How to Better Secure Your Mobile Device: Highlights from My Conversation with Kevin McNamee

By Shane Tews

For the past several years, Nokia’s annual Threat Intelligence Reports have highlighted the most pressing cybersecurity risks to internet-enabled devices. According to the 2020 and 2021 reports, malware infections on both computers and mobile devices are on the rise—specifically through downloadable software that poses as something helpful or fun for users. Yet antitrust proposals in Congress would weaken mobile device protections at this critical time by forcing all hardware manufacturers to accept unvetted software applications (apps) in their digital marketplaces—a practice known as “sideloading” that has been called out by the Department of Homeland Security.

On the latest episode of “Explain to Shane,” I sat down with Kevin McNamee, head of Nokia’s Threat Intelligence Lab, to address the technical challenges sideloading brings into the process of keeping a secure mobile ecosystem, along with how users of internet-enabled devices can better protect their financial and other personal data.

Below is an edited and abridged transcript of our talk. You can listen to this and other episodes of “Explain to Shane” on AEI.org and subscribe via your preferred listening platform. You can also read the full transcript of our discussion here. If you enjoyed this episode, leave us a review, and tell your friends and colleagues to tune in.

Shane Tews: Kevin, talk to us about Nokia’s latest Threat Intelligence Report.

Kevin McNamee: Nokia has a product that we deploy in carrier networks around the world that’s designed to monitor network traffic and look for evidence of malware infections. That’s where the data for these reports comes from. Certain customers will share aggregated anonymized data and feed it back in. We cover mobile networks along with some fixed broadband networks, so that gives us a good scope for figuring out what’s going on. We’ve been producing the reports for the past couple of years and they’re usually quite well received. The key thing is: It’s real data from live networks.

Over the past few years, we’ve seen malware infections shifting from traditional laptops and personal computers to smartphones, because that’s now the primary device most people use to access the network for communications, email, banking, etc. Typically, malware will follow the money and the platform people are using for their network connectivity.

We’ve also noticed Internet of Things (IoT) is a big area that’s starting to expand. Particularly with 5G networks coming along, there’s an anticipated great expansion of the number of IoT devices deployed out there. So that’s an area we’ve been looking at fairly closely and expect to see more malicious activity going forward.

Is there anything you recommend consumers think about when buying these IoT devices? I realize a lot of them are probably used by enterprises, but our focus is more on people buying things for their houses and daily lives.

There’s a great variety of IoT devices. I think ones consumers would be concerned about are mostly devices they would deploy inside their homes. Things like your smart fridge, thermostat, and door-opening stuff are relatively well-protected from what we’ve been looking at lately, which is IoT botnets. These tend to attack devices that are visible from the internet. And there’s a lot of activity going on there because as soon as these botnets infect a device with malware, it starts scanning and looking for other devices. When it finds one, it compromises and adds them. So the botnet sort of grows with time, which has been an issue.

But as I said, for the general consumer, it’s not so much a problem because the attackers aren’t really trying to break into residential homes and infect smart fridges. They’re mostly interested in internet-enabled, internet-visible devices. Still, some people have discovered that their video surveillance cameras they’ve deployed outside their homes have been hacked and now anyone on the internet can view what’s going on in their driveway. So, I’m not saying it doesn’t happen, but it’s not as big as the IoT botnets that are used in these massive distributed denial of service attacks and things you’re more likely to see from professional cybercriminals.

Pivoting to mobile, why does Apple have a better reputation than Google’s Android when it comes to device security?

It’s due to a couple of factors. I think first of all, both companies have actually done a pretty good job of securing the device itself. If you compare it, for example, to some legacy personal computer platforms, those were completely wide open with very little control over who was allowed to write apps for them. You could get apps from anywhere. You could do whatever you wanted, and they had a fairly substantial malware issue.

Apple and Google have secured these devices by making the apps that run on them part of a sandbox environment in which they only basically impact themselves. They can’t see other apps on the device. They can’t get access to the disk storage devices or the memory that’s used by other apps. So they’re fairly isolated. And even if they go rogue, the damage they can do is fairly limited.

I think Apple has had more success in creating a secure environment because they’ve basically secured the app supply chain. If you want to get an app for an iPhone, the App Store is the only source. Anyone can write an app for the iPhone; you just have to meet the criteria that Apple sets. You have to go out and get a developer’s license. They give you a certificate that you can use to sign your app. You submit your app to Apple, they check it out, make sure it matches their policy, make sure there’s no malware in it, then they make it available in the store.

Google has also taken steps in recent years to do that, but they’ve taken a slightly different approach. They’ve come out with Google Play Protect, which is built into the Android. When you install an app, whether it comes from a third party or from Google Play, it will verify that the app is suitable for installation and that it does not contain malware. That’s a slightly different approach, but those are the two main things: a secure environment and a secure app supply chain.

What are the security challenges posed by sideloading? Currently, that’s something you can do on an Android device, but not on an Apple one (unless this legislation in Congress passes).

The reason we are even talking about apps in a security context is because the phones themselves are pretty much secure. Phones have been hacked using network-based attacks and a bunch of different vulnerabilities, but that’s not the common way. The most common way to get malware onto a smartphone is by sticking it on an app and getting someone to download it. That means it’s the supply chain for the apps that people are trying to attack.

Apple is completely locked down. By default, most Androids will have smart sideloading turned off when you buy them, so you have to go to Google Play to get the apps. But I think it’s valid that the user can choose what they want to put on their device. It’s their device after all. So they can turn on sideloading if they so choose in Google’s ecosystem.

A lot of app stores are very good and safe and that’s fine, but some are not. There’s also the possibility that I could send you, for example, a web link that you click on and it’ll install an app on your phone. That leads to this type of activity where people are sending phishing attacks, emails, and text messages with links saying “click here to get the app.” People do that, then they get into trouble with malware on their devices.

You recently had a news release about banking and malware threats being on the rise. What’s going on there?

There are different types of malware. I think the malware that goes in and steals your money or your identity is certainly the highest threat level, so you have to take extra care. A banking Trojan can literally empty your bank account in a matter of minutes if it manages to compromise you. There are other types of identity theft too. If people get in and take things like your Social Security number and other personal information, they can use that to open up accounts and do other things. So there’s more than just the banking Trojan. Anything that gets at your identity can be a major problem for you.

There’s also ransomware. For a smartphone or laptop owner, ransomware is not such a big issue because all you really have to do is make sure you’ve got a backup. If your phone just falls out of your pocket and gets run over by a bus, it’s gone. If you get ransomware in your phone, and it encrypts all your data, it’s equally gone. If you have a backup, it’s pretty straightforward to fix that. But with the banking Trojan, once the money is gone, it’s going to be difficult to replace.

If I were to accidentally download malware or a Trojan app, how could I remove it once I realized I made a mistake?

For the most part, it’s actually quite simple because most phones have an “uninstall” feature for apps. Just doing that will get rid of, like, 90 percent of the malware you’d potentially get on your phone. But apps can also disguise and protect themselves from being uninstalled. They can sort of bury themselves deep within the operating system and out of sight. With those, you can always do a simple factory reset on the device, which sets it back to the way it was when you bought it. That will clean off any additional apps that were installed after you purchased the device. Then—and here’s the dangerous part—if you want to restore an app from whatever cloud you store your stuff in, you don’t want to go back and reinstall the malware. You want to think carefully about the things you put back on your device.

If all else fails, you can also do a hard reset on the device. You can take it in and have it reflashed, which is where you take it back to where you purchased it and they do a hard reset. That’s another option when all else fails.
