Check Point mobile security data shows devices can come pre-installed with malware

Their research shows that some devices are infected before users have a chance to do it themselves.

We're nearly at the end of our mobile security data review, with Check Point being the fourth security vendor I spoke to for this project (which has been super illuminating).

They provided me with a whitepaper that had a little bit of relevant data, and I also spoke with Ran Schwartz, product manager of mobile security, and Brian Gleeson, head of threat prevention product marketing.

And, much like all the other vendors, I did find something new to mention regarding mobile security data.

What data did Check Point provide?

The first bit of mobile security data comes from their 2017 mobile threat research report, which covers the period between July 2016 and July 2017. They looked at 850 organizations that had a minimum of 500 devices. I also reviewed their publicly available 2018 mid-year trends report, and Ran and Brian provided some data from an internal analysis of their business customers, which ranged in size from 1,000 devices up to 60,000+ devices each.

Their 2017 data shows that the average number of malware attacks per organization was 54, with 100% of organizations suffering an attack during the period. The latter data point isn't all that surprising given the large deployments their customers have. Where is malware most distributed in the world? Check Point broke down the percentage of malware distributed by region: 39% for the Americas; 28% for Europe, the Middle East, and Africa; and 33% for Asia-Pacific countries.

From their 2018 mid-year cyberattack trends whitepaper, I found one interesting bit of info: more and more malware is coming pre-installed from the factory. Before users themselves have a chance to do something stupid, their device is already infected. Forty-two low-cost smartphone models shipped with the Triada banking Trojan. Meanwhile, millions of devices from a variety of manufacturers like Huawei, Xiaomi, Vivo, and Samsung already had RottenSys, mobile adware disguised as a secure Wi-Fi service, on board.

In a call with Ran Schwartz, product manager of mobile security, Ran explained that the biggest malware threat comes from something they call "generic malware." This type of malware doesn't focus on just one capability or class (e.g., an info stealer or mRAT) but can be repurposed as needed once it is on a device. For example, maybe the attacker originally used it to try to gain access to your banking info, but now it will be used to spy. Check Point's data shows that more unique generic malware is discovered on devices than all other malware combined. Back in January 2016, when it was still fairly new, they saw nearly 60,000 unique samples. Naturally the number of unique generic malware samples has fallen since, but every month in 2018 they discovered over 1,000 unique samples, with August (4,917) and November (4,378) reporting the highest counts. For comparison, other malware, like cryptominers and ransomware, registered in double digits or lower each month.

Ran also explained that the proliferation of a malware type tends to follow human trends. For instance, cryptominers didn't really come into existence until December 2017, when the cryptocurrency craze began; the number of unique cryptominer signatures out there then dipped along with interest in cryptocurrency, before seeing a surge again in late 2018. (They track unique hashes to determine the number of unique malware samples downloaded on devices protected by SandBlast Mobile.) In December 2017, Check Point saw 68 unique cryptominers on customer devices, with the count going down to single digits through most of 2018 and rising back up to 27 in December.

The number of unique ransomware samples followed a similar trend, with the high being 14 in August 2017. Then, outside of April 2018 (98) and August 2018 (45), unique ransomware signatures dropped to merely one each month last year. Ran explained that ransomware is most prevalent on Android and doesn't have much financial impact on businesses—it's really more of a productivity problem. For enterprises that provide devices (instead of BYOD), most data is saved in the cloud and on the backend rather than locally on the device itself, so you just reset an affected device.

Ran was attending a conference when he spoke with me and told me he agreed with something a third-party vendor told him: 2017 was the year of ransomware, 2018 focused on cryptomining, and 2019 will be the year of phishing. Many mobile threat defense vendors seem aware of this as they are developing mobile phishing solutions.

Since adding phishing protection on Android a couple of years ago, and more recently on iOS, Check Point has seen organizations get targeted with 150 to 300 SMS phishing messages each month. Attackers now also target messaging apps like WhatsApp and Telegram, which users often believe are more secure.

Additional data points

The mobile threat research report shows that 89% of organizations had at least one man-in-the-middle attack during the year. Ran admitted this isn't the most surprising number, but he did confirm that they don't count captive portals or content filtering toward this percentage—just true malicious attacks. Additionally, 75% of organizations had at least one jailbroken or rooted device, with the average per company being 35 devices.

One final data point is that for customers with more than 500 devices, 20.21% of those devices experienced what Check Point classifies as a high-risk or medium-risk event. Yes, it's a combination of two different levels, but still worth noting. A high-risk event is a malicious app or an SSL attack, while medium-risk events can be more wide-ranging. Some potential medium-risk events these devices could experience include: a device-tracking or rooting tool installed, a non-market app found on the device, an Android device not updated with the latest security update, and an iOS device with a developer or enterprise certificate installed.

Always interested in more data to dig around in

While I’m winding down the research, having spoken with multiple security vendors, I’m always interested in any additional data.
