Mobile App Vulnerabilities Persist: HPE Report
Mobile applications frequently handle personally identifiable information, and transmitting that sensitive data exposes significant vulnerabilities, according to the Cyber Risk Report 2016 from Palo Alto, Calif.-based Hewlett Packard Enterprise.
As the number of connected mobile devices increases, criminals have been diversifying malware to target the most popular mobile operating platforms. New Android threats, counting both malware and potentially unwanted applications, grew to more than 10,000 per day, a 153% year-over-year increase. Apple iOS showed the greatest growth rate, with malware samples increasing by more than 230%.
As the traditional network perimeter disappears and attack surfaces grow, security professionals must protect users, applications and data without stifling innovation or delaying enterprise timelines, the company said.
“We have seen the shift the attackers have made to go directly at the application,” Chandra Rangan, vice president of marketing, HPE Security Products at Hewlett Packard Enterprise, said.
This year’s Cyber Risk Report examined the 2015 threat landscape and provided actionable intelligence around key areas of risk, including application vulnerabilities, security patching and growing malware monetization. The report also highlighted important industry issues such as new security research regulations, the collateral damage from high profile data breaches, shifting political agendas, and the ongoing debate over privacy and security.
“In 2015, we saw attackers infiltrate networks at an alarming rate, leading to some of the largest data breaches to date, but now is not the time to take the foot off the gas and put the enterprise on lockdown,” Sue Barsamian, senior vice president and general manager, HPE Security Products, Hewlett Packard Enterprise, said. “We must learn from these incidents, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to fearlessly innovate and accelerate business growth.”
The report’s other findings included the following:
- Approximately 75% of mobile applications exhibited at least one critical or high-severity security vulnerability, compared to 35% of non-mobile applications.
- Vulnerabilities due to API abuse are much more common in mobile applications than web applications.
- Malware attacks on ATMs use hardware, software loaded onto the ATM, or a combination of both to steal credit card information. In some cases, attacks at the software level bypass card authentication altogether to directly dispense cash.
- More than 100,000 banking Trojans, including variants of Zeus (also written ZeuS or Zbot), continue to be problematic despite protection efforts.
- Software vulnerability exploitation continues to be a primary vector for attack, with mobile exploits gaining traction.
- In 2015, Microsoft Windows represented the most targeted software platform, with 42% of the top 20 discovered exploits directed at Microsoft platforms and applications.
The report revealed malware has evolved from simply being disruptive to becoming a revenue-generating activity for attackers. While the overall number of newly discovered malware samples declined 3.6% year over year, the attacks focused heavily on monetization. Ransomware, an increasingly successful attack model, wreaked havoc in 2015, encrypting files of consumer and corporate users alike. Examples of ransomware include CryptoLocker, CryptoWall, CoinVault, BitCryptor, TorrentLocker and TeslaCrypt.
Rangan noted some end-users do not install patches out of fear of unintended consequences. Security teams must be more vigilant about applying patches at both the enterprise and individual user level, and software vendors must be more transparent about the implications of their patches, he said.