Mitigating Digital Risk from the Android PC in Your Pocket

Security Teams Must Prioritize Risk Mitigation Against Android Malware

Few of us could have imagined that a device that allows us to talk to anyone from anywhere at any time would morph, in just a few years, into many users’ computing device of choice. The latest numbers from StatCounter reveal that mobile devices are outpacing desktops and are the preferred method for accessing the Internet. The most popular operating system worldwide? Android.

Threat actors watch these trends too. They’re opportunistic and will focus their efforts where they believe their success rate will be the highest. So naturally, many are targeting Android devices and taking advantage of malware to launch attacks. 

As an open-source operating system, Android benefits from collaborative application (app) development and rapid innovation; however, the same openness, in particular the ability to install apps from outside Google Play, also gives malicious actors an easier route onto devices. In the past year, while some users fell victim to targeted social engineering campaigns that infected their devices, most malware arrived embedded in malicious apps that users inadvertently downloaded from official and unofficial sources. Because it has by far the most users, Google Play has been the largest single source of infection; taken together, however, third-party stores accounted for the majority of infections.

Users are duped by apps that pose as legitimate resources or services, or that are advertised fraudulently using the branding of credible organizations. Apps have been found that impersonate Uber, any number of financial institutions, gaming apps and, perhaps most galling, security apps. Mobile malware is generally delivered and deployed through a multi-step process that requires some user interaction, and each step is another opportunity for the threat actor to talk the user into helping. For example, once installed, many malicious apps ask the user to approve privileges their advertised function does not need, such as Device Administrator rights, which also make the app harder to remove. Overlays (a phishing screen drawn on top of a legitimate app, so that the user types into the attacker's window rather than the real one) are also used to prompt users for sensitive information such as credentials or financial data.

So, what's the ultimate endgame for cyber criminals? The most prevalent objective is espionage – gathering information by profiling device data or recording phone calls and messages. Mobile banking malware such as Marcher and BankBot harvests banking data with overlays tailored to specific target banks and intercepts SMS messages to capture one-time multi-factor authentication codes. More recently, mobile devices have also been targeted for cryptocurrency mining. While each device is far less powerful than the desktops and servers normally used for this purpose, there are many more Android devices, and they are often less protected and therefore easier to compromise. Expect this objective to grow as smartphones become more powerful.

Security teams must now prioritize risk mitigation against Android mobile malware. Yet after surveying more than 3,600 security professionals across 26 countries, the Cisco 2018 Security Capabilities Benchmark Study found that mobile devices are the area respondents find most challenging to defend. Implementing the following 10 practices will help:

1. Use the official Google Play store, and only download Play Protect-verified apps from legitimate companies.

2. Grant downloaded apps only the permissions their function requires, and refuse requests for Device Administrator or overlay rights that an app has no clear need for.

3. For business devices, use mobile device management (MDM) solutions that give IT security staff control over access permissions and restrictions.

4. Do not root business devices. Rooting grants unrestricted superuser access to the Android operating system, to any app or malware that asks for it as well as to the user; keeping devices unrooted preserves Android's app sandbox and blocks that route to administrative privilege.

5. Deploy endpoint antivirus solutions on individual devices.

6. Ensure that mobile device operating systems are kept up to date.

7. Build runtime application self-protection (RASP) into your own mobile apps so that the app itself can detect overlay attacks and other malicious activity at runtime and block them.

8. For BYOD enterprises, establish user policies that forbid connecting unmanaged employee-owned devices (for example, devices not enrolled in MDM, rooted, or behind on updates) to corporate infrastructure.

9. Educate employees on the threats associated with SMS phishing and mobile device browsing.

10. Monitor mobile applications, not just third-party apps but also internal company apps, which a third party may have repackaged with malicious code and redistributed.
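The device-admin, overlay and SMS-interception behaviour described earlier, and practices 2 and 10 above, come down to one triage question for an installed package: which of those capabilities does it request, and which has the user actually granted? The script below is an added example written for this article, not code from the original author or from Google. It parses text in the shape of `adb shell dumpsys package <pkg>` output (the section headers `requested permissions:`, `install permissions:` and `runtime permissions:`, plus the resolver-table entries that reveal a Device Administrator receiver or an accessibility service) and scores the package; overlay plus SMS access is the Marcher/BankBot signature. Both samples are constructed, the package names are hypothetical, and the parser assumes the dumpsys layout shown.

```python
"""Triage an Android package for the permission pattern banking malware abuses.

Added example, not code from the original article. Input is text in the shape
of `adb shell dumpsys package <pkg>`; both samples are constructed and the
package names are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Capabilities banking malware abuses, keyed by the permission that grants them:
# (capability tag, why it matters). Meanings follow Android's documented semantics.
RISKY_PERMISSIONS: Dict[str, Tuple[str, str]] = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", "draw phishing screens over other apps"),
    "android.permission.RECEIVE_SMS": ("sms", "intercept one-time MFA codes as they arrive"),
    "android.permission.READ_SMS": ("sms", "read stored one-time codes"),
    "android.permission.SEND_SMS": ("sms", "send premium-rate or C2 messages"),
    "android.permission.RECORD_AUDIO": ("espionage", "record calls and surroundings"),
    "android.permission.READ_CALL_LOG": ("espionage", "profile who the user talks to"),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropper", "side-load further payloads"),
}
# Device-admin and accessibility abuse appear as components registered for these
# intent actions in the dumpsys resolver tables, not as requested permissions.
RISKY_ACTIONS: Dict[str, Tuple[str, str]] = {
    "android.app.action.DEVICE_ADMIN_ENABLED": ("device-admin", "resists uninstall, can lock or wipe"),
    "android.accessibilityservice.AccessibilityService": ("accessibility", "read the screen, inject taps"),
}
SECTION_HEADERS = ("requested permissions:", "install permissions:", "runtime permissions:")
PERM_RE = re.compile(r"(?P<perm>[\w.]+\.permission\.[A-Z0-9_]+)(?::\s*granted=(?P<granted>true|false))?")


@dataclass
class Triage:
    requested: Set[str] = field(default_factory=set)  # declared in the app's manifest
    granted: Set[str] = field(default_factory=set)    # actually held on this device
    actions: Set[str] = field(default_factory=set)    # risky intent actions registered
    findings: List[str] = field(default_factory=list)
    verdict: str = "clean"


def parse_dumpsys_package(text: str) -> Triage:
    """Extract requested/granted permissions and risky component actions."""
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        for action in RISKY_ACTIONS:
            if line.startswith(action + ":"):
                t.actions.add(action)
        m = PERM_RE.match(line)
        if m is None:
            if line and not line.startswith("android."):
                section = None  # any other line ends the current permission list
        elif section == "requested permissions:" and m.group("granted") is None:
            t.requested.add(m.group("perm"))
        elif section in SECTION_HEADERS[1:] and m.group("granted") == "true":
            t.granted.add(m.group("perm"))
    return t


def triage(text: str) -> Triage:
    """Score a package: overlay plus SMS access is the banking-trojan pattern."""
    t = parse_dumpsys_package(text)
    tags: Set[str] = set()
    for perm, (tag, why) in RISKY_PERMISSIONS.items():
        if perm in t.requested:
            state = "granted" if perm in t.granted else "requested"
            t.findings.append(f"{state}: {perm} [{tag}] {why}")
            tags.add(tag)
    for action, (tag, why) in RISKY_ACTIONS.items():
        if action in t.actions:
            t.findings.append(f"component: {action} [{tag}] {why}")
            tags.add(tag)
    if {"overlay", "sms"} <= tags:
        t.verdict = "banking-trojan pattern"
    elif "device-admin" in tags or len(tags) >= 2:
        t.verdict = "suspicious"
    elif tags:
        t.verdict = "review"
    return t


# Constructed sample (hypothetical package), trimmed to the sections the parser reads.
SAMPLE_FAKEBANK = """\
Receiver Resolver Table:
  Non-Data Actions:
      android.app.action.DEVICE_ADMIN_ENABLED:
        7a1f2c com.example.fakebank/.AdminReceiver filter 5d3e9b
Packages:
  Package [com.example.fakebank] (3b2c1a):
    userId=10142
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""
# Constructed benign sample (hypothetical package) for comparison.
SAMPLE_FLASHLIGHT = """\
Packages:
  Package [com.example.flashlight] (9f8e7d):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FAKEBANK, SAMPLE_FLASHLIGHT):
        result = triage(sample)
        print(result.verdict, *result.findings, sep="\n  ")
```

To run it against a real device, capture `adb shell dumpsys package <pkg>` to a file and pass its contents to `triage()`. Two caveats: a flagged permission is a lead, not a conviction (a legitimate SMS or accessibility app holds the same rights, so the findings are meant to prioritise review under practice 10), and the dumpsys layout varies between Android releases, so confirm the section headers in your output match the ones the parser expects before trusting a "clean" verdict.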

Android devices, and smartphones in general, will continue to be attractive targets for cybercriminals, particularly as these devices become more powerful, offer longer battery life and plug into keyboards and other peripherals to easily serve as a user’s computer. But with a multilayered approach to security that includes best practices and a defense-in-depth strategy, security teams can overcome many of the challenges they face when mitigating risk from the PC we carry in our pockets.

Original author: Alastair Paterson