Mobile Malware: From Consumer Fraud to Enterprise Espionage

Thirty-three percent of organizations admitted to suffering a compromise that involved a mobile device, according to the Verizon Mobile Security Index for 2019. That’s up 27% from 2018. The data is telling us that it’s time to secure mobile, and yet our understanding of these threats is severely lacking.

What does mobile really even mean?

Do we consider mobile’s history, which dates back to the 1980s, or do we limit mobile to smartphones? Is the Surface Pro a mobile device or a laptop?


Who does defending mobile fall to? The consumer? The hardware and software producers? The enterprise?

Consumer Fraud with Mobile

At SANS Pen Test HackFest Summit this year, Jeroen Beckers from NVISO, co-author of the OWASP Mobile Security Testing Guide and OWASP Mobile Application Security Verification Standard, spoke about mobile malware and its impact on the consumer.

In his talk, he highlighted how mobile malware is gaining popularity and explained the top consumer-related threats on mobile devices: ransomware, subscription scams, ad fraud, and premium text fraud.

Some key takeaways from his talk were:

  1. It’s very easy to steal source code from the Android store and develop mobile malware posing as a legitimate, signed application.
  2. OWASP is one of many organizations pushing to address mobile. Other organizations like MITRE ATT&CK are also adding to their framework to help defenders classify mobile malware.

All things considered, these are small potatoes when compared to an enterprise-level attack. But it got me thinking: the enterprise is a much larger and more lucrative target for mobile malware, especially for adversaries whose goals go beyond financial gain.

Mobile devices are the gateway to on-device corporate data, and more importantly, the corporate network. What threats to the enterprise do these devices pose?

Take these two examples:

TARGET FOR MOBILE MALWARE: On-device Corporate Data

The CFO of the startup WeRaiseMoney is in meetings all day, so he periodically checks his email on his smartphone. This is typical for most people, as 65% of emails are first opened on a mobile device.

He received an email that claims to be from the CEO labeled “URGENT QUESTIONS ON FUNDING” with what looks like a link to a Google Doc. Naturally, he opens the (phishing) email, which is three times more likely to happen on a small screen or mobile device than it is on a traditional laptop computer.

When the CFO clicks on the link, instead of opening a Google Doc, the malware surreptitiously downloads and installs spyware to the device. The spyware gives the attacker access to some of the main functionality on his device, including storage, network tapping, authentication, business functions, and surveillance features via the microphone, camera, and GPS. They now have virtually total control over the device, and can steal corporate data, personal data, or continue to monitor the individual as they wish.

Key takeaway: It is very easy to fall for an email link that seems benign but isn’t, especially on smaller screens. Because mobile devices are always with us and so familiar, we may be lulled into a false sense of security. It is arguably more important to be careful with our mobile devices than with our laptops, because mobile devices regularly mix personal and corporate data.

TARGET FOR MOBILE MALWARE: Access to the Corporate Network

A security analyst investigates an incident of attempted ransomware on corporate computers. An alert gives her some insight into the attack, including some lateral movement across the network, a dropped ransom note, and attempts to lock files across multiple machines. With existing controls, the ransomware was prevented immediately and she could see the majority of the attack tree, but she couldn’t find the true root cause of the incident.

So what can she do? Remediate what’s visible and move on, without understanding where the attack actually started?

For a lot of teams, this is all they can do. They don’t have the tools to fully resolve an incident like this.

“This sounds familiar. With security operations, too often must the security team play whack-a-mole just to stay above water.”

- Maor Franco, Director of Partner Marketing at Cybereason

Those that have the option may use other tools separate from their existing controls, like mobile threat detection or mobile EDR. But they still have to manually connect the dots between the attack they see on the network through existing controls and the attack they see through additional tools. If they can even access data about the incident, they still have to manually correlate it from siloed security tools and link multiple devices to a single entity (laptop-identity-mobile), adding more time to remediation and more room for analyst error.

Key takeaway: It’s a huge mess of a task for an analyst to track down the root cause of an attack involving traditional and next-generation endpoints when security tools are siloed.
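The manual correlation described above can be expressed as a small join on user identity. The following is an added example, not code from Cybereason or any product: alerts from a hypothetical EDR tool and a hypothetical mobile threat detection (MTD) tool are constructed inline, merged into one per-user timeline, and the earliest event across both tools is surfaced as the root-cause candidate that the EDR view alone would miss.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts from two siloed tools (not real product output).
# Each tool only sees its own device class; the user identity is the only common key.
EDR_ALERTS = [
    {"ts": "2019-11-04T10:42:00", "device": "LAPTOP-0421", "user": "jdoe@corp.example",
     "type": "lateral_movement"},
    {"ts": "2019-11-04T10:47:30", "device": "FILESRV-02", "user": "jdoe@corp.example",
     "type": "ransom_note_dropped"},
    {"ts": "2019-11-04T10:48:05", "device": "FILESRV-02", "user": "jdoe@corp.example",
     "type": "file_encryption_blocked"},
]
MTD_ALERTS = [
    {"ts": "2019-11-04T09:15:00", "device": "PHONE-JDOE", "user": "jdoe@corp.example",
     "type": "phishing_link_opened"},
    {"ts": "2019-11-04T09:16:10", "device": "PHONE-JDOE", "user": "jdoe@corp.example",
     "type": "sideloaded_app_installed"},
]


def build_timeline(*sources):
    """Merge (tool_name, alerts) pairs into one chronologically sorted timeline per user.

    Linking on identity is what lets a laptop, a file server and a phone be treated
    as one entity (laptop-identity-mobile) instead of three unrelated incidents.
    """
    by_user = defaultdict(list)
    for tool, alerts in sources:
        for alert in alerts:
            by_user[alert["user"]].append(
                {**alert, "source": tool, "when": datetime.fromisoformat(alert["ts"])})
    for user in by_user:
        by_user[user].sort(key=lambda a: a["when"])
    return by_user


def earliest_foothold(timeline, user):
    """Return (tool, device, alert type) of the first alert seen for this identity."""
    first = timeline[user][0]
    return first["source"], first["device"], first["type"]


def devices_for(timeline, user):
    """All devices tied to the identity across every tool, sorted for stable output."""
    return sorted({a["device"] for a in timeline[user]})
```

The EDR view alone starts at the lateral movement on the laptop; only after joining on identity does the phone's earlier phishing event appear as the origin.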

You can’t prevent, detect, investigate, or remediate what you can’t see.


Closing Thoughts

Mobile devices, specifically smartphones, tablets, and point-of-sale devices, now account for over half of Internet traffic worldwide, not to mention the growing number of IoT and other devices. It has become a necessity to take mobile security seriously, yet the numbers show that less than a third of businesses with individuals in charge of the procurement and management of mobile devices have even the most basic mobile endpoint security.

“Mobile security must become a first class citizen in the eyes of security operations teams. You would not tolerate this lack of visibility and controls on a traditional endpoint, would you?”

- Maor Franco, Director of Partner Marketing at Cybereason

Is your organization addressing mobile threats? Help us better understand this problem from the SOC perspective and leave us a note.

Interested in learning more about the future of cybersecurity? Watch our webinar on 2020 security predictions.

About the Author

Cybereason Team

Cybereason is dedicated to partnering with Defenders to end attacks at the endpoint, in the cloud and across the entire enterprise ecosystem. Only the AI-driven Cybereason XDR Platform provides predictive prevention, detection and response that is undefeated against modern ransomware and advanced attack techniques. The Cybereason MalOp™ instantly delivers context-rich attack intelligence across every affected device, user and system with unparalleled speed and accuracy. Cybereason turns threat data into actionable decisions at the speed of business.
