
The top mobile threats of 2016

2016 has been a whirlwind of hacks and mobile threats, leaving enterprise private data at risk. From the DNC email leak to the 1.4 billion Android users affected by a vulnerability in TCP, our mobile-first world is more exposed than ever. And while the average enterprise may not think they’ll be the next security headline, without taking steps to prevent these threats it’s not a matter of “if,” but “when.” 

For enterprises to stay secure, it’s important to both look back and understand where the big risks and outside threats have been coming from, as well as be thinking ahead and preparing for what is likely to change and impact the business next.

If we learned anything in 2016, it’s that mobile threats are not going away – if anything, they’re growing, multiplying and becoming increasingly sophisticated. While there’s no perfect crystal ball, I do expect to see some new trends and patterns emerge in 2017 that CISOs need to be ready for. Here is a look at some of the major threats discovered in 2016, and what these threats will look like in 2017.

2016: Discovery of Pegasus

Any targeted attack is cause for concern for enterprises, and Pegasus spyware tops the list as one of the biggest mobile threats of 2016. Pegasus, an iOS threat that used three zero-day vulnerabilities that we named “Trident,” rooted victims’ devices and began spying. This allowed hackers to access messages, calls, emails, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, FaceTime, Calendar, and others.

Pegasus is one of the most sophisticated threats ever seen on any endpoint because it took advantage of how integrated mobile devices are in our lives, from Wi-Fi connections and GPS to passwords, email and contact lists, all from one single device.

2017: Widespread targeted attacks on mobile

Nation-state-level actors have long targeted enterprise and government PC and server assets for espionage. With more enterprises and government agencies moving to a heavily mobile environment, coupled with the success of two-factor authentication via the mobile device, endpoint security is going to become even more important. All major nation-state actors will be found attacking mobile devices to gain access to key assets.

2016: Rooting-malware threat

Rooting malware isn’t new, but 2016 remained a popular year for this tactic. With root access, malware authors have greater leverage over a device and can cause issues ranging from annoying adware to malicious spyware, which is concerning for any person or business wanting to protect sensitive data. A couple of notable examples from the year include LevelDropper and Shedun, which show how these threats are continuing to grow and evolve. 

LevelDropper was a brand new family found in the Google Play store, showing that even apps from seemingly legitimate sources can pose risks. It stealthily rooted mobile phones and went on to install risky applications on victims’ devices.

The large malware family Shedun is known for posing as legitimate apps such as Facebook, Twitter, WhatsApp, and Okta’s enterprise single sign-on app. This family was originally discovered in 2015, but it saw a significant resurgence as the malware authors released new variants under the names HummingBad and Hummer, showing that its creators are continuing to evolve the threat with new functionality and new modes of distribution.

2017: Ransomware goes mobile

2016 saw the mainstream evolution of ransomware on the PC; 2017 will see it move much more significantly to the mobile environment. We have already seen ransomware beginning to affect Android; 2017 will see it proliferate more significantly, especially against important IoT devices.

2016: The “Pretenders”

Masquerading as real apps is one of the most popular distribution techniques for mobile malware, and 2016 proved that. In May alone, we found five mobile malware families that were impersonating legitimate enterprise apps and games. The apps represented themselves with the real app names and packaging, and included big-name apps such as Facebook, Dropbox, ADP, Cisco, VMware and Skype.

Hackers also took advantage of holiday shoppers by pretending to be brand name apps including Dillards, Uggs, Zappos and hundreds of others in the iOS and Android app stores. 

The “pretender” apps allow attackers to access private information such as credit cards and banking credentials. Those who download the fake apps have the potential to be victims of identity theft and credit card theft, and could even be sent illegitimate items. Attackers use the apps to access other information on phones as well, such as a victim's location.

2017: Increase in “commodity” malware

The Chinese market has long been the source of much of the commodity Android malware we see. Over the past two years, China has increasingly embraced the iPhone (Q3 2016 was the first time that China revenue from the iOS app store surpassed US revenue) suggesting that we could see similar iOS malware innovation out of China. The holiday shopping malware targeting iOS and Android mentioned above was the beginning of a trend we expect to intensify during 2017 as hackers expand their commodity malware attacks beyond Android and across all operating systems. 

2016: Device vulnerabilities

Vulnerabilities, or flaws in software code, made a large impact on Android and iOS devices this year, giving attackers access to devices and personal data. 

In August, researchers discovered a serious vulnerability in TCP that Lookout determined also affected around 80 per cent of Android devices, or around 1.4 billion devices. Attackers were able to obtain unencrypted traffic and degrade encrypted traffic to spy on victims, raising concerns for enterprises since attackers were able to spy without executing traditional “man-in-the-middle” attacks. QuadRooter, a collection of four vulnerabilities affecting Android phones, also made headlines in August. Dirty COW and Drammer, two distinct Android vulnerabilities we reported on in November, allowed an attacker to root or completely compromise a device.

Vulnerabilities do not just occur in operating systems, but can occur in any type of software system, including mobile applications. This year, Lookout found a vulnerability in an app made for the Black Hat conference that allowed anyone to sign up, making it easy for impersonators to create profiles. Black Hat disabled the feature ahead of the conference.

2017: Mobile IoT attacks

Android devices are the base of a huge part of the Internet of Things (IoT) - Android TVs, Android-based medical devices, Android light switches, and Android cars. 2016 also saw the IoT botnet called Mirai that took down major internet providers. Given the number of unsecured, connected devices that are infiltrating our homes and workplaces, this is the first indication of the size and scale of botnet-type attacks that we can expect to see during 2017. With 2 billion smartphones in use worldwide, just imagine how powerful a force they would be if used for this type of attack. It's a scary, but very real, possibility if the security of these devices is not prioritised.

Mike Murray, VP of Security Research, Lookout