2016 Security Predictions: #3 – Attackers will target mobile app vulnerabilities
2016 will see a continued rise in the number of attacks targeting mobile devices – something that probably won’t come as much of a surprise to anybody. But the scope of the problem and the potential for damage will. The sheer volume of mobile devices, the amount of malware (20 million apps by the end of 2016, according to Trend Micro), and the inherent vulnerabilities present in even legitimate mobile apps mean that a major breach is bound to happen, potentially on a massive scale.
To put it into perspective, Cisco recently released an advisory about a vulnerability in its WebEx for Android app. This particular flaw leaves the app vulnerable to an exploit that could allow a secondary malicious app to acquire the same permissions as the WebEx application. Typically, an app will ask for permissions, effectively tipping the user off to its intent. But by exploiting this vulnerability, the malicious app can gain access without any notification. And with millions of potential targets (as many as 5 million may have downloaded the app), it’s only a matter of time before a vulnerability like this results in a major incident. Fortunately, at this time there are no reports of this particular exploit resulting in a breach.
Additional threats exist in spear phishing attacks that exploit the fact that mobile users are more likely to click on a malicious link simply because it’s harder to identify it as suspicious on a smaller screen. And malware designed to look like valid apps can convince unsuspecting users to enter login data that can then be used to gain access to legitimate sites storing detailed personal and financial data. Mobile device users, particularly Android owners, need to remain diligent in validating which apps they choose to download and which attachments they choose to open.