Android Or iOS; Every Device Is Prone To Cyber Attacks

by CXOtoday News Desk    Dec 15, 2015


Even though smartphone makers are offering multiple layers of security, every device is highly vulnerable to cyber attacks, believe researchers. According to security solutions firm Symantec, this year cyber criminals are increasingly targeting Apple devices like iPhones and iPads as these products gain popularity among consumers across the globe, including India. Apple that once remained a relatively safe platform when compared to Android and Windows, is seeing a boom of malware targeting its operating systems since January 2014.

According to Symantec’s findings, besides its Mac OS X and the newer iOS, systems like Apple Pay is making Apple devices a key target of malware. 2016 could see more attacks on the iOS platform, it states.

Apple devices have experienced a surge in popularity in recent years. According to IDC, the company now accounts for 13.5 per cent of global smartphone shipments and 7.5 per cent of global PC shipments. “This increase in usage has not gone unnoticed by attackers. A rising number of threat actors have begun developing specific malware designed to infect devices running Mac OS X or iOS,” Symantec Director Solutions Product Management (Asia Pacific and Japan) Tarun Kaura told PTI.

The myth has always been that Apple devices are insusceptible to malware, however, the reality is that they are just as vulnerable, but hackers choose to find ways to infiltrate Windows and Android devices because of how much more popular they are as a whole. But in the first nine months of this year, the total Apple computers infected by malicious or unwanted applications was seven times higher than all of last year.

FireEye too uncovered that iOS malware that Apple acted swiftly to remove from its app store, Xcode Ghost, had found its way to the networks of 210 US companies, in one of its latest releases.

Another study by Trend Micro, published last month shows without surprise that 95% of Android devices were affected by Stagefright in Q3 of this year. Stagefright, which allows attackers to install malware on affected devices by distributing malicious Multimedia Messaging Service (MMS) messages, reportedly put nine out of 10 at risk. Another critical Mediaserver vulnerability, which could cause devices to endlessly reboot and allow attackers to remotely run arbitrary code, was also found.

In response to the recent spate of Android vulnerability discoveries, Google announced regular security updates for the platform. However, it is yet to be seen as how the platform’s current state of fragmentation will affect this plan. Security patches may not be able make their way to all devices without the support of manufacturers and carriers, rendering them vulnerable to exploitation.

“Cyberspace has become more punitive. These were not isolated cases. As a result, enterprises must adjust their incident response plans to manage the advent of secondary stages of attack—whether those be secondary infections or the use of stolen data to target or extort their user communities. Intrusion suppression will become the goal of incident response as it is imperative that the dwell time of an adversary be limited,” says Tom Kellermann, Symantec’s Chief Cybersecurity Officer.

“Apple’s increasing phone market share is tempting attackers to exert more effort to exploit iOS apps. Apple’s strict security policies on posting iOS apps are, however, pushing them to come up with cleverer tricks like infection via development tools and libraries to get the job done. We’re bound to see more “Ghost-like” threats in the future. Attackers may also opt to abuse certificates and application programming interfaces (APIs) to distribute iOS malware. In response, Apple needs to constantly tighten its app-posting policies,” said Ju Zhu, Mobile Threat Researcher.

“These changes introduce bigger attack surfaces into the more traditionally hard to secure environments,” Kaura said. Citing a Gartner report, Kaura said close to 30 billion “connected” things will be in use across a wide range of industries and the IoT will touch every role across the enterprise by 2020. “As consumers buy more smartwatches, activity trackers, holographic headsets, and other Internet of Things (IoT) devices, the need for improved security on these devices will become more pressing.

“As market leaders emerge and certain ecosystems grow, the attacks against these devices will undoubtedly escalate. Also, with these changes happening so rapidly, regulation may be forced to catch up with technology in 2016. 

“We have already seen attacks on infrastructure and in 2016 we can expect this to continue to increase. Motivations for critical infrastructure attacks are both political and criminal, with nations and political organisations operating cyber-warfare campaigns, and criminals attacking for profit or ransom,” Kaura says.

These research reports show that cybercriminals have gone from targeted attacks to traditional mass infection techniques such as spam, botnets, and exploit kits. While bigger and better-secured organizations may experience breaches of their own if ever attackers successfully manage to leech off data from their smaller, less-secure partners, consumers may also find their personal information at risk if companies continue to get breached due to this lateral progression of attacks.