By Chris Dawson
Just as early malware primarily targeted a single OS (Windows), mobile malware remains almost exclusively a problem for Android. However, it appears that Stagefright has served as something of a wake-up call for the industry—Android devices are more vulnerable than they should be and the mobile-threat landscape just got a lot more worrisome.
Stagefright, of course, was front and center at Black Hat last week and Google, device OEMs (original equipment manufacturers), carriers and messaging apps have been unusually quick to begin rolling out security fixes to address the vulnerability. Stagefright, though, is actually an Android library that is deeply integrated into the OS. Any unpatched device running Android version 2.2 or above is potentially vulnerable to exploits that require no user intervention to run. Users simply need to receive a crafted multimedia message, which can enable transparent remote code execution. Stagefright, however, is hardly the only red flag we’re seeing around mobile malware in general and Android specifically. Fortinet’s Axelle Apvrille wrote about Android/Locker, a recent bit of ransomware that can also act as a remote backdoor to your device.
IBM researchers presented a newly discovered vulnerability in Android that would allow seemingly innocuous apps to elevate their privileges and take over a device. The device could then be used for any number of purposes, including launching attacks on networks and exfiltrating data.
Obviously, we’re no longer operating in the realm of annoying adware. The 2015 Verizon Data Breach Investigations Report noted that mobile malware was not yet a significant problem in the context of data breaches:
“We are not saying that we can ignore mobile devices—far from it. Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they’re using now. When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly.”
As Stagefright, in particular, has highlighted, fragmentation in the Android market is especially concerning. Google has committed to updating their flagship Nexus devices on a monthly basis now, but these represent only a small fraction of Android devices on the market. Unpatched security holes are the norm, unfortunately, rather than the exception and the heterogeneity of user devices further complicates management in BYOD (bring-your-own-device) and corporate deployments.
At the same time, layers of security remain the name of the game. This doesn’t just mean the use of endpoint security or firewalls (although those are critical components). Setting policy about the types of allowed devices, for example, can increase security without being overly restrictive. Versions of Android above 4.0, for instance, have some internal mitigation measures that help protect against the Stagefright vulnerability even if the device hasn’t been specifically patched to prevent related exploits. It is completely reasonable for employers to require devices running Android 4.0 and above as part of their BYOD policies.
This is just the tip of the iceberg for mobile malware. Point-of-sale systems, servers, and applications are routinely compromised, and it’s time that we add Android devices to the growing attack surface that we protect, with the same rigor and vigilance we apply to systems that don’t fit in our pockets.
Chris Dawson is director of content for Fortinet Inc., a Sunnyvale, California-headquartered American multinational corporation that sells high-performance network-security products and services. The views expressed in this abridged version of Dawson’s article do not necessarily reflect those of the Businessmirror. For Dawson’s full article, go to http://blog.fortinet.com/post/i-ve-got-99-problems-and-quite-a-few-of-them-are-android.