Augusto Morales is a Technology Lead (Threat Solutions) at Check Point Software Technologies. He is based in Dallas, Texas, and has been working in cyber security since 2006. He received his PhD/MSc in Telematics Systems Engineering from the Technical University of Madrid, Spain, and he is also a Senior Member of the IEEE. He is the author of more than 15 research papers focused on mobile services and holds professional certifications such as CISSP and CCSP.

In this powerful interview, cyber security expert Augusto Morales shares what he’s observed within the mobile threat landscape and highlights actionable steps that can help organizations and individuals protect mobile devices.

How has mobile malware changed and evolved over time?

Mobile malware has evolved rapidly. In the past, cyber criminals focused on the lack of security controls in the OS and weak controls on app stores in order to carry out malicious activities. However, as these two areas have evolved, malicious actors are importing techniques and tactics from the general threat landscape into the mobile world.

This situation has occurred due to the low penetration of mobile security into personal and enterprise environments. What is interesting is that recent attacks on the software supply chain, such as Sunburst, created massive panic, but in the mobile world these kinds of attacks had already happened a few years earlier with, e.g., XcodeGhost. However, the outcome was not the same.

Fraud, identity theft, service disruptions, and credential theft are still on the rise despite the efforts of hardware and software vendors. This is mainly because of the difficulty in maintaining a precise balance between the human and the systems (and their processes). Malware developers will continue to abuse the human and trick users into installing applications and clicking on links for as long as mobile devices remain the keys to digital identities.

Would you be able to share key statistics around current mobile malware trends?

Mobile malware occupies a critical place in the cyber attack space. Twelve percent of corporate networks have been attacked using mobile vectors, according to the latest Cyber Attack Trends report released by Check Point in Mid-Year 2022. And from 2021 to 2022, there was a 14% increase in companies suffering a compromise where mobile devices were involved.

How is Pegasus spyware (and similar) impacting businesses, if at all?

Attacks like Pegasus turned the public’s attention to how mobile devices are vulnerable, and the potential impact on democracy and human values. Even though it is difficult to manage state-sponsored cyber attacks, there are definitely attack vectors that can be stopped, such as smishing and malware on mobile devices. I think Pegasus has opened the eyes of our executives, managers and administrators to the importance of securing and controlling OS devices for purposes of maintaining business continuity and data privacy.

In what ways are businesses weak when trying to prevent mobile malware threats?

Modern mobile OSes were defined with security principles, such as sandboxing and a strong sense that the “root” user, which in this case is the human, has the ultimate power over what is done. The challenging part is to apply traditional endpoint security controls over architectures that limit the ability to enforce protections. In turn, this creates technical problems and challenges in terms of operational security. Administrators find themselves with problems deploying mobile threat defense, modifying OS parameters and also convincing users (especially in ‘Bring Your Own’ scenarios) to follow best practices. Businesses struggle to apply least privilege concepts on mobile devices and at the same time comply with regulations that demand, e.g., Multi-Factor Authentication (MFA). Part of the solution is to understand the specific attack surface and to create a balance between usability and security.

How can businesses avoid mobile malware when they ask employees to use their own devices for work purposes? (BYOD)

BYOD is a very interesting concept. While it enables and makes business much more agile, it comes with visibility challenges. That is why it is sometimes called “Bring your own disaster”. Businesses must understand what applications employees are using and how business data flows across stakeholders. There are approaches to secure BYOD, such as using Mobile Application Management (MAM), where only corporate apps are controlled and work in conjunction with a Mobile Threat Defense solution. Also, with some specific frameworks, such as Android for Enterprise, employees can maintain privacy of private data but simultaneously enable work-related activities. Mobile malware can reach phones in many ways, from an innocent download link clicked by naïve persons to advanced or targeted phishing attacks via an SMS. Nevertheless, it is key to maintain visibility not only once the malware is about to be installed by the person, but also by inspecting encrypted traffic when data is in motion.

Please share recommendations for CISOs in relation to mobile security:

  • Define a very specific mobile security policy that covers all attack vectors. Mobile malware can affect business operations, but Wifi attacks, Bluetooth exploitation and OS vulnerabilities can also harm businesses. The mobile security policy must clearly define the type of applications allowed and the countermeasures to mitigate the restrictions of BYOD. There must be OS hygiene requirements and stipulations about keeping the OS updated and avoiding risky configurations such as USB debugging.
  • Without visibility there is no control, and this applies to the mobile world too. Installing a Mobile Threat Defense solution such as Harmony Mobile is imperative to prevent danger and to identify usage patterns in order to correct any deviation from the mobile security policy.
  • Understand and correlate mobile security events with other platforms. The mobile environment is not isolated. Any situation should be investigated and a forensic report should be generated. This will help avoid situations where attacks starting on mobile devices (via compromised phones) affect privileged account management processes and hamper Multi-Factor Authentication at all levels. C-level audiences are frequently targeted, so there should be a specific task force to assess and mitigate attacks.

How can CISOs prove that this is a real business problem when talking to executives?

Mobile attacks have been increasing. At Check Point, we have debunked the myths vs. realities of mobile security. We have identified vulnerabilities even in chipsets or the OS that can compromise all data on phones. In the last few weeks, even Apple has acknowledged the importance of securing iOS devices, and Google has recently shared information about how seriously they take security.

Targeted attacks, such as Pegasus, have evolved despite the effort of cell phone makers. And mobile malware in public application stores has not disappeared despite alliances between security vendors. As mobile devices increase their value in our lives, cyber criminals will definitely shift their efforts towards compromising the personal and corporate data on them.

What types of mobile malware security solutions should enterprises adopt?

A Mobile Threat Defense (MTD) solution is the most recommended security control for enterprises. It can even work on top of existing MDM/UEM solutions, so it can compensate for and complement typical mitigation actions, such as remote wiping and removing/adding apps. There is a misconception around mobile antivirus: even if it is effective in identifying known malware, it cannot stop other attack vectors, such as Wifi attacks, DNS poisoning or OS exploitation.

To highlight a typical use case, let’s imagine a person sitting in an airport lounge. Across the room there is a malicious actor with Wifi hacking devices (e.g. a Raspberry Pi), trying to poison the DNS and perform a Wifi attack. An MTD solution will detect these malicious activities, trigger a conditional access rule, and finally notify that situation to the corporate MDM. These sorts of protections and reactions cannot be solely performed by a regular mobile antivirus.
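As an added example (not code from the interview, and not from Harmony Mobile or any other Check Point product), the script below models one heuristic an MTD-style agent could apply in the lounge scenario above: resolve a fixed set of corporate hostnames through the resolver the Wifi network handed out, resolve the same names through an out-of-band trusted path, flag answers that disagree or that point public hostnames at non-public addresses, and turn the findings into a conditional-access decision plus an MDM notification flag. All hostnames, addresses and resolver answers are constructed for the example; there is no network I/O.

```python
"""Rogue-resolver check in the spirit of the airport-lounge scenario.

Added example, not code from the interview or from any Check Point
product. Resolver answers below are constructed test data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: answers from the resolver the lounge Wifi pushed via DHCP.
# RFC 5737 documentation ranges stand in for public addresses.
NETWORK_RESOLVER_ANSWERS = {
    "mail.example.com": ["203.0.113.10"],
    "vpn.example.com": ["10.0.0.5"],            # public host -> RFC 1918 address
    "intranet.example.com": ["198.51.100.20"],  # public, but not the real host
    "www.example.org": ["192.0.2.44"],
}

# Constructed: the same names via a pinned, trusted resolver (e.g. DoH).
TRUSTED_RESOLVER_ANSWERS = {
    "mail.example.com": ["203.0.113.10"],
    "vpn.example.com": ["203.0.113.20"],
    "intranet.example.com": ["203.0.113.30"],
    "www.example.org": ["192.0.2.44"],
}

# Ranges a public corporate hostname should never resolve to on a public
# network. Listed explicitly instead of using ipaddress.is_private, because
# that property also classifies the RFC 5737 test ranges as private.
NON_PUBLIC_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass
class Finding:
    name: str
    reason: str
    network_answer: list
    trusted_answer: list


def is_non_public(ip: str) -> bool:
    """True if ip falls in an RFC 1918 / CGNAT / loopback / link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC_RANGES)


def compare_answers(network: dict, trusted: dict) -> list:
    """Return one Finding per hostname whose network answer looks tampered."""
    findings = []
    for name, net_ips in network.items():
        trusted_ips = trusted.get(name, [])
        if any(is_non_public(ip) for ip in net_ips):
            findings.append(Finding(name, "non-public address for public host",
                                    net_ips, trusted_ips))
        elif not trusted_ips:
            findings.append(Finding(name, "no trusted answer to compare against",
                                    net_ips, trusted_ips))
        elif set(net_ips).isdisjoint(trusted_ips):
            findings.append(Finding(name, "answer disagrees with trusted resolver",
                                    net_ips, trusted_ips))
    return findings


def conditional_access_decision(findings: list) -> dict:
    """Map findings to the reactions the scenario describes: deny corporate
    access on this network and notify the MDM/UEM with the reasons."""
    if not findings:
        return {"access": "allow", "notify_mdm": False, "reasons": []}
    return {
        "access": "deny",
        "notify_mdm": True,
        "reasons": [f"{f.name}: {f.reason} ({f.network_answer} vs {f.trusted_answer})"
                    for f in findings],
    }


if __name__ == "__main__":
    decision = conditional_access_decision(
        compare_answers(NETWORK_RESOLVER_ANSWERS, TRUSTED_RESOLVER_ANSWERS))
    print("access:", decision["access"], "| notify MDM:", decision["notify_mdm"])
    for reason in decision["reasons"]:
        print(" -", reason)
```

Run as-is, the script denies access on the constructed network because vpn.example.com resolves to an RFC 1918 address and intranet.example.com resolves to an address the trusted path never returned. A real agent would also pin the trusted resolver's transport (DoH/DoT with certificate validation) so the attacker cannot tamper with the comparison baseline itself.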

What are your predictions around the future of mobile malware threats and solutions?

Smishing via mobile devices will increase. As MFA policies become mandatory, hackers will try to compromise phones using different tactics and techniques. Companies will have to put resources in place to investigate and make root cause analyses to assess mobile environments. Mobile banking trojans will increase as they take advantage of the pervasiveness of QR codes and SMS. Mobile malware has become more sophisticated and harder to deal with as cyber criminals use the experience acquired from the endpoint world. Finally, malware attacks will keep targeting everyone everywhere, as they can be used to breach organization-owned assets.