A report published today by Zimperium, a provider of a platform for securing mobile devices and applications, finds that devices running the Android operating system that have enabled root-level privileges are 3.5 times more likely to be attacked, resulting in 250 times more cybersecurity incidents.

The granting of privileged access on mobile devices, known as rooting, has significantly declined since the providers of these devices have added capabilities that limit who can modify system files, install specialized applications, or remove restrictions put in place by the manufacturer or a telecommunications carrier.

However, there are still enterprise IT organizations that for one reason or another continue to allow root access that can then be used to install various types of malware.

Kern Smith, vice president of global solutions at Zimperium, said that once cybercriminals gain access to an Android device, they can then easily access any number of third-party applications and services using credentials found on that device.

It’s not clear how many organizations are deploying software on Android devices that requires root access, but many of them are not following best application security practices that would reduce the level of attacks targeting them. The one clear thing is that cybercriminals are getting more adept at discovering devices that are configured in a way that makes them easier to compromise using tools such as Magisk, APatch, KernelSU, Dopamine and Checkra1n.

More challenging still, detecting attacks against devices that have enabled rooting is difficult because many of the tools that cybersecurity teams rely on today only conduct cursory scans for indications of compromise, noted Smith.

As cybercriminals avail themselves of advances in artificial intelligence (AI), the sophistication of attacks is also only going to increase, while the cost of launching attacks continues to approach near zero, he added. More of those attacks are now being aimed specifically at mobile computing devices that are often not as secure as other endpoints, said Smith.

Unfortunately, mobile devices and application security are still often taken for granted. Organizations tend to assume that providers of these devices, application developers and telecommunications service providers are doing more to secure them than they are actually able to. Applications running on these devices are, as a result, especially tempting targets because the level of DevSecOps maturity that exists among the organizations building and deploying them can vary widely.

Additionally, it’s still not always apparent who, within an organization, is responsible for application security. Cybersecurity teams tend to focus more on securing networks on the assumption that application development teams are securing software. Conversely, application developers will assume that cybersecurity teams are securing, not just platforms and networks, but also the software running on them. The end result can be a situation where no one is specifically held responsible for application security.

On the plus side, a lot of application security progress has been made in recent years. The challenge now is making sure those efforts extend out to mobile applications, which are now arguably the soft underbelly of cybersecurity that adversaries have learned to easily exploit.
