Cybercrime increasingly went mobile in 2019, with everything from Apple iPhone jailbreaks and rogue Android apps to 5G and mobile-first phishing dominating the news coverage. Here are Threatpost’s Top 10 mobile security stories of 2019.
Top Mobile Security Stories of 2019
Cybercriminals are increasingly and successfully targeting mobile users, as our look back on the Top 10 2019 mobile security stories shows. For enterprises that are embracing an ever-more-mobile workforce, escalating mobile attack vectors significantly widen the threat landscape, and are forcing companies to rethink what their security requirements need to be. For consumers, greater awareness is their only hope to protect their personal data.
Apple Takes Bug Bounty Public
In December, Apple officially opened its historically private bug-bounty program to the public, while boosting its top payout to $1 million (for a zero-click remote chain with full kernel execution and persistence on Apple’s latest shipping hardware). The payouts are a huge step up from the private program’s paltry $200,000 top reward – but the tech giant is looking for full working exploits with any vulnerability submission. Other payouts range from $25,000 to $500,000 across a range of products, including Macs, iPhone and iPad, and Apple TV.
Apple Bugs Proliferate
Speaking of Apple bugs, iOS vulnerabilities turned up throughout 2019, including the “AirDoS” bug that allows nearby hackers to render iPhones and iPads inoperable, via the file-swapping feature AirDrop. In June, an iMessage bug came to light that bricks iPhones running older versions of the company’s iOS software; and five other iMessage bugs were found that required no user interaction to exploit, including one that would allow remote attackers to access content stored on iOS devices. Also, a total of 14 iPhone vulnerabilities – including two that were zero-days when disclosed in February – were found to be targeted by five exploit chains in a watering hole attack that lasted years.
WhatsApp Faces Down the NSO Group
In May, WhatsApp warned users that a zero-day vulnerability found in its messaging platform was exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns. Later in the year, WhatsApp owner Facebook sued the Israeli company NSO Group, alleging that it developed the surveillance code itself and used vulnerable WhatsApp servers to send malware to approximately 1,400 mobile devices, targeting human rights defenders, journalists and other members of civil society worldwide. NSO’s president later took indirect aim at WhatsApp over the issue in a conference session.
StrandHogg Impersonates Android Apps
This fall, researchers found a new Android vulnerability called StrandHogg that could allow malware to pose as popular apps and ask for various permissions – enabling hackers to listen in on users, take photos, read and send SMS messages, and basically take over various functions as if they are the device’s owner. The wrinkle is that the activity overlays and masquerades as a mobile app, such as Facebook, that a person would use regularly. The flaw affects all Android devices, including those running Android 10, and puts the top 500 most popular apps at risk.
The Checkra1n Jailbreak
A BootROM vulnerability for iPhone dubbed “checkm8” was disclosed this year – an un-patchable bug affecting hundreds of millions of iPhones that gives attackers system-level access to handsets via an unblockable jailbreak hack. An exploit soon emerged, called checkra1n, which would allow users to bypass DRM restrictions to run unauthorized and custom software. Checkra1n also makes users susceptible to rogue or unstable apps downloaded from outside of Apple’s curated App Store. Meanwhile, a fake website purporting to enable iPhone users to download checkra1n (but ultimately downloading a gaming app bent on click fraud) made the rounds.
Mobile Phishing Kits Emerge
April saw a new wrinkle in the mobile landscape: Mobile-first phishing. A kit that specifically targets Verizon Wireless customers in the U.S. pushes phishing links to users via email, masquerading as messages from Verizon Customer Support. These are tailored to mobile viewing: When the malicious URL is opened on a desktop, it looks sloppy and obviously not legitimate – however, when opened on a mobile device, it looks like what you would expect from a Verizon customer support application.
Spotlight on 5G
This year for the first time, security for 5G networks became a top conversation topic. The next-gen mobile technology promises ultra-low-latency and exponentially faster throughput to pave the way for new enterprise use cases and applications, including remote telesurgery, self-driving cars, electricity on-demand and more. However, in these scenarios, a cyberattack can literally be a matter of life or death. With many of the security protocols and algorithms for 5G being ported from the previous 4G standard, researchers have already found 5G flaws allowing device fingerprinting and man-in-the-middle (MiTM) offensives.
Earlier this year, Twitter and Facebook warned of software development kits (SDKs) that could be embedded within a mobile application and used to scrape profile information, such as email addresses, usernames, gender, last tweets and so on. The SDKs, which the tech giants said are maintained by oneAudience and MobiBurn, violate both companies’ data privacy policies, which prohibit allowing third parties to harvest profile information for data monetization purposes. That was a change implemented in the wake of the Cambridge Analytica scandal, and the issue continued the debate around social media privacy.
Retina X Stalkerware
In its first crackdown on “stalkerware,” the FTC has banned the sale of three apps – marketed to monitor children and employees – that can be installed on devices to track their owners’ location, activity and more. The apps come from a company called Retina-X Studios, and the FTC said that since the apps were designed to run surreptitiously in the background, they are uniquely suited to illegal and dangerous uses, especially in domestic violence situations. Meanwhile in November, the Coalition Against Stalkerware formed to help victims of stalkerware, instances of which have increased more than 300 percent in 2019.
While fingerprint sensors and FaceID are touted as providing the best available mobile security, 2019 saw a few bypasses of the technology. The Samsung Galaxy S10 fingerprint sensor for instance was shown to be fooled in a hack involving a 3D printed fingerprint cloned from a wineglass. And Samsung admitted later in the year that anyone can bypass the Galaxy S10 fingerprint sensor if a third-party silicon case is enclosing the phone. In October, Google came under fire for its Pixel 4 facial recognition unlock feature, which users said would unlock for users even if their eyes were closed. And in August, researchers revealed a bypass for Apple’s FaceID.