Discussing Cybersecurity and Apple Infosec Research With Niels Hofmans of 'ironPeak'
Last updated October 27, 2020
Zimperium is one of the leaders in the field of mobile security and threat defense solutions, creator of AI-based security solutions and advanced application analysis platforms. Recently, they joined ESET, Lookout, and Google in the "App Defense Alliance," formed to put an end to Android malware on the Play Store.
We did an interview with JT Keating, the Senior Vice President of Product Strategy at Zimperium, discussing the trends in mobile threats, the new risks that arose from the COVID situation, and what casual users and professionals alike can do to protect themselves effectively while "on the go."
Being a mobile security expert, what kind of threat trends can you identify as we’re heading towards the end of 2020 and into 2021?
We continue to see increases in mobile phishing and mobile malware attacks since the beginning of the year. Many of these attacks are tied to COVID. As a matter of fact, it was reported that in just one week, there were more than 18 million COVID-related malware attacks. Unfortunately, we don’t see an end in sight with these attacks or with attacks specifically launched against Chromebooks.
The pandemic has brought working from home and learning from home to the forefront. With that, students are using Chromebooks more than ever, and attackers target them because Chromebooks are not protected to the same level as desktops or laptops and are more susceptible to network, malware, phishing, and device attacks.
The Coronavirus pandemic has pushed people to work from home, so many of them use their mobile devices for work stuff too. How risky is this as a practice, and where does the danger stem from?
It’s very risky. If you are working from any endpoint, you are exposed. Mobile endpoints are even more exposed because they have no protection on them. BYOD is even more exposed because the users are the ones that are truly the admins for everything. The danger comes from the major attack vectors - fake Wi-Fi networks, malicious apps, device exploits, and phishing attacks - all designed to compromise your mobile device and gain access to all of your information and data on your phone.
If companies or organizations have implemented a zero-trust approach where the mobile device is part of two-factor authentication (2FA), the organization is even more exposed. In 2FA, your network assumes the person responding on the mobile device is the legitimate user/owner of the device. But if a hacker has compromised the device, he is the one that views the authentication to your network and now can walk right into it undetected.
Your mobile security solution, zIPS, claims to deploy advanced machine learning-based detection. Is your AI in a position to catch all potential threats lurking out there at the moment?
No legitimate vendor should ever say that their technology catches all threats. If one does, quite simply, they are lying. That said, our machine learning-based engine, z9, has been proven to detect more device, network, phishing, and app attacks than any other solution. Most importantly, in the mobile world where hackers often control the network with a rogue access point (RAP) or man-in-the-middle (MITM), z9 is the only major solution that does its detection on-device. Since other solutions’ ML/AI is done in the cloud, attackers bypass the protection by simply disabling access to the cloud.
Ensuring ultimate security levels on the mobile space is a “cat and mouse” game between researchers and hackers who deploy workarounds and new tricks. How do you manage to keep up with everything that goes on in the wild?
The answer is really two-fold. The first is we have - in my estimation and that of leading analysts and security teams from the most sophisticated companies and governments around the world - the world's best mobile-only research team. The second part is, we arm them with billions of data points from tens of millions of endpoints - our customers from around the world - that provide information every single day. So the best mobile researchers in the world are armed with some of the best data on attacks.
What is the most common threat out there that zIPS deals with the most, and what would the consequences be for the users if they weren’t using a mobile security solution?
There is common - and there is dangerous. The most common is mobile phishing at this point in time. The most dangerous is a full device compromise, which is the end game of any attacker in order to maintain persistence.
The consequences of phishing are a loss of credentials right off the bat or an eventual complete compromise of your device. In the case of a device compromise - whether it comes from phishing or any other attack vector - the hacker has more control over the device than you do and has complete visibility into any data (even encrypted information) on or being accessed by the device.
Back in November, Zimperium joined forces with ESET, Lookout, and Google to form the “App Defense Alliance.” Considering that a year has passed since then, where does the project stand in terms of reaching its main goal, which was to wipe malware from the Play Store?
While we are not privy to exact Google statistics, we can tell you the Alliance has detected numerous examples of apps that were attempting to deploy into the Play Store. While the Alliance is working well, it is critical to note that the real risk of malware in the Android ecosystem comes from third-party app stores, not from the Play Store.
We see many Android apps retrieving malicious payloads via updates after they passed their Play Store entrance review. Is there really a way to stop this, and has the “Alliance” made any steps towards monitoring what goes on in update packs containing obfuscated code?
Alliance members scan all new apps and also updates to those apps. What is needed to detect subsequent executable payloads being delivered to apps that are already on users’ devices is on-device protection and detection. This is also the approach that is required to detect risky or malicious apps coming from third-party app stores.
We also see quite a lot of adware popping up on the Play Store and spreading to millions of devices via sets of apps before it is noticed and uprooted. Oftentimes, we see advertising SDKs being the culprit, tricking the app developers too. Again, why does this continue to be such a persistent issue on the Play Store?
As the enterprise leader in mobile security, Zimperium’s customers are not as concerned with adware as they are with more targeted and dangerous threats like mobile phishing, malicious networks, and device compromises. Having said that, our solutions detect adware on user devices and also in the apps our clients produce themselves.
On users’ devices, customers want to detect ad networks primarily to protect privacy. When it comes to the apps being developed for customers, Zimperium zScan will notify our customers of any SDKs (and other privacy and security risks) during the development cycle. This prevents developers from either purposely or accidentally installing an adware SDK into the app.
In recent years, stealthy spyware has left a dent in the field, especially the most sophisticated solutions like that made by FinFisher or the NSO Group. Can Zimperium’s product protect activists, journalists, and advocates of freedom of speech against these spyware tools?
Since its inception ten years ago, Zimperium has been zealously focused on preventing targeted attacks like those mentioned with Zimperium zIPS’ machine learning-based, on-device detection.
On desktop platforms, we often see malware attempting to disable security solutions before it acts. Have you ever had to deal with such a threat on mobile? How do you approach this possibility in general?
We approach it by having our machine learning-based solution on device. Attacks occur at machine speed, so you have to be able to respond at machine speed. Being on device, we can detect attacks like malware and notify the security team before the malware has an opportunity to take defensive actions against us. For security solutions that are cloud-based, there is a delay where the malicious app can disable protection, and the attacker can also cut off access to the cloud-based detection.
Where do you stand on the Android vs. iOS debate when it comes to security? Is Google starting to take the lead, or is Apple still the king of privacy and security?
Inherently both platforms are more secure than traditional endpoints, but they are still platforms and therefore are vulnerable to attack. As an example, there have been more security patches produced for iOS and Android over the last couple of years than there have been for traditional OSs like Windows.
If you look at the four major attacks on mobile - device, network, phishing, and malicious apps - the only one that Apple has a slight edge in today is with apps. And this edge has more to do with the prevalence of third-party app stores on Android than it does with App Store or Play Store vetting.
If you were to give our readers a single piece of advice on how to stay safe when using their smartphones, what would that be?
Obviously, protect your mobile device with a mobile threat defense solution, like zIPS. That said, do not jailbreak or root your device. The minute you do - even if it is for legitimate reasons - you have left the doors open and the alarm off. Secondarily, set your phone to not connect to every Wi-Fi network that it meets automatically.