Mobile Threat Blog


As attackers constantly innovate new exploitation and evasion techniques, enterprise security teams are having to stay ahead of a host of emerging threats. Often, these threats have been encountered in other enterprises, and shared knowledge of these threats may help prepare other security teams for similar incidents. Thus, in this post, we’re reviewing some of the top mobile threats that we worked with our enterprise customers to address so far in 2018. We’re also including some newly identified mobile app vulnerabilities discovered by our Mobile Threat Team (MTT) which enterprises should pay attention to.

Mobile Enterprise Threat 1: Abuse of Enterprise Networks

The security team at one of our enterprise customers raised concerns about mobile devices showing unusual proxy activity on their corporate network. It turned out that the suspicious activity was being carried out by in-app SDKs, which turn the device into a SOCKS proxy and route other internet users' traffic through it for monetization. Currently, these SDKs are present in 10.6% of Appthority-managed enterprise environments. We first saw them in 2017, and their prevalence grew rapidly in 2018.

Top 10 Apps with Network Proxy SDKs

Application Name                                   | Package Name
---------------------------------------------------|-------------------------------------
Fake GPS Location – Hola                           | org.hola.gpslocation
VR Youtube 3D Videos                               | com.ekm.youtubevr3dvideos
MP3 Cutter                                         | com.beka.tools.mp3cutter
IQ Test – How smart are you?                       | com.plonkgames.apps.iq_test
Notepad – Text Editor                              | com.guruinfomedia.notepad.texteditor
AudioDroid : Audio Mix Studio                      | com.fsm.audiodroid
Battery Calibration                                | com.nema.batterycalibration
Qr Code Reader, Barcode Reader & Qr Code Creator   | com.qrscanner.barcodereader
Airline Flight Status Tracker & Travel Planner     | com.ik.flightherofree
Simulator Survival ARK                             | com.arksur.navol

Although we have reported these apps to Google Play, they have not been removed, most likely because Google's definition of Potentially Harmful Apps (PHAs) differs from ours. While these apps may or may not affect individual mobile users, we would like to warn that, when active in corporate networks, they could lead to legal complications for enterprises, including GDPR non-compliance, since traffic from unknown third parties then exits through the corporate network. Appthority's recommendation is to remove apps with these SDKs from enterprise environments to avoid future incidents.
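To make the network-side symptom concrete, here is an added example of our own (not Appthority code, and not code from any of the SDKs named above) of how a network team can spot a managed phone that is accepting SOCKS5 sessions. It decodes the client greeting and CONNECT request as laid out in RFC 1928 and runs the decoder over connection records; the record format, device names and addresses are constructed assumptions.

```python
"""Spot phones that are accepting SOCKS5 sessions (added example, not Appthority code).

Message layouts follow RFC 1928; the connection records below are constructed.
"""
import socket
import struct
from collections import defaultdict

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_socks5_greeting(data):
    """Return the auth methods a client offers (VER NMETHODS METHODS...), or None."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        return None
    return list(data[2:2 + nmethods])


def parse_socks5_request(data):
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT into (cmd, host, port), or None."""
    if len(data) < 7 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if cmd not in CMD_NAMES:
        return None
    if atyp == ATYP_IPV4:
        end, family = 8, socket.AF_INET
    elif atyp == ATYP_IPV6:
        end, family = 20, socket.AF_INET6
    elif atyp == ATYP_DOMAIN:
        end, family = 5 + data[4], None      # one length byte, then the name
    else:
        return None
    if len(data) < end + 2:                   # address must be followed by a 2-byte port
        return None
    if family is None:
        host = data[5:end].decode("ascii", errors="replace")
    else:
        host = socket.inet_ntop(family, data[4:end])
    (port,) = struct.unpack("!H", data[end:end + 2])
    return CMD_NAMES[cmd], host, port


def find_proxy_nodes(records, min_peers=2):
    """Return {device: {"peers": set, "relayed": set}} for devices that accept
    SOCKS5 handshakes from at least `min_peers` distinct external peers.

    The signal is a phone acting as a SOCKS *server*: ordinary apps open
    outbound sessions, they do not accept inbound proxy requests."""
    seen = defaultdict(lambda: {"peers": set(), "relayed": set()})
    for rec in records:
        if rec["direction"] != "in":
            continue
        data = rec["payload"]
        req = parse_socks5_request(data)       # try the more specific message first
        if req is not None:
            cmd, host, port = req
            seen[rec["device"]]["peers"].add(rec["peer"])
            if cmd == "CONNECT":
                seen[rec["device"]]["relayed"].add((host, port))
        elif parse_socks5_greeting(data) is not None:
            seen[rec["device"]]["peers"].add(rec["peer"])
    return {dev: info for dev, info in seen.items() if len(info["peers"]) >= min_peers}


# Constructed records: the first payload bytes of each connection touching a
# managed phone, as a NAC or mobile gateway might export them (assumed format).
SAMPLE_RECORDS = [
    {"device": "phone-17", "direction": "in", "peer": "203.0.113.5",
     "payload": b"\x05\x01\x00"},                                # greeting, no-auth only
    {"device": "phone-17", "direction": "in", "peer": "203.0.113.5",
     "payload": b"\x05\x01\x00\x03\x0bexample.net\x01\xbb"},     # CONNECT example.net:443
    {"device": "phone-17", "direction": "in", "peer": "198.51.100.9",
     "payload": b"\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50"},    # CONNECT 192.0.2.10:80
    {"device": "phone-17", "direction": "out", "peer": "example.net",
     "payload": b"\x16\x03\x01"},                                # the relayed TLS ClientHello
    {"device": "phone-03", "direction": "in", "peer": "198.51.100.20",
     "payload": b"GET / HTTP/1.1\r\n"},                          # ordinary traffic, not SOCKS
]

if __name__ == "__main__":
    for dev, info in find_proxy_nodes(SAMPLE_RECORDS).items():
        print(dev, "accepts SOCKS5 from", sorted(info["peers"]),
              "and relays to", sorted(info["relayed"]))
```

Only inbound payloads are inspected because the relayed destinations themselves look like normal browsing; it is the phone answering SOCKS handshakes from unrelated internet addresses that separates a proxy-SDK host from a device whose user merely browses a lot.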

Appthority Mobile Threat Protection Details

Protect against SOCKS Proxy SDKs using these Appthority Threat Indicators:

  • Uses Monkeysocks SDK
  • Uses Luminati SDK

Learn more about Enterprise Risks from SOCKS Proxy SDKs

Mobile Enterprise Threat 2: Apps with Databases Open to the World

When it comes to enterprise mobility, security teams are tasked with mitigating exposure to the obvious but comparatively rare threats to COPE and BYOD devices, such as malware and MiTM attacks. Equally important, and far more pervasive, is the exposure of enterprise and personal data through corporate-managed, company-branded and personally downloaded mobile applications. Corporate-managed private and public apps, as well as company-branded apps, leak employee and customer data in ways enterprise security often has no visibility into. Unfortunately, few audit tools can detect mobile app data leakage in depth.

Since May 2017, Appthority has been discovering large data breaches due to thousands of apps that connect to unsecured backend databases. Mobile app developers are exposing millions of records of sensitive data by leaving hard-coded credentials in the apps or not requiring proper authentication to app data stores. This data risk is of particular concern for enterprises because it creates an attack vector to access corporate keys and databases via EMM-managed enterprise apps, consumer-facing public apps, and public mobile apps.

The following shows the timeline of our discoveries:

  • May 2017: Apps with open ElasticSearch servers
  • Nov 2017: Apps with hard-coded credentials for Twilio API leaking audio data
  • Nov 2017: Apps with hard-coded credentials for Amazon S3 servers
  • June 2018: Apps with open Firebase servers

Poor developer practices related to securing backend data stores present an ongoing problem for enterprise security and compliance teams. Despite Appthority’s efforts to notify Google, backend providers and developers, several apps exposing data are still present on the Google Play store. You can expect this mobile app threat vector to be a continued focus of research and coverage for our customers by Appthority MTT.

This threat is widespread across the mobile ecosystem and far more common than the malware and Man-in-the-Middle (MITM) attacks that enterprises have traditionally monitored for and prioritized. It's time to protect against these risks as well, since these apps put not only employee and customer data at risk but also the enterprise's brand and reputation with customers.
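The four categories in the timeline above (open Elasticsearch, hard-coded Twilio credentials, hard-coded Amazon credentials, open Firebase) all leave traces in the strings of the app itself. As an added example, not Appthority's analysis tooling, the scanner below runs credential and backend-endpoint patterns over strings extracted from an app. The patterns rely on publicly documented formats (Twilio Account SIDs are "AC" plus 32 hex characters, AWS access key IDs are "AKIA" plus 16 characters, Firebase Realtime Database hosts end in .firebaseio.com, Elasticsearch listens on port 9200 by default); the sample strings are constructed, the secret values are fake, and the AWS key is the placeholder value AWS uses in its own documentation.

```python
"""Scan app strings for hard-coded backend credentials and backend endpoints
(added example, not Appthority's tooling). Sample strings are constructed.
"""
import re
from collections import Counter

# (finding name, pattern, severity). Endpoint hits are not vulnerabilities by
# themselves; they tell the reviewer which backend to check for authentication.
RULES = [
    ("twilio_account_sid", r"\bAC[0-9a-fA-F]{32}\b", "high"),
    ("aws_access_key_id", r"\bAKIA[0-9A-Z]{16}\b", "high"),
    # scheme://user:password@host ... credentials embedded in a URL
    ("url_with_embedded_credentials",
     r"\b[a-z][a-z0-9+.-]*://[^\s/:@\"']*:[^\s/@\"']+@[^\s\"']+", "high"),
    ("firebase_database_url", r"https://[a-z0-9-]+\.firebaseio\.com[^\s\"']*", "medium"),
    ("elasticsearch_endpoint", r"https?://[^\s\"'/]+:9200\b", "medium"),
    ("redis_url", r"\bredis://[^\s\"']+", "medium"),
    ("s3_bucket_url", r"https?://[a-z0-9.-]+\.s3\.amazonaws\.com[^\s\"']*", "low"),
]
COMPILED_RULES = [(name, re.compile(pattern), severity) for name, pattern, severity in RULES]


def redact(value, keep=4):
    """Keep a recognisable prefix so a finding can be triaged without re-leaking it."""
    return value[:keep] + "…" if len(value) > keep else value


def scan_strings(strings):
    """Return one finding dict per (string, rule) match."""
    findings = []
    for line_no, text in enumerate(strings, 1):
        for name, pattern, severity in COMPILED_RULES:
            for match in pattern.finditer(text):
                findings.append({"line": line_no, "rule": name,
                                 "severity": severity, "match": match.group(0)})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 3, 'low': 1}."""
    return dict(Counter(f["severity"] for f in findings))


# Constructed strings, as a strings(1)-style dump of an APK/IPA might yield them.
# Hosts use example.com; the AWS key is the documentation placeholder.
SAMPLE_STRINGS = [
    "https://acme-chat-12345.firebaseio.com/messages.json",
    "TWILIO_SID=AC0123456789abcdef0123456789abcdef",
    "AKIAIOSFODNN7EXAMPLE",
    "https://user:s3cr3t@search.example.com:9200/_search",
    "redis://:hunter2@cache.example.com:6379/0",
    "https://acme-uploads.s3.amazonaws.com/avatars/",
    "Welcome to the app",
]

if __name__ == "__main__":
    results = scan_strings(SAMPLE_STRINGS)
    for f in results:
        print(f"line {f['line']:>2}  {f['severity']:<6} {f['rule']:<30} {redact(f['match'])}")
    print(summarize(results))
```

A hit on an endpoint pattern is the point at which to confirm, from the enterprise side, that the backend actually requires authentication (for Firebase, that the database rules are not world-readable); a hit on a credential pattern is a finding on its own, because the secret can be lifted from the app by anyone who installs it.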

Appthority Mobile Threat Protection Details

Protect against insecure mobile app databases using these Appthority Threat Indicators:

  • HospitalGown – Firebase
  • HospitalGown – Elasticsearch
  • HospitalGown – Redis
  • Uses Known Vulnerable Twilio Hardcoded Credentials
  • Uses Twilio Hardcoded Credentials
  • Uses Amazon Hardcoded Credentials

Mobile Enterprise Threat 3: Apps with Access to Corporate Assets

As enterprise mobile security matures, security teams continue to blacklist social and dating apps over privacy concerns. Increasingly, they are also interested in protecting enterprise documents and other data assets from exposure risks related to audio and camera usage within their corporate environments.

The graph below shows the number of Android and iOS apps with such data access in enterprise environments. While it is not yet a widely used security practice to ban personally downloaded apps with this functionality, detection of these capabilities, for use with managed public and enterprise apps, has been growing in importance for security teams in finance, government and aerospace. Appthority expects adoption of these detection capabilities to increase as awareness grows in other verticals.

[Graph: Android and iOS apps with audio, camera and document access in enterprise environments]

Appthority Mobile Threat Protection Details

Appthority Threat Indicators protecting our customers against apps with access to corporate assets:

  • Records Audio
  • Uses Camera
  • Can Open PDF Files
  • Can Open Microsoft Powerpoint Files
  • Can Open Microsoft Excel Files
  • Can Open Microsoft Document Files
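On Android, the capabilities behind these indicators are declared in the app's manifest: audio and camera use through permissions, and document handling through ACTION_VIEW intent filters on the standard MIME types. The following is an added example of our own (not Appthority's analyzer) that derives the indicator names from a manifest and checks them against a blocklist; the manifests and the blocklist are constructed, while the permission names and MIME types are the standard Android and IANA values.

```python
"""Derive capability indicators from an Android manifest (added example,
not Appthority's analyzer). Manifests and the blocklist are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree spells namespaced attributes as '{uri}local'."""
    return "{%s}%s" % (ANDROID_NS, name)


# Permissions that map directly onto an indicator.
PERMISSION_INDICATORS = {
    "android.permission.RECORD_AUDIO": "Records Audio",
    "android.permission.CAMERA": "Uses Camera",
}

# Document types an app can register to open through an ACTION_VIEW intent filter.
DOCUMENT_MIME_INDICATORS = {
    "application/pdf": "Can Open PDF Files",
    "application/vnd.ms-powerpoint": "Can Open Microsoft Powerpoint Files",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation":
        "Can Open Microsoft Powerpoint Files",
    "application/vnd.ms-excel": "Can Open Microsoft Excel Files",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet":
        "Can Open Microsoft Excel Files",
    "application/msword": "Can Open Microsoft Document Files",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document":
        "Can Open Microsoft Document Files",
}


def manifest_indicators(manifest_xml):
    """Return the set of indicator names the manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for perm in root.iter("uses-permission"):
        indicator = PERMISSION_INDICATORS.get(perm.get(android_attr("name")))
        if indicator:
            found.add(indicator)
    components = list(root.iter("activity")) + list(root.iter("activity-alias"))
    for component in components:
        for intent_filter in component.iter("intent-filter"):
            actions = {a.get(android_attr("name")) for a in intent_filter.iter("action")}
            if "android.intent.action.VIEW" not in actions:
                continue   # only VIEW filters register the app as a document opener
            for data in intent_filter.iter("data"):
                indicator = DOCUMENT_MIME_INDICATORS.get(data.get(android_attr("mimeType")))
                if indicator:
                    found.add(indicator)
    return found


def policy_violations(indicators, blocked):
    """Indicators present on the app that the policy lists as blocked, sorted."""
    return sorted(set(indicators) & set(blocked))


# Constructed manifest: a note-taking app that records audio and registers
# itself as a viewer for PDF and XLSX files.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <activity android:name=".ViewerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:mimeType="application/pdf"/>
        <data android:mimeType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed manifest that only *receives* PDFs via SEND (share sheet), which
# is not the same as registering as a PDF opener.
SEND_ONLY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.share">
  <application>
    <activity android:name=".ShareTarget">
      <intent-filter>
        <action android:name="android.intent.action.SEND"/>
        <data android:mimeType="application/pdf"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed policy for a regulated vertical (assumption, not a real customer's).
FINANCE_BLOCKLIST = ["Records Audio", "Uses Camera",
                     "Can Open PDF Files", "Can Open Microsoft Excel Files"]

if __name__ == "__main__":
    found = manifest_indicators(SAMPLE_MANIFEST)
    print("indicators:", sorted(found))
    print("violations:", policy_violations(found, FINANCE_BLOCKLIST))
```

A manifest check only sees capabilities the app declares. An app can still hand a document to another viewer through an implicit intent, or read corporate files through the Storage Access Framework, without any of these declarations, so static indicators like these are best paired with behavioural analysis of what the app does at run time.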

Summary

These mobile threats are risks that enterprises often don't see because they come from apps that are present in the official app stores. They underscore the need to go beyond app store vetting, malware and network checks in order to address privacy and data loss exposure. Automated visibility and protection against these types of mobile security threats at scale is possible with a Mobile Threat Protection solution that offers very deep app analysis and actionable mobile threat intelligence.