Mobile security advances to stopping device exploits — not just detecting malicious apps

By Byron V. Acohido

The most profound threat to corporate networks isn’t the latest, greatest malware. It’s carbon-based life forms.

Humans tend to be gullible and impatient. With our affiliations and preferences put in play by search engines and social media, we’re perfect patsies for social engineering. And because we are slaves to convenience, we have a propensity for taking shortcuts when it comes to designing, configuring and using digital systems.


This hasn’t worked terribly well for defending modern business networks from cyberattacks. And now we are on the verge of making matters dramatically worse as smartphones and IoT devices proliferate.

I recently had a chance to discuss this state of affairs with J.T. Keating, vice president of product strategy at Zimperium, a Dallas-based supplier of mobile device security systems. Launched in 2010 by a Samsung consultant who saw the handwriting on the wall, Zimperium has grown to 140 employees and attracted $60 million in venture capital from Warburg Pincus, SoftBank, Samsung, Telstra and Sierra Ventures.

The company is seeking to frame and address mobile security much differently than the traditional approach to endpoint security. “When you have billions of mobile devices that aren’t well protected, and the users are primarily responsible for controlling them, it makes for very ripe targeting,” Keating told me.

For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and length.

LW: What’s most worrisome about mobile security?

Keating: If you’re a consumer, you should really care about malicious apps. The vast majority of the mobile malware we see is designed for fraud. A perfect example of one going around right now is called Bankbot. A user will install an apparently benign utility, like a level or a light, and it is actually software that gets installed, then uses a phishing attack to get the user to elevate privileges … and users click yes, yes, yes.

LW: We’ve become accustomed to the behavior of automatically giving up privileges, which plays to the attackers’ advantage.

Keating: Exactly. Land and expand, it’s a time-tested tradition. Another is persistence. If a bad guy is going to take the time to compromise your device, he’ll want to own your device after you reboot. That’s an elevation of privilege. That’s their ultimate goal.

LW: How are businesses being targeted?

Keating: If I’m targeting XYZ Bank, I’m not going to put an app in the App Store and pray that somebody downloads it. I’m going to sit in a coffee shop across from the bank and scan network traffic until I find somebody from the bank, then do a man in the middle attack. Based on looking at their mobile device, I will figure out how they’re vulnerable and I will deliver an exploit to actually compromise that device, much the same way a traditional Remote Access Trojan attack would have been carried out against a traditional endpoint.

LW: So a little more coordination to target a bank employee’s smart phone.

Keating: Exactly. It becomes a total kill chain. It starts with a network attack. Based on scanning, I know you’re with XYZ bank. I deliver the exploit for your specific device to compromise it and weaponize it. Now I can use that device to send phishing into the traditional corporate network. I can now send you an e-mail from my phone that can deliver WannaCry to your Windows PC.

LW: And then probing the targeted company’s network?

Keating: Exactly. Last fall, the Russians actually took a rogue access point — called a pineapple, a faked Wi-Fi network — and they bolted it on to a drone and then they flew that drone around a NATO base and pulled in 4,000 soldiers’ phones. Microphones were turned on. They knew what the troop movements were going to be. They got caught when they started sending faked orders.

LW: How has the corporate world progressed in dealing with mobile threats?

Keating: Originally people basically said iOS was bulletproof because Apple did such a great job of vetting apps in the App Store. The first generation of solutions addressed apps at the app stores, as well. It was easy to take a signature-based, deterministic approach to apps.

But malicious apps, from a corporate standpoint, represented only one threat. So now solutions are starting with the device side and saying, ‘OK, now how do I prevent any device exploits; how do I detect any device exploits?’ It starts with detecting network attacks that might be used to deliver targeted exploits, and then going all the way back to the apps.

LW: So that’s much different than the traditional approach to endpoint security?

Keating: Yes. In the world that you and I came from, the traditional endpoint apps had so much more ability to play with other apps that attackers didn’t necessarily have to go to the extent of compromising the desktop or laptop. We’ve had to pivot the mindset to ‘How do we have protection that runs on the device that can’t be undercut by a network attack?’ Device exploits must be detected first and foremost, and then we can start dealing with these other things that are more the means to the end than the end themselves.

LW: So what’s a basic approach to making that pivot?

Keating: Fundamentally the very first thing that we do with our customers is turn on the lights. We help them determine which systems are vulnerable and what attacks they might be vulnerable to. The first thing is always turn on the lights. Give yourself a risk profile. What apps do I have in my environment? Which apps are risky? Which apps have access to my contacts or to my microphone?

Today there’s a huge variety of these super computers sitting in your pocket, accessing corporate resources. And companies have zero visibility about what’s taking place.

LW: Generally where does the business sector stand on the implementation curve?

Keating: It’s pretty early. What’s interesting is that 100 percent of our customers, once they turn the lights on and detect mobile threats, choose to go the next step. From an operating systems standpoint, close to 80 percent of Android and 30 percent of Apple devices are out of date, which means they’re exposed to vulnerabilities that are already well-known to the hacker community.

LW: Once again, the bad guys are ahead of the curve when it comes to mobile, and in position to take advantage?

Keating: Exactly. They are taking advantage of the fact there’s no instrumentation; there’s no visibility on these devices. The other thing I’m starting to see is compliance is now catching up. So whether it’s HIPAA or the GDPR directive in Europe, they’re all starting to catch on to the fact that mobile is part of my ecosystem. And it has to be secured as such.

LW: Where are we heading for, say, five years from now?

Keating: Threats are definitely going to continue to increase because it is a relatively unprotected platform and because users are the ones making the security decisions. I personally think that there’s a good possibility either Apple or Google, or both, might start trying to figure out a better way to actually have the equivalent of patch management.

Today there is no ability to push patches out, which is why so many phones are vulnerable. I’m not sure that that’s a great long-term strategy. The only approach that scales for both mobile — and, in its turn, IoT — has to be on-device detection. And I think there has to be a little bit better way of dealing with shoring up and tightening the risk associated with unpatched systems.
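The “turn on the lights” step Keating describes (which devices run an out-of-date OS, which apps hold contacts or microphone access) can be run as a triage pass over an MDM inventory export. The following is an added illustration, not Zimperium’s code; the device records, app names and minimum OS versions are constructed placeholders for the example.

```python
# Added example (not Zimperium's code): a "turn on the lights" triage pass
# over a constructed MDM-style inventory, flagging out-of-date OS builds and
# apps holding the permissions a fraud app like the one described above wants.
from dataclasses import dataclass

# Assumed minimum patched OS versions; placeholders chosen for this example.
MIN_OS_VERSION = {"android": "13.0", "ios": "16.0"}
# Permissions a reviewer would want justified per app before trusting it.
SENSITIVE_PERMS = {"contacts", "microphone", "sms", "accessibility"}


@dataclass
class Device:
    device_id: str
    os: str            # "android" or "ios"
    os_version: str    # e.g. "12.1"
    apps: dict         # app name -> set of granted permissions


def parse_version(text):
    """'12.1' -> (12, 1, 0); pads so that '13' and '13.0' compare equal."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def os_out_of_date(dev):
    return parse_version(dev.os_version) < parse_version(MIN_OS_VERSION[dev.os])


def risky_apps(dev):
    """Apps holding any sensitive permission, mapped to those permissions."""
    return {name: sorted(perms & SENSITIVE_PERMS)
            for name, perms in dev.apps.items() if perms & SENSITIVE_PERMS}


def risk_profile(fleet):
    """Per-device findings plus the fleet-level out-of-date rate per OS."""
    findings = {d.device_id: {"outdated_os": os_out_of_date(d),
                              "risky_apps": risky_apps(d)} for d in fleet}
    outdated_pct = {}
    for os_name in MIN_OS_VERSION:
        group = [d for d in fleet if d.os == os_name]
        if group:  # skip an OS with no devices rather than dividing by zero
            stale = sum(os_out_of_date(d) for d in group)
            outdated_pct[os_name] = round(100 * stale / len(group))
    return {"devices": findings, "outdated_pct": outdated_pct}


# Constructed sample inventory: not real devices, apps or permission grants.
SAMPLE_FLEET = [
    Device("d1", "android", "11.0", {"flashlight": {"camera", "contacts", "sms"}}),
    Device("d2", "android", "13.0", {"mail": {"contacts"}}),
    Device("d3", "ios", "16.2", {"notes": set()}),
]
```

Each device's findings and the per-OS out-of-date rate come back from `risk_profile(SAMPLE_FLEET)`; a real run would build the `Device` list from the MDM export instead of the constructed sample.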

(Editor’s note: Last Watchdog has provided consulting services to Zimperium.)
