In January 2020, the United Nations released a dynamite report. It alleged that the personal smartphone of Amazon boss Jeff Bezos had been hacked by Saudi Arabian crown prince Mohammed bin Salman. According to the findings, a booby-trapped MP4 file arrived on Bezos’s iPhone via a WhatsApp message from the prince, covertly downloaded spyware, and began exfiltrating hundreds of megabytes of data. All of which raises the question: if the richest person in the world can have his phone hacked, how secure are the devices used by your corporate executives?

Fortunately, most mobile cyber-espionage threats aren’t nearly as sophisticated. But they are on the rise. Tackling them will require a considered approach combining a best-practice blend of people, process and technology.

Spying goes mobile

Customer data has always been in high demand on hacking forums and dark web marketplaces, where it’s usually snapped up by scammers to use in follow-on identity fraud. Despite the advent of rigorous new data protection regulations such as the EU’s GDPR and CCPA in the US, activity in this area appears undimmed, for now. However, cyber-espionage is typically a more sophisticated marketplace where specific organisations are targeted for high-value internal data that could give rivals a competitive advantage or be used to commit stock market fraud.

While desktop, on-premises infrastructure in large organisations is relatively well protected, the same isn’t always true of the mobile ecosystem. From 2015 to 2019, Trend Micro observed a 1400% increase in mobile cyber-espionage campaigns targeting multiple platforms, operating systems and countries. Some are the work of state actors while others are down to financially motivated cyber-criminals. The bad news is that organised cybercrime groups traditionally associated with desktop attacks are increasingly scrutinising mobile channels to further their goals.

Taking everything

Android remains the most commonly targeted ecosystem, as its relatively open approach means malicious apps are more likely to find their way online. That’s not to say iOS is completely untouched. The malware believed to have infected Bezos’s iPhone could be related to Pegasus, notorious spyware flagged in the past by rights groups as being used by despotic regimes to monitor dissidents. Popular with East Asian cyber-criminals, XLoader and FakeSpy target both Android and iOS platforms to harvest sensitive information.

Typically, the kind of malware we’re talking about in these attacks is designed to exfiltrate a range of information to remote C&C servers. This could include basic device ID (IMEI), OS version and operator information, but also messages — even on ‘secure’ services like WhatsApp and Telegram — stored files, clipboard contents, call logs, contact lists, browsing history, account log-ins, geolocation and application lists. Attackers could access an individual’s entire digital life and any corporate accounts not protected by 2FA via spyware of this sort, harvesting highly valuable intelligence on the target and their organisation.

There are various ways attackers trick the individual into installing the malware on their device. Most commonly the malicious code is hidden in a legitimate-looking application: perhaps a game, adult content or something more mundane such as a web browsing app or B2B service provider software. It’s then loaded onto a fake website or app marketplace, usually a third-party store, although malware has frequently been found on the official Google Play site. The final step is to persuade the user to visit and download it, usually via a phishing email or text message (smishing).

Hiding in plain sight

Trend Micro has tracked multiple spyware campaigns using such tactics over the years. In 2019 alone there was Bouncing Golf, which used malware capable of recording audio and video as well as stealing information, and which was posted on websites and promoted on social media. CallerSpy featured spyware disguised as chat apps and hosted on a phishing site masquerading as a Google page, while MobSTSPY harvested users’ account credentials and was downloaded more than 100,000 times from Google Play.

To increase the chances of victims downloading the malicious apps, hackers will often leverage stories in the news and popular current services. We have already spotted one campaign disguising spyware as a Coronavirus Updates app, for example, while another featured a malicious Zoom installer.

In some extreme cases, organisations may even be targeted with highly sophisticated exploits developed by grey-market organisations which typically sell them to foreign governments. This is where Pegasus came from. Threats like this can require little to no user interaction to work, but fortunately are extremely rare, and expensive to buy.

Getting ahead

The threat landscape is a volatile and dynamic environment, meaning tools and tactics will continue to develop in this space. The bad news is that as cyber-espionage becomes more commonplace on mobile devices, the cybercrime underground is likely to see a proliferation of readymade toolkits enabling even those with few technical skills to get involved. This poses a threat to organisations everywhere, especially high-value executive targets.

Yet despite this, there are a few things you can do to greatly reduce the risk of being caught out. It starts with user awareness training. Ensure your employees know how to spot the tell-tale signs of a phishing email or text. This should be an ongoing process: the best training kits will allow you to update modules to feature the latest phishing campaigns.

Next, revisit your device usage and management policies. In highly regulated industries it may be that employees are not allowed to access any corporate resources from anything other than a highly protected work device. Individual CISOs will need to work out their risk appetite and budget and calculate whether certain users require their own corporate handsets. Policies could be drawn up to restrict downloads of non-approved applications and visits to non-approved sites. Back this up with technical controls: AV software on each device to scan for malware and block any malicious downloads. Enhance corporate security further by mandating that all remotely accessible accounts have two-factor authentication enabled.

Gartner predicts that as many as three-quarters of CFOs plan to shift at least 5% of previously on-site employees to permanent remote working post-COVID. The future is increasingly mobile, so it pays to get ahead of the game to protect the organisation today.