In its recent Global Threat Report, Crowdstrike reported a 21% increase in nation-state cyberattacks in 2020. Crowdstrike is one of several intelligence sources that use mythological labeling of threat actor organizations with loaded emotional connotations like Wicked Panda, Charming Kitten and Cozy Bear. So how ready for Bear should mobile app developers and mobile app security analysts be? Where and why are nation-state actors targeting mobile vulnerabilities?
Long before the SolarWinds breach perpetrated by Russian hackers, nation-state threat actors and businesses with close ties to governments adversarial to the United States such as China, Iran, North Korea and Russia mounted sophisticated, slow and methodical cyberattacks on U.S. government agencies and businesses. A report sponsored by HP showed nation-state cyberattacks doubled between 2017 and 2020, while activity escalated during the pandemic as threat actors sought to acquire COVID-related intellectual property data and attack the supply chain.
More than a dozen states hostile to the United States and its allies are actively involved in launching state-sponsored cyberattacks. In many cases, their objective is to gain long-term persistence on a device to gather information on a target over a period of time. Simply put, compromise of mobile devices by nation-state actors is about collecting massive amounts of personal data aggregated from multiple data sources such as email, contact lists and geographic information. Here threat actors harvest massive volumes of Personally Identifiable Information (PII) such as names, credentials, contacts, geolocation and other data.
Of the key areas of mobile app risk — fraud, theft, privacy loss and espionage — nation-state actors have the skills, resources and motivation to impact all four. Financial crimes or fraud allow regimes under sanction to find alternative funding for illicit activities. Theft of intellectual property such as weapons systems or other technology has long been a priority. By exploiting user metadata, social disruption or political campaigns can be very effective. As digital footprints have become easier to follow and correlate, the game of espionage has changed and mobile has become a key attack vector.
Rogue SDKs Enable Fraud
Recently rogue SDKs have been embedded in thousands of apps found to impact billions of mobile users. In August of 2020, Chinese ad network Mintegral updated a previously safe ad SDK with SourMint fraudware to steal ad revenue while harvesting PII. Found by Snyk with assistance from NowSecure, the Vungle advertising SDK and Vitamio Multimedia SDK enabled remote code execution in popular mobile apps that could be used to redirect to phishing sites, steal IP, harvest PII and more.
China, Huawei and Intellectual Property Theft
Intellectual property theft is a key target for nation state threat actors, particularly with China. In fact their approach to IP theft differs from Russia, a country more interested in influencing people, disrupting systems and sowing social discord. China, however, is more focused on economic strategies. While some of that effort is accomplished through malware and attacks, other efforts are more subversive, requiring an unacceptable surrender of control to many participants.
Huawei, one of the world’s largest global networking companies and telecommunications equipment manufacturers, is labeled a particular threat to intellectual property theft and was banned by the U.S. government in 2019. Access to China 5G technology and networks requires users to accept even questionable terms and conditions to gain access to millions of potential customers. Huawei smartphones certified by Google and launched prior to the ban continue to operate as normal, creating another set of challenges.
“Huawei recently announced it built its own OS called HarmonyOS, and is creating its own mobile app store,” says David Weinstein, Chief Technology Officer for NowSecure. “Allowed unchecked, that new Huawei mobile OS and mobile apps could potentially target U.S. or E.U. users and collect what data it wants largely without asking for permission under the guise of great features and Chinese government-subsidized hardware.”
When Android didn’t have its own built-in flashlight app, clever attackers built flashlight apps “stuffed with random features that depended on Android system permissions and were just a beachhead to collect information,” Weinstein notes. “It is a common tactic for some nation states to collect as much data as possible and find uses for it later.”
“It is a common tactic for some nation states to collect as much data as possible and find uses for it later.” – David Weinstein, NowSecure CTO
Health Data Privacy Violations Worldwide
Many healthcare organizations, medical facilities, pharmaceutical companies, and universities conducting COVID-19 research have been targeted by state-backed hacking groups. Healthcare data is rich in detail and a primary target for threat actors who harvest data. The Cybersecurity and Infrastructure Agency in 2020 issued an alert that advanced persistent threat groups were targeting healthcare and essential services.
Due to the pandemic, the rise of mobile health applications and user participation has skyrocketed. With over 500 million users worldwide, mHealth mobile apps with confidential patient information span mobile-connected IoT, prescriptions, diagnostic and patient management systems.
Mobile data breaches in healthcare over the last two years have included Walgreens and Quest Diagnostics. In addition, a wide variety of COVID-19 information and tracking apps have been found to leak PHI. One such Android app was even found to be ransomware.
Mass Data Collection for Espionage
Due to the threat of espionage, many organizations fear nation-state cyberattacks and regard them as a major threat, blocking mobile apps like WhatsApp from employee and military use.
Well-known social video mobile app Tik-Tok is owned by the Chinese company ByteDance and has raised anxieties about targeted data collection. Amazon, Wells Fargo and both major U.S. political parties have advised employees to avoid the app. An Emirati video messaging app To-Tok was banned by Google twice for being a mass surveillance tool, but remains available with a warning.
The U.S. government also moved to restrict the usage of Chinese social media app WeChat because of data gathering concerns. In 2019, the FBI confirmed the Face App could be a counterintelligence risk due to its Russian developers, mass data and facial image harvesting, and privacy concerns.
Who Is at Risk?
Organizations across a range of industries are at risk including government agencies, technology, cyberdefense, healthcare, finance, media, communications and critical infrastructure. Threat detection and breach tracking methodologies that can be employed by the mobile users themselves are limited compared to those for desktop users (such as AV, EDR, etc). All organizations that deploy or utilize mobile applications must become diligent to build self defending apps and test their vulnerabilities much earlier in the development stage. Organizations that download and use commercial apps from public app stores must protect their supply chain by deploy a mobile app vetting strategy to identify vulnerable apps that could impact their customers, users and employees.
Federal agencies and businesses should take several steps to protect their mobile attack surface for the mobile apps they build, buy and use. With some effort, most organizations can deter even nation-state threat actors from mobile breaches and data collection.
- Conduct a complete supply chain inventory of mobile apps used throughout the organization and assess their risk level through mobile app vetting.
- Insist on the use of security standards for both developing and using mobile apps – NIAP for DoD and OWASP for commercial businesses including continuous security testing.
- Understand upcoming deadlines, requirements and reporting on existing and new cybersecurity regulations such as the new Executive Order.
Contact NowSecure for more detail on how to protect your organization from mobile app risks, the new White House cybersecurity standards, current federal agency and Congressional briefings, or sign up for a free mobile app security test to check your readiness today.