As we fast approach 2016, my security team and I have been compiling a forecast of mobile security trends and vulnerabilities that concern us most. My goal in outlining these threats is not to raise alarm or panic, but to paint a picture of the gravest security concerns we face in the coming year, and hopefully, encourage the industry at large to prepare for them now. With the proper precautions, most of them can be minimized, or forestalled altogether.
The horrific attacks in Paris, San Bernardino, and other locales around the world ensure that terrorism will overshadow mobile security concerns next year. We will see growing concern over usage of Telegram and Redphone-type communication apps that use end-to-end encryption to avoid eavesdropping. My team has also been tracking the appearance of legitimate-looking apps that criminals are using to communicate with each other for a very temporary time period (sometimes only once).
Looking ahead, we should expect terrorists to leverage major online media services such as YouTube for covert communications by integrating hidden data in videos — for example, special audio frequencies that cannot be heard/understood by humans but are translatable through a special listening program.
2. Hackers Target Mobile Payment Services
Based on back-channel murmurs among black hat hackers, it’s more likely than not that leading mobile payment platforms such as Apple Pay or Samsung Pay will be seriously compromised in 2016. This will probably happen not through outright breaking of their payment processing algorithms but via analysis of the entire system to identify bypass measures and vulnerabilities, leading to credit card information fraud, extortion, and unauthorized use. We have already seen how stolen credit card info has been successfully added to Apple Pay accounts without bank verification, allowing fraudsters to use stolen card information at brick-and-mortar stores. Soon, a similar technique will likely be used for online transactions.
Apple and Samsung are not the only companies in these crosshairs. Peer-to-peer mobile payment apps such as Venmo that use simple payment remittance processes will become more vulnerable to hackers attempting to transfer funds from users’ accounts to dummy accounts they can then access. (We are monitoring underground activity of this kind, but it’s not yet clear whether any of these attacks have been successful.)
3. The Rise of Mobile Web Browser-Based Hacking
We expect mobile versions of Chrome, Firefox, Safari, and related kernels on Android and iPhone to be hacked frequently in coming months. Hacking via a mobile browser is one of the most efficient ways to compromise the entire phone, because exploiting a browser vulnerability can enable the hacker to bypass the phone’s many system-level security measures. The following will give you a sense of how this would work:
WebKit-based exploits allow hackers to bypass a browser’s sandbox, or the security measures built into modern browsers. This would most likely be followed by OS/kernel-level exploits to access the root of the system and gain total control over the device.
An example OS-level exploit is Stagefright, which was a weakness in a library inside the Android OS. Although Google released a patch to address this problem over the summer, Zimperium released a second set of vulnerability discoveries, dubbed Stagefright 2.0, in October. When such an exploit is executed via a web browser, it becomes extremely reliable.
We expect more such vulnerabilities to surface in the coming months and to be exploited at a broad scale in the coming years.
4. Remote Device Hijacking/Eavesdropping
Thanks to the explosive growth of Android devices, billions of people around the world will soon own a smartphone. However, most of these handsets include preloaded applications that are generally not analyzed or validated by Google’s security team, exposing them to remote device hijacking. The open nature of Android smartphones, which OEMs can customize, will perpetuate and worsen this threat, so we should also expect to see frequent OEM security updates/patches. In fact, I forecast them to at least double next year.
Related to this is the rising threat of man-in-the-middle (MitM) attacks. New smartphone owners are often unaware of adequate security habits for their device, or do not practice them. For instance, they may allow their device to automatically access unsecured AP/WiFi connections that don’t encrypt data communicated through the network. This can lead to insecure apps leaking user credentials, which hackers can “see” when the mobile device transmits data.
Another concern is the ability of a hacker to eavesdrop on conversations or view messages that a user sends or receives. My colleagues Daniel Komaromy and Nico Golde recently demonstrated how a simple MitM hack works against Samsung’s Shannon line of baseband chips. Left uncaught, this vulnerability would have enabled hackers to eavesdrop on calls made from these devices.