Threat Research Blog

The FireEye Mobile Threat Report

Today, we released our mobile threat report, called "Out of Pocket: A Comprehensive Mobile Threat Assessment of 7 Million iOS and Android Apps."  

The report shows that, in the Android world, mobile devices combine sensitive personal data, photos, owner location and much more with sensitive business information, contacts and intellectual property. They also give attackers a new vector for attack. Based on an analysis of over 7 million mobile apps during 2014, our findings indicate that mobile users face risks on many fronts today including:

        * Malicious apps that steal information once installed

        * Legitimate apps written insecurely by developers

        * Legitimate apps using insecure but aggressive ad libraries

        * Malware/Aggressive Adware that pass Google Play checks and are thus assumed ‘safe’

        * Identity Theft

        * Premium rate phone and SMS fraud

While malware on Apple's iOS platform is still very rare due to the strict review process of the iOS app store, other risks are evident. We identified a new delivery channel for iOS malware that bypasses the Apple App Store review process. Attackers can take advantage of enterprise/ad-hoc provisioning to deliver malicious apps to end users, either through USB connections or over the air. We found more than 1,400 iOS apps publicly available on the Internet - signed and distributed using enterprise provisioning profiles - that introduce security issues.

What does this mean for CISOs?

Mobile devices are being adopted across the world. PC manufacturers see sales of PCs and laptops declining as consumers choose simpler, lighter devices to make life easier. We spend more time on our mobile devices than we do watching television. The apps that we choose to install, rather than using a webpage, improve the online experience and ensure the user comes back again and again. We have reached a significant inflection point in how users interact with the Internet.

Apps are the future for online experiences to complete our jobs, shop, bank, use social media and many other purposes in modern daily life. Our mobile devices are also the most important piece of equipment we have today; they contain our diaries, contacts, emails, photos, videos, employer information and many other pieces of important and sensitive information. Yet our mobile devices still do not have sufficient security to ensure they, and the information they contain, are secure.

While mobile devices face security and privacy risks from manufacturers, network providers and website operators, app stores and app developers represent the most significant risk to mobile devices. The apps we download and their subsequent behaviors threaten all information on the device:

        * The apps themselves can copy personal contact details and upload them, take details of all apps installed, or track GPS co-ordinates.

        * Adware can have malicious intentions: stealing bank account details, copying emails, collecting VPN credentials.

        * And of course no developer is infallible: they will always write code that has security vulnerabilities that leave the app open to attack.

As consumers and enterprises, we need to better understand what an app does.

Legitimate app stores are working hard to identify apps that are harmful. However, attackers will continue to stay ahead of the security checks an app must pass before it is available for download. Third-party app stores, while providing app content not available elsewhere, provide a safe harbor for many more malicious apps.

App store providers, app developers, organizations and consumers need to better understand the threats and risks they face from mobile apps today. Understanding app behaviors needs to be a key part of user awareness for consumers. For enterprises, mobile devices and the apps installed on them should be considered a key part of the endpoint strategy, to be understood and secured.

You can see the full report here.