With the pandemic scrambling workforces, reliance on mobile devices for routine work has increased. This is creating some cybersecurity concerns and statistics illustrating the hold that mobile devices have on workplaces are startling. For example, in the United Kingdom, 60 percent of all workers report using their personal smartphones for work-related activities. Numbers are similar in the United States where a Gartner study that says 55 percent of workers use personal devices. MSPs are increasingly being asked to monitor devices that were once firmly in the domain of personal space. But are work-related cybersecurity dangers, such as mobile malware, a real concern?
Smarter MSP caught up with Dr. Gene Tsudik, distinguished professor of computer science at University of California-Irvine, to talk about some of the common cybersecurity concerns associated with mobile malware. He says the dangers to the office posed by personal devices are real.
“A hack endangers one’s phone and everything on it (as well as everything the phone does or is used for),” says Tsudik. He also points out that many organizations (like UCI) ask users to install security-critical apps (such as 2nd-factor authentication and VPN access) on their “personal” smartphones.
“So, malware that gets into the phone can mess with these apps and steal workplace credentials,” Tsudik adds, telling SmarterMSP that these can include passwords and PINS. Once hackers have these credentials they can easily move into a workplace network and wreak havoc.
Combatting mobile malware is tricky
“One clean way to stop mobile malware is to neatly separate personal devices from workplace ones,” Tsudik advises. In some organizations an employee is given a “business” smartphone where the company’s IT department controls installed apps, settings, patches, updates, etc.,” Tsudik says. He adds that this is common at federal government agencies and some private-sector businesses.
“There are clear benefits here, but the big nasty problem is that if the IT department is hacked, all company employees’ phones are toast. So, no silver bullet,” Tsudik states. But policing peoples’ private devices brings its own set of problems.
“The IT department can install some very invasive software/apps on the employees’ own/private phones, but that brings up all kinds of unpleasant privacy issues,” Tsudik advises. He worries that when it comes to mobile malware, we may only be getting a glimpse of what is to come.
“I am scared of the kinds of malware we haven’t seen yet on smartphones: one akin to the Mirai botnet of a few years ago,” Tsudik admits, describing a scenario where stealthy malware infects millions of Android phones and goes to sleep.
“It remains dormant until a stealthy command from the control center that makes ALL infected devices wake up and start doing nasty stuff,” Tsudik warns. Such “stuff” could include actions like mounting a global distributed denial-of-service (DDoS) attack on some cell network or on an Internet entity like a bank or a utility.
Already, we are seeing an increase in mobile malware in 2021. Just this past week, Grifthorse infected 10 million Android devices. Here is how moneycontrol describes Grifthorse:
GriftHorse bombards users with pop-ups claiming that they have won a prize. These are extremely high-frequency notifications, showing pop-ups five to six times per hour. Once a user clicks on it, they are taken to a page that tells them to enter their phone number for verification.
In reality, the page signs them up for a premium SMS service that would charge them 30 euros per month. This charge is added to the phone bill.
Some of the affected phones were corporate-owned devices, so some businesses were duped out of 30 Euros a month for a time if they didn’t catch on to the malware. Within the past few weeks a strain of mobile malware has targeted phones in New Zealand. But, as Tsudik points out, this could be just the beginning, as the pandemic has simply accelerated the trend:
“The pandemic greatly exacerbated our reliance on (and addiction to) smartphones. This has resulted in more crafty malware, more ransomware, more cryptocurrency stealing, and so on,” Tsudik says.
With the proliferation of personal devices in the workplace, MSPs have an opportunity to offer another service, but the plans for doing so must be well-thought out.
“MSPs need to have strict protocols in place when dealing with personal devices. Updating patching and implementing VPNs and coordinating with workplaces need to be done with utmost care,” advises Liz Andrews, a cybersecurity consultant in Baltimore.
“You don’t want the MSP being in a position of having to sift through a person’s family photos on their phone or be able to see what websites are being viewed. It’s a tricky balance,” Andrews warns.
But, according to experts like Tsudik, it’s a balance that will increasingly need to be struck, as malware incidents increase on personal devices.
Photo: iHaMoo / Shutterstock
