Security of mobile phones and applications: five popular attack scenarios and methods of protection

Modern mobile devices are multifunctional and complex, which makes them vulnerable to cyberattacks. Attackers have a number of ways into your phone—from Wi-Fi and Bluetooth to the speaker and microphone.

Positive Technologies analysts have published a research on the most common scenarios of attacks against mobile devices and applications. For more details, download the research, or read on to get a short overview.

Attacks on mobile devices and applications

There are five main scenarios of such attacks:

  • Physical access. Your device may have been lost or stolen, taken to a service center for repairs, or connected to a charger via USB. In all such cases, it is at risk of being attacked.
  • Malicious application. Sometimes malware can come even from official app stores, such as Google Play and Apple’s App Store.
  • Communication channel attack. Connecting to an untrusted Wi-Fi network, proxy server, or VPN creates the risk of attacks in the communication channel.
  • Remote attacks. Attackers can act remotely, using mobile applications servers or other exploit delivery services.
  • Server-side attacks. Server-side attacks are special in that attackers do not need access to the device at all.

Let us discuss each attack scenario and possible protection methods.

Physical access attacks

There are several common scenarios of physical access attacks. In most cases, the attacker has direct access to your phone, which happens if the device was lost, stolen, or taken to a service center. In a less common scenario, attackers can use a malicious charging station to perform the attack. Let us talk about this attack scheme in more detail.

The charging station to which you connect your smartphone via USB may turn out less safe than it appears. Modern OS versions on both Android and iOS require user consent when connecting a smartphone to a PC via USB. However, older smartphones with Android 4.0 or earlier do not require such consent. If such devices connect to charging stations that have been compromised or installed by hackers, they become vulnerable to attack. Such attack may look as follows:

  • A user has a smartphone with Android 4.0 or earlier with enabled USB debugging.
  • The user connects to the charging station via a USB cable.
  • A malicious charging station executes the “adb install malware.apk” command to install a malicious app on the user’s device.
  • The station then executes the “adb am start” command to launch the app.
  • When launched, the Trojan tries various privilege escalation techniques, obtains root rights, and gains persistence. Now it has access to all stored data, including authentication data for all applications on the phone (usernames, passwords, and tokens) and unlimited access to any running application.

How to protect yourself

Above all, never leave your phone or tablet unattended in public places. Set a password to unlock the device or enable biometric protection, if possible. Do not jailbreak or root your device. Disable lock screen notifications.

Malware attacks

Malware can come from various sources:

  • Official app stores such as Google Play and the App Store. In rare cases, malware-laden applications can come from official stores, causing damage to users and stealing their personal data. To drive more user downloads, such applications often have clickbait names, such as Super Battery, Turbo Browser, or Virus Cleaner 2019.
  • Non-official websites and third-party app stores. To get malware on an Android phone, it is enough to enable installation from untrusted sources and then download an application’s APK file from a rogue website. For iOS, all that is needed is to follow a link in Safari and confirm certificate installation, after which any application in a non-official store will be available for installation directly from the browser.
  • Users can install applications downloaded from the Internet over USB.
  • Android’s Google Play Instant technology allows downloading parts of an app by following a link.

Depending on permissions, malware may be able to access certain stored data, microphone, camera, geolocation information, contacts, and other data. Bad apps can also interact with other applications on the device via inter-process communication (IPC/XPC). If apps have vulnerabilities that can be exploited via such interaction, a malicious application may take advantage, especially on Android devices.

What is more, malware can try to escalate privileges by exploiting vulnerabilities to root or jailbreak the phone.

How to protect yourself

Above all, avoid downloading apps from untrusted sources. Beware when installing applications with suspicious names even from official app stores, since the checks such stores perform cannot be perfect. Keep your OS and applications up to date to protect yourself from attacks targeting known vulnerabilities.

Communication channel attacks

In order to be able to attack from the network, attackers need to perform a man-in-the-middle attack, which makes all traffic between a mobile client and the server pass through the attacker’s device. Applications sometimes have vulnerabilities that allow such attacks.

For example, when establishing a secure connection, mobile applications normally verify the authenticity of the server certificate and check whether its parameters correspond to those of the server. But sometimes developers disable this for convenience during testing and forget to enable it in the release version. The application then accepts any certificate, including the attacker’s.

Even if the app correctly verifies certificates, attackers could still convince the victim to install a malicious certificate and trust it. Sometimes, an application can connect securely to the server but contains links to third-party resources loaded via HTTP. This allows attackers to conduct phishing attacks.

If attackers obtain control of client–server traffic, they can do the following:

  • Spoof server responses: for example, tamper with bank transactions or conduct a phishing attack.
  • Spoof client requests: for example, change transaction amounts or the recipient’s account number.
  • Intercept data, including usernames, passwords, one-time passwords, card information, and transaction history.

Attackers can use passwords and usernames from various victim’s accounts to steal data and funds.

How to protect yourself

Never connect to suspicious Wi-Fi networks. Avoid using proxy servers and VPNs that you do not trust with your personal and bank information. Do not install third-party certificates on your device.

Most popular chat and social network apps are well protected from such attacks. So if an application suddenly stops working on your current Wi-Fi connection, this may indicate that this network is unsafe and you should disconnect in order not to put other apps (such as your banking app) at risk.

Remote attacks

Some mobile application vulnerabilities can be exploited remotely, meaning that attackers do not even need to control traffic between the app and the server. For example, many applications can handle special links, such as myapp://. Such links, called deeplinks, are present on both Android and iOS. Following a deeplink in a browser, mail, or chat app may open the app for handling such links. The entire link, including its parameters, is passed to that app. If the app contains any vulnerabilities, attackers can exploit them by tricking the victim into following a malicious link.

Mobile devices may handle more usual links, such as http:// and https://, in a similar way: they can be passed to an application instead of browser, sometimes even without user confirmation.

Google Play Instant allows launching instant apps by simply following a link. A malicious application may use this to sneak onto a user’s device and allow attackers to remotely exploit vulnerabilities on the phone.

How to protect yourself

Timely installation of OS and app updates is the only way to protect yourself. If you cannot install the update or it has not been released yet, you can temporarily stop using the vulnerable application by removing it from your device or by simply logging out.

Server-side attacks

To attack a mobile application server, hackers normally have to find out how a client application interacts with the server. With information about the entry points, hackers can try to modify requests in order to find and exploit vulnerabilities.

Mobile applications server sides are often no different from web applications. In most cases, they are even less complicated (usally a JSON API or XML API) and, unlike websites, rarely work with HTML and JavaScript.

The most common vulnerability in mobile applications servers is insufficient brute-force protection (58% of servers versus 24% of web applications affected) and business logic errors (33% of servers compared to only 2% of web apps).

Our research has shown that users can access other users’ personal data in an application, including payment card information, names, phone numbers, and more. Authentication and authorization flaws allow attackers to access such data as a registered user or even without any credentials at all. 

How to protect yourself

In case of a server-side attack, ordinary users can do little to protect themselves. However, risk can be minimized by using strong passwords and enabling two-factor authentication with one-time passwords for all critical applications where possible.

To reduce the odds of a successful attack against a mobile application, developers must carefully check feasibility of each of these attack scenarios. Various attacker models must be taken into account during development, and at least some protection measures must be implemented at the pre-development (design) stage.

Developers should ensure implementation of Secure Software Development Lifecycle (SSDL) and regular analysis of the security of their applications. Not only will such measures help to detect potential threats, but they will also train developers to be better at security and thus strengthen the overall level of application protection in a long-term perspective.

Author: Nikolay Anisenya, Positive Technologies

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.