Who Else is Watching While You Work?
The scrutiny that followed Amnesty’s research into Pegasus earlier in the year, and the associated attention from the press, has brought the subject of mobile malware right back to the front of our own and our customers’ thoughts.
Privately funded software groups have been leveraging unreported zero-day vulnerabilities to compromise targeted mobile devices in order to gain access to data. While this is not a new phenomenon, that does not make it any less of a potential threat.
There are many ways to increase the security of your mobile device estate and to ensure you have a good level of protection against Pegasus and other mobile-related malware. 
This article covers some of the things you should be considering, but it’s not exhaustive. If you think you need some help in understanding what you have and what you may need, we can help. 
SMS Phishing
SMS phishing is increasingly common. Hackers will send a link via text message; usually the text will indicate that you have won a competition, or that someone might have logged into one of your accounts. Once you click the link, you will be directed to a web page designed to look exactly like that of the company they are impersonating. This web page will ask for your credentials, which will then be captured by the hacker. Alternatively, the web page will try to download malicious software onto your device.
TECH TIP: Challenge and empower your userbase to identify, ignore and delete unsolicited messages with click-through links.  
Also, applications requesting permissions they don’t need are suspicious, aren’t they? Unless there is a logical reason for the application to need a permission, it’s usually pretty safe to decline it. If the option exists, the permission should only be granted for the duration that the app is open.
User Training 
Cyber security awareness combines knowledge with proactively working towards protecting your business. If you make sure your employees are aware of cyber-related risks by helping them to understand what cyber threats consist of, how potential attacks can affect the business, and how to help prevent attacks, you are one step closer to having a business that is cyber secure.
If you don’t have a formal user awareness training programme in place, consider how you can put one in place. There are many tools available to help; get in touch to learn how we can assist you.
Mobile Based Network Protection 
A common attack method for mobile devices is unsecured or untrusted Wi-Fi networks. Hackers may set up a “Wi-Fi Honeypot”, which is basically a fake wireless access point, to trap unsuspecting visitors at a specific location. This could be an issue if your employees work from cafes, or even if they’re visiting other companies for meetings and connecting to their Wi-Fi. Even if the Wi-Fi network you’re connected to is legitimate but simply unsecured, hackers can eavesdrop on your connection to gather information. Any data that is transmitted in an unencrypted format could potentially be intercepted by hackers, for example plain text fields used for services that require a login. Hackers could then use stolen credentials to access personal accounts or company data, or could even sell your login data to third parties.
Can you detect whether one of your mobile devices has connected to a Wi-Fi network where a Man-in-the-Middle attack could be reading and exfiltrating your company data?
Protection against this has to happen on the mobile device itself; whatever mobile device security/management solution you have, you need to be confident that it will protect against network-based malware events.
Staying Patched 
Just because a threat is not a zero-day does not mean it can’t compromise an unpatched device. Mobile Device Management can help with device inventory and tracking, app distribution, password enforcement, app whitelisting and blacklisting, data encryption, and remote wiping. Unfortunately, MDMs do not detect mobile threats or notify users that threats exist on their endpoint; this is where mobile security is required to close the gap.
Additionally, confirming patching status, which brings the capability to track and remediate unpatched end-user-managed devices, is another part of the defensive arsenal. Responding quickly to patch updates helps to decrease the chances of a data breach arising from unpatched software.
Mobile App Malware Detection 
We live in a world that is becoming increasingly mobile, and threat actors are constantly seeking new mobile infection vectors and working on more effective ways to breach the security protections put in place.
Anti-Virus is a well-known requirement across the traditional endpoint estate, and with the rapid adoption of mobile devices for day-to-day corporate use, some similar considerations are needed for the mobile estate.  
Controlling allowed applications isn’t enough here, as there have been known cases of published applications from legitimate organisations that have unfortunately been infected with malware. 
These considerations also include elements of web browsing filtering, not only from a content point of view but also covering malicious and suspicious sites, blocking one of the most popular routes for phishing and malware loading.
Bring Your Own Compromise 
Another consideration is that, even if the company mobile is secured, the user may have a personal mobile sitting next to it. If that personal device is the target of the compromise, the value to the attacker can be near equal if their goal is audio interception. In an age of working from home and flexible work, a draconian request for staff to place “personal phones in lockers” probably isn’t a suitable approach.
So, what is? Ultimately, it would be the user exercising the same good judgement on their personal devices. We have also seen some organisations provide their employees with the same types of tools and solutions to protect their personal devices, and with the rise in SMS phishing, most users are happy to accept the help! 
Visibility & Indicators of Compromise 
If your mobile devices are generally connected to a network under your control, then there are some Indicators of Compromise (IOCs) that you can look for using a SIEM or threat hunting tool:
https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso 
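One way to carry out that review, shown as an added example that is not part of the original article or of the linked repository: the Python below matches DNS query logs against a domain indicator list, including subdomains of a listed domain, and groups hits by device. The indicator entries, client addresses and key=value log layout are constructed placeholders, and the one-domain-per-line list format is an assumption.

```python
from collections import defaultdict

# Constructed stand-in for a domain indicator list (one domain per line).
SAMPLE_IOCS = """
# placeholder entries, not real IOCs
cdn-update.example
Tracker-Node.invalid.
"""

# Constructed DNS resolver log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2021-07-20T09:14:02Z client=10.0.4.23 query=www.intranet.example type=A
2021-07-20T09:14:05Z client=10.0.4.23 query=a1.cdn-update.example. type=A
2021-07-20T09:15:40Z client=10.0.4.57 query=notcdn-update.example type=A
2021-07-20T09:16:11Z client=10.0.4.23 query=TRACKER-NODE.invalid type=AAAA
garbled line without fields
2021-07-20T09:17:30Z client=10.0.4.80 query=cdn-update.example.evil.test type=A
"""

def normalise(name):  # lower-case and drop the trailing root dot
    return name.strip().lower().rstrip(".")

def load_iocs(text):
    """Parse a one-domain-per-line list, skipping blanks and # comments."""
    return {normalise(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")}

def match_domain(qname, iocs):
    """Return the indicator equal to qname or to one of its parent domains."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in iocs:
            return ".".join(labels[i:])
    return None  # look-alike prefixes and foreign suffixes do not match

def hunt(log_text, iocs):
    """Return {client: [(timestamp, query, indicator), ...]} for every hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if "client" not in fields or "query" not in fields:
            continue  # malformed line: skip it rather than abort the hunt
        indicator = match_domain(fields["query"], iocs)
        if indicator:
            hits[fields["client"]].append((parts[0], fields["query"], indicator))
    return dict(hits)

if __name__ == "__main__": print(hunt(SAMPLE_LOG, load_iocs(SAMPLE_IOCS)))
```

Matching on whole DNS labels rather than substrings keeps look-alike names such as notcdn-update.example from raising false positives while still catching subdomains of a listed indicator.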
If you do not have visibility of what is happening on your company’s mobile devices, then how do you get it? Get in touch with us so we can help you through this process and help you to ensure your mobile devices are fully protected.
Watch our recent Tech Tip Tuesday where Paul and James discuss mobile security.