
An increase in mobile targeted threats is putting organizations at risk of cyber-espionage

Lacoon Mobile Security has warned that Mobile Remote Access Trojan (mRAT) infections of smartphones are increasing and are bypassing encryption and sandbox solutions. The statement is based on the results of its research, which found that one in 1,000 smartphones has mRAT spyware installed. Conducted in partnership with global mobile network providers, the study sampled 2 million subscribers in late October 2012. It found that 52 percent of infected devices were iOS devices and 35 percent were Android-based devices. The study showed that the mRATs were capable of intercepting third-party applications, such as WhatsApp, despite those applications' guarantee of encrypted communications. The worrying element of this trend is that, with enterprises rapidly adopting mobile device management (MDM) solutions, mRATs can bypass the security controls of those solutions in the same manner.

Mobile cyber espionage is carried out through dedicated spyware, also known as Mobile Remote Access Trojans (mRATs). Most mRATs provide, at a minimum, the following capabilities, which make them increasingly attractive to attackers and correspondingly damaging to the business:

  • Eavesdropping and surround recording. Examples: listening in real time to customer calls and recording board meetings.
  • Extracting call and text logs. Examples: text messages containing board meeting follow-ups, and voice memos.
  • Tracking location. Examples: tracking the location of executives at key account meetings.
  • Snooping on corporate emails and application data. Examples: retrieving corporate emails about upcoming M&A activity.

Infecting a smartphone with an mRAT requires the spyware to install a backdoor by rooting the Android device or jailbreaking the Apple device. Although device manufacturers include rooting/jailbreaking detection mechanisms, mobile spyware can easily bypass them. Once the mobile device is infected, the spyware sends mobile content, such as encrypted emails and messages, to the attacker's command and control (C&C) servers in plain text. These attacks undermine the basic notion of a secure container, which is the principle on which MDM solutions rest.

Ohad Bobrov, CTO and co-founder of Lacoon Mobile Security, explains: “MDM solutions create secure containers that separate business and personal data on the mobile. The concept is to prevent business critical data from leaking out to unauthorised individuals. However, our research team demonstrated that mRATs do not need to directly attack the encryption mechanism of the secure container, but can grab it at the point where the user pulls up the data to read it. At that stage – when the content is decrypted for the user – the spyware can take control of the content and send it on. To prove their point, our researchers adapted a similar method used by mRATs in the wild that intercept third-party applications such as WhatsApp. The reason mRATs pose such a danger is that, while the software may be installed on a single device, it can be used to target the whole organization for espionage purposes. To mitigate these and other attacks aimed at the mobile devices utilised within the enterprise, organizations need to accurately assess the risk of mobile activity and actively protect against emerging, targeted, and zero-day attacks.”

While the static compliance and policy enforcement of MDMs does offer some protection, organizations need to understand that it is not complete protection. Spyware attacks rely on exploiting vulnerabilities in the device's operating system, not in the secure container, so it is imperative to deploy security as part of a defense-in-depth strategy.

Best practices and technologies include:

  • Remotely analyse the risk posed by each device, including behavioural analysis of the applications it has downloaded;
  • Calculate the risk associated with the device's operating system vulnerabilities and usage;
  • Conduct event analysis to uncover new, emerging and targeted attacks by identifying anomalies in outbound communications to C&C servers;
  • Enable a network protection layer that blocks exploits and drive-by attacks, and that prevents the device from accessing enterprise resources when its risk is high.
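One way to implement the event analysis in the third point above (flagging anomalous outbound communications to C&C servers), as an added example that is not Lacoon's code or the page's own: it parses constructed per-device connection records from a mobile gateway and flags devices that upload at a near-constant interval to a host outside an allow-list. The log format, host names, addresses and thresholds are assumptions.

```python
"""Flag mobile devices whose outbound traffic looks like periodic C&C beaconing."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connection records (hypothetical format:
# timestamp, device id, destination host, bytes sent). dev-b uploads ~5 KB
# to an unlisted address every 5 minutes; dev-a's traffic is irregular.
SAMPLE_LOG = """\
2012-10-25T08:00:00 dev-a mail.corp.example 2100
2012-10-25T08:00:00 dev-a 203.0.113.9 120
2012-10-25T08:00:05 dev-a chat.example.net 340
2012-10-25T08:00:00 dev-b 198.51.100.23 4800
2012-10-25T08:05:00 dev-b 198.51.100.23 4900
2012-10-25T08:07:00 dev-a 203.0.113.9 90
2012-10-25T08:10:00 dev-b 198.51.100.23 4700
2012-10-25T08:15:00 dev-b 198.51.100.23 5100
2012-10-25T08:20:00 dev-b 198.51.100.23 4950
2012-10-25T08:30:00 dev-a 203.0.113.9 150
2012-10-25T08:31:00 dev-a 203.0.113.9 80
2012-10-25T08:59:00 dev-a 203.0.113.9 200
"""

# Assumed allow-list of destinations the enterprise expects its devices to reach.
KNOWN_GOOD = {"mail.corp.example", "chat.example.net"}


def parse_log(text):
    """Group (timestamp, bytes_sent) records by (device, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, dev, dst, nbytes = line.split()
        flows[(dev, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def find_beacons(flows, min_conns=4, max_jitter=0.2):
    """Return {device: [(dst, mean_interval_s, total_bytes)]} for regular
    uploads to unlisted hosts. Timing regularity is judged by the ratio of
    the standard deviation of inter-connection gaps to their mean, so the
    check works even if the payload itself is encrypted."""
    suspects = defaultdict(list)
    for (dev, dst), events in flows.items():
        if dst in KNOWN_GOOD or len(events) < min_conns:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[dev].append((dst, avg, sum(nbytes for _, nbytes in events)))
    return dict(suspects)


if __name__ == "__main__":
    for dev, hits in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(dev, hits)
```

In production the allow-list would come from the MDM inventory and the thresholds would be tuned against a baseline of normal app traffic, since legitimate push and sync clients also poll on fixed schedules.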


Date: 12th April 2013 • World • Type: Article • Topic: ISM
