate network, because many people use the same password or a slight variation for every site that requires authentication.

Apps that automatically change WiFi settings on a mobile device expose employees to a variety of Web attacks. Employees can be directed to WiFi networks controlled by criminals so that all their traffic can be monitored or subjected to man-in-the middle attacks.

On older versions of Android, apps can install other apps or malware without the user’s knowledge. In fact, 1.6 percent of Android apps request permission to install apps. There is no reason for any mobile app to install another app on a device. These additional apps can be modified by criminals to seize complete control of the employee’s device without their knowledge to track SMS texts, monitor phone calls, read browser histories and modify WiFi settings, exposing the employee and the enterprise to countless forms of attacks.

A specific example of a malicious app that Marble Security Labs identified that comes preloaded on devices is a Netflix imposter. There are about 10 to 12 versions of the app, and one malicious version aimed at stealing credit card details is available for download. The lab has discovered that the malicious version is often coming preloaded on out-of-the box phones and tablets. Whoever is preloading the brand-new devices is responsible. It’s not Netflix’s fault. Similar approaches could target corporate applications, seeking remote employee log-ins and passwords—the first step in advanced persistent threats (APTs).