Posted on September 29, 2020 at 1:45 PM
Mobile security threats have risen a great deal as a result of the increased use of mobile devices. Business organizations, institutions, and individuals need to be more upfront and active in the defense of their security systems or risk losing their critical info to various forms of threat actors.
And with almost all workers gaining access to their company’s corporate data via smartphones, the work of security exports has even become more intricate. Everyone knows that the cost of a single data breach can be quite alarming, so there is a need to prevent such data breach.
It is important to know the different types of mobile security threats to understand how best to deal with them. These threats include physical threats, network-based threats, web-based threats, and even application-based threats. Our focus here is to enlighten you on the top mobile security threats you need to deal with before they become a major security problem. Here are the top 10 in 2020.
1. Malicious apps
There is no doubt that malicious apps constitute a bulk of the mobile security threats employees can bring to the organization. When your employee visits the App Store or Google Play Store to download apps that feel genuine, most time the apps request certain permissions before users can download them.
Many people do not take a detailed look at the permissions and allows the apps to access some of their critical information. Once the permission is granted to the malicious apps, they can steal information and plant their malicious algorithms in the mobile device, thereby giving them further access.
This is where the malware can creep into their mobile devices and later find its way to the corporate servers when the employee uses the same malware-infested app to access the servers.
Most people just glance over the list of permissions and agree without reviewing them in great detail. This lack of scrutiny leaves devices and enterprises vulnerable to mobile threats.
2. Out-of-date devices
This is another security threat that users and organizations need to protect themselves against. Tablets, smartphones, and other mobile devices that are connected over the internet may be a tool for hackers if they are out of data.
They are commonly reoffered as the Internet of Things (IoT). Unlike traditional work devices, these do not have any sort of security guarantees or any ongoing security update. As a result, they can stay vulnerable when connected online.
This is particularly more pronounced for android devices, where many of the manufacturers are not effective when it comes to keeping their devices up to date. As a result, it leaves security loopholes for threat actors to explore and plant malware in the devices.
Most of the devices do not have monthly security updates or operating system updates. The worst part is the fact that many of the IoT devices are not even designed to have security updates. Since there is no built-in patching mechanism, it leaves the devices vulnerable to any threat actor.
The problem is, no one is certain which device has a strong security protocol or which one is regularly updated. So, the more IoT devices used to access the internet, the greater the risk of a malicious infection on the devices.
3. Improper Session Handling
A lot of apps utilize “tokens” to facilitate ease-of-access for mobile device transactions. They do this to enable users to carry out multiple transactions without asking users to enter their details at each transaction. Tokens are usually generated by the app for identifying and validating devices, just like passwords for users.
However, some apps may unintentionally share session token, which is termed improper session handling. They may share these tokens with malicious apps, which allow malicious actors to impersonate genuine users.
Most times, it’s caused by a session that stays on even after the user has moved on from the website or app. Most users who log into apps or sites and fail to log out can leave the door open for threat actors to use the open site to explore other connected parts of the employer’s network.
This is why users need to be very vigilant when connecting to a site or network. They need to log out immediately to prevent any intrusions that may pose a security threat to their devices and their employers as well.
4. Poor password hygiene
Security researchers may have stressed enough about using poor passwords to protect their accounts, but it seems many users are still guilty of this act. As it stands, many users are still failing to protect their accounts with strong passwords, which has made it easier for threat actors to crack the easy passwords and infiltrate their devices and get to their employers’ servers.
Since these users are moving around with phones that contain both personal sign-ins and company accounts, it leaves the door wide open for threat actors.
Another problem is the reuse of passwords, which many mobile phone users are guilty of this. A recent survey by Harris Poll and Google showed that more than 50% of Americans maintain one password across multiple accounts. This makes it easier for an attacker because once one account is compromised others are likely going to be compromised as well.
The report revealed that only a quarter of mobile device users are actively making use of password manager, which shows that majority of users do not have strong passwords for their device security.
And if the analysis by LastPass is anything we can depend on, it means there is even more reason to worry about the lack of good password protection by employees who use mobile devices to access the internet.
The analysis showed that about 50% of professionals use the same passwords for both their personal and work accounts. And with an average employee sharing 6 passwords across all accounts, it leaves security threats from poor password hygiene a precarious situation.
5. Third-Party Exposure
There have been several breaches as a result of the company’s or organizations’ alignment with third parties.
Several retailers utilize third-parties for services like payment processing. As a result, they don’t think liability for third-party breach applies to them. But even if they use third-parties, it doesn’t exonerate them when there is a data breach.
Even when the retailer does not deal with the personal information of users directly, a third party could cause a serious cybersecurity threat
Hackers are notorious for stealing data via third-party vendors, like the 2013 Target malware attack. That’s because most times, the security protocol provided by third parties is neglected by the contracting company, thinking any data breach is not the company’s concern.
But the fact is, data breaches as a result of poor security management from third parties will be blamed on the third party and the contracting company.
The penalties and fines can be huge, ranging from thousands of dollars to millions, depending on the level of breach.
6. Mobile ad fraud
There is no doubt that there is huge revenue potential from mobile advertisements. According to the Interactive Advertising Bureau (IAB), mobile advertising alone generated about $57 billion last year.
With this massive revenue, hackers are enticed to take their share out of the lump sum. Since hackers go wherever the money goes, mobile ad fraud has been on the increase.
Ad fraud costs organizations more than $100 billion every year, according to the Juniper Research Project.
Although hackers perpetrate ad fraud using different methods, the most common has been to generate clicks on ads using malware. The clicks will seem genuine from a legitimate service, but it has been threaded with malware.
Sometimes, the malware may contain information about messaging or weather forecast, asking the user to download to enjoy the app. But in the real sense, the app has been wired with malware, which generates fraudulent clicks, stealing some advertising funds from ad-supported publishers and mobile advertisers.
Mobile ad fraudsters use Android most times to perpetrate their act. Android mobile malicious apps are many, and users need to avoid them.
7. Data leakage
Data leakage has been widely regarded as one of the biggest threats to companies’ security. One of the reasons why this is the case is the likelihood of a company experiencing data leakage because of an employee who has access to the data.
Sometimes, the employee can connive with the hacker to get a share of the loot after the victim has paid. In other situations, data leakage could come from former employees who are angry about how they were ousted from the company.
From Ponemon’s latest research, companies have a 28% chance of experiencing data leakage once every two years.
But some data leakage occurs as a result of overt user error. It can come from sending an email to an unintended recipient, pasting confidential information on the wrong place, or transferring company files to a cloud storage device.
These are some instances a company’s data can be leaked. These mistakes happen often, and one in four mistakes can result in a data leak. That’s why an employee needs to be careful about the transfer of company files to avoid such mistakes.
8. Social engineering
Social engineering has still remained a menace to data security experts and companies even though there has been enough awareness and information to avoid it. The trickery is just as troubling on desktops as it is on mobile fronts.
According to a 2018 report by cyber security firm FireEye, 91% of cybercrimes begin with email. Social engineering attacks do not utilize any sophisticated attack or the use of malware, which is still bewildering while such attacks still happen today.
The threat actors depend largely on impersonation tactics to deceive their victims into providing sensitive information or clicking dangerous links. And mobile users stand a high risk of falling to this type of trick because of how the sender’s name is displayed on mobile devices. The threat actors usually find it easier to deceive targets who access their mail through their mobile devices.
Most social engineering attacks are successful on phones than desktop computers because most people access their phones easily when going through their mails compared to their systems.
Once the user responds to the message and opens the links, they can open the backdoor for the hacker to launch more serious attacks.
9. Network Spoofing
This is gradually becoming a major source of mobile security threats for organizations. In the case of network spoofing, hackers can set up a fake access point that resembles Wi-Fi networks to deceive users.
These types of networks can be set up around high-traffic public locations like airports, libraries, and coffee shops.
The access points are given common names such as “Coffeehouse” or “free airport Wi-Fi” to deceive those who may fall victim to connect to the network.
In some instances, the attackers allow users free access to the network after they have created accounts with passwords. This is where the retrieve these usernames and passwords to try and compromise the users’ email address since many of the users apply the same passwords to all their accounts.
That is why users should not provide personal information when connecting to Wi-Fi or other outside networks. Even when you want to create a login, use a unique password that is not related to any of your online accounts. This way, you will not give the hackers a helping hand to infiltrate your accounts.
10. Cryptojacking attacks
This is relatively new in the world of mobile cybersecurity threats. This occurs when an attacker mines cryptocurrency with another device without the knowledge of the owner. The cryptocurrency mining process consumes hardware and technology. If someone else uses your mobile device frequently to mine cryptocurrency, the device is likely to malfunction or start having low battery life pretty soon.
Although cryptojacking started with desktop computers, the perpetrators have taken their game a step further to hijack mobile phones as well. Incidences of cryptohijacking on mobile phones started appearing in 2017 and skyrocketed in 2018. Since then, the ban on crypto mining apps has reduced the rate of mobile cryptohijacking, although there is still some level of success in recent times.