The CSIAC Podcast - Mobile Security – Part 1 of 2

In the past five years alone, the amount of mobile data has grown eighteen fold (Cisco Mobile VNI, 2017). Security concerns are at the forefront due to the reliance on mobile devices for both business and personal use, along with the ever-increasing data usage. There are two concepts of mobile security; physical and data. Physical security can consist of theft, over-the-shoulder techniques, biometric passcodes, and others. Data security deals with downloading applications containing malware, unpatched and vulnerable software, Bluetooth vulnerabilities, and open Wi-Fi spots. This video podcast and companion article will give you an overview of the current threats to mobile device security and what you can do to mitigate them. With an ever growing dependence on mobile devices, the security of these devices is paramount. This is part 1 of a 2 part series on mobile security. Part 2 is available here: https://www.csiac.org/podcast/mobile-security-part-2/

Threats to your mobile security

General Threats

Mobile devices face a diverse range of security threats as they have become increasingly sophisticated. Our reliance upon these devices in personal and business settings alike has also drastically increased. As such, our awareness of mobile device threats must increase substantially in order to better secure ourselves. Threats to mobile devices fall into three general categories that are composed of physical threats, malware, and network-based threats.

Physical

Theft of mobile devices is an ever present concern that users must be cognizant of. Unlike bulky desktops and servers, mobile devices can easily be picked up and walked away with. Not only are phones increasingly expensive with a high resale value, but they also typically contain sensitive information on the user and/or company one works for. When mobile devices are stolen it is possible for attackers to gain access to the contacts stored on the devices, text messages and chat logs, call logs, and passwords to identify the owner of the devices. In a study conducted by Deloitte (2017), forensic analysts were able to identify the owner of the device in seventy-five percent of the cases where a user’s phone was stolen. Even more concerning is the fact that after these stolen phones are wiped/factory reset (usually before they are resold), analysts were able to retrieve contacts from the phone along with the original owner’s email address in sixty percent of the cases (Deloitte, 2017).

Malware

It should be known that malware targets not only desktop computers but also mobile devices as well. There are a variety of threats targeting mobile devices that can be relatively harmless or pose a major threat to the security of user data and organizations. For example, the effects of mobile device malware may include spamming contacts on a user’s contact list with a significant amount of messages, draining the user’s battery until the device cannot be used, and editing, copying, and removing sensitive files (Kearns, 2016). Additionally, malware may turn mobile devices into zombies (proxy machines used to attack other users) or be used to spy on users. While users may believe that antivirus will protect them from these threats, they should know that they will typically be the first line of defense. Detection of malware is difficult on mobile devices as it is easy to get around signature-based detection since mobile applications can easily be updated and repackaged creating a brand new signature. As such, user education and training are important to recognize and defend against malware on mobile devices.

An example of a recently uncovered threat that highlights the risks of malware targeting mobile devices is known as Marcher. Marcher is a banking Trojan targeting Android devices. The threat has been active since 2013 but has recently reemerged in January of 2017 targeting customers of Austrian banks. Users first receive a “bit.ly” link that directs them to a false Bank Austria login page. If users do not realize that this is not the legitimate version of the site, they may then enter their email address, phone number, and other customer details into the page later used in a social engineering attack. In the social engineering attack, users are sent an email with the previously entered information informing them that they must install a new Bank Austria application or else their account will be locked due to new EU money laundering guidelines. The second part of the attack allows attackers to install the Marcher banking Trojan that allows them to steal user information, view the location of the device, lock the device, modify files, and send SMS messages (Palmer, 2017).

Three other recent examples of malware for mobile devices are the ToastAmigo malware exploit, Xcode Trojans, and Lazarus compromised applications. The ToastAmigo Malware exploit has recently been plaguing the Android mobile market. This malware uses “overlay vulnerabilities” to install malicious applications on user devices, delivering various payloads and installing monitoring software. The overlay feature of Android allows for applications to overlay input screens over normal legitimate applications. These overlays contain confirmation buttons that can be disguised as legitimate application interfaces and will allow the malicious application to gain escalated privileges on the mobile device (Olenick, 2017). Upon gaining these privileges, malicious payloads can vary depending upon the specific privilege gained.

Cybercrime groups are beginning to realize the widespread nature of mobile devices and are now targeting them. The McAfee Mobile Research team recently stated that they believe the Lazarus cybercrime group have begun targeting users of mobile devices. Examining the code, tactics, techniques, and procedures, researchers believe Lazarus is responsible for creating malware that disguises itself as an application for reading the Bible in Korean. The attack method stands out as it is different than traditional email-based attacks. Although the application did not appear on the Google Play Store, it was installed more than 1,300 times by users (Han, 2017). As the users continue to adopt and move to mobile devices, attackers looking to take advantage of vulnerable devices will follow.

In a more creative and malicious attack, the XcodeGhost vulnerability in iOS was an intentional vulnerability built into applications, sometimes without the knowledge of the application developer. Due to the high demand for the Xcode application development interface for iOS application development, users in China were downloading the Integrated Development Environment (IDE) from third party hosts. This third-party hosted IDE had been compromised in a way that would compile iOS applications with malicious code that would gather device information to be sent to attackers remotely. Information such as network information and specific hardware information were all sent to a remote central command server, once the application had been installed and run by a user. This vulnerability is especially troubling due to the delivery method, being unknowing iOS application developers (Ducklin, 2015).

It is important the users pay attention to the applications that they have installed on their devices identifying those that are no longer needed. Users will often leave old and unused applications installed on their mobile devices. While it is important to update applications to remove any vulnerabilities that may exist, it is just as important to delete applications if they are no longer used. Old applications are a security concern as they could contain malware that uses device memory and leaks data to a third party. According to Collett (2017), both Apple and Android security teams have frequently been removing potentially malicious and copyright infringing applications from their stores. Users must continue to check the status of these applications and monitor what they have installed to decrease the risks presented by malicious applications.

Network

Wi-Fi networks present a significant risk to users of mobile devices. Users may be tempted to join Wi-Fi networks to avoid costly cellular data charges. However, publically available Wi-Fi networks are typically not secure, leaving communications unencrypted. Attackers may additionally attempt to trick users into connecting to networks that they control by deploying fake access points. The access points controlled by the attacker will have names that are the same or are similar to those of existing access points to trick users into accidentally connecting. Once connected, an attacker has a wide range of options available to them. They can steal user login and credit card information, redirect users to malicious websites, and alter data all without user’s knowledge (O’Donnell, 2017). Exacerbating this problem is the fact that users commonly use the same login credentials on multiple websites. It is commonly suggested that individuals use a Virtual Private Network (VPN) to keep their traffic encrypted, yet VPNs present their own risks.

Although it is recommended that users encrypt all of their web traffic using VPN applications on their mobile devices, many of these applications may reveal user data. VPNs promise that user’s data will be harder to monitor by third parties as all user traffic will be tunneled through a secure, encrypted, private network. However, the company that authored the VPN application is given access to your data and controls how your traffic is logged and to whom it can be given. A recent study conducted by Australia’s Commonwealth Scientific and Industrial Research Organization, found that eighteen percent of mobile VPNs (of the 283 tested) did not encrypt the private network tunnels that they created (Newman, 2017). Furthermore, three-quarters of those applications tracked users through third-party libraries, while eighty-two percent requested excess permissions to user’s data (Newman, 2017). When selecting VPN applications, users should first do their research to determine if the company making the app is reputable and has a history of protecting user’s privacy before rushing into a solution.

When discussing network threats to mobile devices, the recently discovered KRACK Wi-Fi vulnerability cannot be overlooked. Researchers recently discovered a flaw in Wi-Fi Protected Access 2 (WPA2) that allows individuals to view and potentially alter network traffic traversing Wi-Fi networks. KRACK or Key-Reinstallation AttaCK is an attack that targets any device that transmits data over a Wi-Fi network, meaning both Android and Apple iOS devices are at risk (Krebs, 2017). The vulnerability exists in the four-way handshake that is executed when clients/devices join a WPA2 protected network. Targeting the third part of this four-way handshake attackers can collect and retransmit signals containing cryptographic handshake messages to break encryption (Mimosa, 2017). While this attack can be carried out against an extremely large number of devices, there are steps users can take to protect themselves.

Defending against KRACK can be done using a variety of methods. First users should know that an attacker would have to be within range of your access point and the communicating device to carry out the attack. Moreover, there are already additional protections in place to prevent these communications from being intercepted. Communications are protected with Secure Socket Layer (SSL) encryption in addition to WPA2. Users can examine their communications to verify that in their browser the URL starts with https and contains the lock symbol indicating SSL is being used. If users would like, they can take this protection a step further by using a browser add-on/extension that forces communication to be encrypted, bypassing the default for the site (Krebs, 2017). Users should also take the necessary steps to patch their mobile devices. Google and Apple have already released patches for devices, but owners of Pixel and Nexus devices should be aware that the November 6th patch does not affect their devices (Mimosa, 2017).

Other Attacks

Intra-Library collusion is a relatively new threat to mobile device user’s privacy. Researchers from Oxford and Cambridge recently published a paper describing a privilege escalation attack on the Android operating system. In what the researchers call intra-library collusion, separate libraries can acquire escalated combined privileges on a device when they are used in multiple applications (Taylor, Beresford, & Martinovic, 2017). Each application will have its own set of permissions granted by a user during install. These permissions are required by applications so that they can successfully run and access needed information. However, libraries will also get the same privileges as the running applications. As such, malicious code that is included in one application could use the shared libraries from other higher privileged applications to perform malicious actions like harvesting users’ data (Taylor, Beresford, & Martinovic, 2017).

In addition to intra-library collusions, a second recently reported attack involved the tracking of users with ultrasonic beacons. Ultrasonic beacons are audio beacons that operate in the eighteen to twenty KHz frequency range. Users may inadvertently give permissions to applications that allow those applications to track them using high-frequency ultrasonic sounds picked up by the phone’s microphone. Researchers in Germany identified four different scenarios in which applications can use ultrasonic side channels to intrude on the privacy of users. The four scenarios included using ultrasonic beacons that are emitted from televisions to record the viewing habits of a user, tracking users across devices, determining where a user is inside a store, and de-anonymizing users when they visit websites by sending ultrasonic beacons (Arp, Quiring, Wressnegger, & Rieck, 2017). For example, in the scenario involving television, ultrasonic beacons can used to mark digital media. When that digital media is played, an application listening using the device’s microphone can identify the content being played, the time it was broadcast, and where it was broadcast from (with information included in the audio signal). Combining this information with other publically available information obtained online, attackers and advertisers can track users and create highly targeted messages (Arp, Quiring, Wressnegger, & Rieck, 2017).

Mobile Scams

A significant threat to users of mobile devices is scams. A recent study conducted by First Orion (2017) revealed that in the past two years the number of scam calls to mobile phones has quadrupled. One thousand U.S. mobile phone users were surveyed regarding unwanted calls, and more than half of the individuals surveyed believed that the cell phone carrier should be responsible for blocking fraudulent calls and text messages (First Orion, 2017). While users may feel this way, they are ultimately responsible for protecting themselves from this threat. To better defend themselves, it is important that they know the common scams carried out by attackers.

A common scam that users need to be aware of is the ‘one ring’ wireless phone scam. If you have ever had your cell phone ring once and then mysteriously stop you may have been targeted by this scam. In the one ring mobile phone scam users phones will ring once, and then the caller will hang up attempting to get the user to call them back. The number left on the user’s phone looks as if it is a domestic phone number with a three digit area code. Individuals fall victim to this scam when the recorded phone number is called back. Instead of being connected to a domestic number inside the United States, callers are connected to an international line (usually located in Canada or the Caribbean) and charged exorbitant fees (Federal Communications Commision, 2017). If targeted, users should either call their telephone company to try to refute the charges or file a free complaint with the FCC.

Even more concerning is that fact that scammers and identity thieves are becoming more innovative. Noticing that individuals can walk into a cell phone store, claim that their cell phone was lost or stolen, and get a brand new phone with the same number, attackers have begun carrying out SIM swap or SIM splitting attacks (Wiggers, 2017). Attackers first attempt to get a user’s bank account information by purchasing it off of the black market, from successful phishing attacks, or using publically available information to answer user’s security questions. Once they have they user’s bank account information, they will masquerade as the victim and call the victim’s mobile phone company reporting that their phone has been lost or no longer works. When the mobile phone company cancels the SIM card of the old phone, the attacker will activate a new SIM card using the victim’s phone number. Any text messages sent to the victim’s phone number will be directed to the attacker’s phone allowing them to make bank account transfers that require text message authentication (Federal Communications Commission, 2017).

Mobile phone users may also commonly be targets of robocalls and fake text message scams. In fact, robocalls and unwanted text messages are top complaints to the FCC. The chairman of the FCC Ajit Pai has stated that the FCC receives over 200,000 complaints every year regarding unwanted phone calls (Reardon, 2017). The problem is that attackers can easily and cheaply set up automated dialers to make robocalls from difficult to trace offshore locations (Reardon, 2017). Users, however, can protect themselves by not responding to these calls and text messages, especially if they ask for any sensitive information. They should file a complaint with the FCC and attempt to block future calls and texts by placing their number on a do not call list. When in doubt do not take the risk, instead users should call banks or credit card companies directly (using known numbers) to verify the legitimacy of calls/texts.

How to Recognize Fake Apps

Regardless of whether users have an Apple or Android device, it is critical that they can spot fake applications. Last year during the holiday season numerous counterfeit applications appeared on the in Apple’s App Store. Foot Locker, Dollar Tree, Christian Dior, Nordstrom, and other applications were created to prey upon unsuspected users. While many of these applications annoyed users more than anything by creating pop-up ads, there are serious dangers of downloading fake applications (Goel, 2016). For example, earlier this year a fake application posing as Super Mario Run was released for Android devices. The fake application contained the Remote Access Trojan (RAT) DroidJack. Once downloaded to a user’s device, DroidJack or SandroRAT allows attackers to steal information such as user’s contacts and text messages, take video, record calls, and snap pictures (Arghire, 2017). It is essential that users can spot fake apps to protect themselves from these risks.

Five essential steps should be taken when attempting to identify a fake application. The first of these steps is looking to see how many times the app has been downloaded (Kovacs, 2014). Illegitimate applications will tend to have very few downloads, especially when compared to actual applications. Actual applications will typically have been downloaded tens of thousands of times. While the download count is not the best metric to depend upon when trying to assess if an application is legitimate, users can get a sense of the applications popularity and in some cases determine the number of downloads over time. Yet, it is still imperative that users perform additional research before downloading an application.

The second way that users can identify a fake application is by looking at the date that the application was published. When downloading an application, the date that the application was published will be listed on the download page in the application marketplace. A good indication that an application may be fake is if the application was recently published. Legitimate applications are typically well established, meaning that they have been around awhile and are consistently updated by the developers (as such the version number of a genuine application will typically be above 1.0). Though, it is important that users are aware of the difference between when an application says it was published and when that application was updated. Instead of stating that an application was recently published, a real application will state that it was updated on a certain date (Graziano, 2016).

Similar to examining the date that the date that a specific application was published, users can also view who published the application to determine an applications authenticity. It is not uncommon for malicious/fraudulent applications to be published by publishers who have similar names as legitimate companies. For example, an application masquerading as the legitimate Overstock.com was instead published by Overstock Inc. (Graziano, 2016). Users can protect themselves by visiting the publisher’s website for retail applications like the previously mentioned Overstock.com. It is not uncommon for companies who have released a mobile application to have a link to the application on their website. When in doubt users can open a web browser and download the application using these links. An additional benefit of downloading applications using this method is that users will typically be redirected to a trusted marketplace such as Google Play or Apple’s App Store (Graziano, 2016). However, further information can be gained by looking to individuals who have previously downloaded and used applications.

Reviews of an application should be examined when trying to recognize a fake application. Users should look at both the positive and negative reviews left by individuals who have previously used the application. Other users who have downloaded the application before may leave reviews that warn users of fake apps or complain about numerous pop-ups, instability, and other indicators of a malicious application. While numerous positive reviews may indicate that an application is safe to download, it is important to be aware that developers of these applications may also leave fake reviews. Illegitimate reviews left by application developers are typically very short and make generic blanket statements (Kovacs, 2014). On the other hand, a sign that users are dealing with a fake application is if the application has a limited number of reviews or no reviews at all. In accordance with the number of downloads and published date, limited reviews may indicate that an application was recently put on the app store to mislead users. Reading through positive and negative reviews, while checking the quantity, will give users insight into the quality of the applications that they are downloading and how long that application has existed.

The fifth and final step is to look for spelling mistakes, unauthentic logos, and improper formatting when evaluating applications. Fake applications are often created in countries outside of the United States. Graziano (2016) mentions that a large portion of these applications are produced in China. As such, looking for spelling mistakes in the title and description of applications can help identify applications created by developers that speak English as a second language, an indication of potential illegitimacy. In addition to creating an application with names similar to authentic products and retailers, fake applications may attempt to spoof developer or product logos. While by themselves these steps may not be effective, when combined, users can better avoid falling victim to threats presented by fake applications.

Protecting Your Data

With the wide range of threats targeting mobile devices, users must take the appropriate steps to defend themselves. Mobile data can be protected using defenses that fall into four main areas which include encryption, physical defenses, software, and policy.

Encryption can be a standard of data protection that devices should implement at a very minimum. End-to-end encryption ensures that one’s data is never sent in the clear or in plaintext. Although this practice is recommended, not all applications implement end-to-end encryption within their designs. Thus, if a mobile user is connected to an insecure Wi-Fi access point, then sensitive data from the application may be transmitted in plaintext through the insecure access point. It is of paramount importance that mobile users manage what access points their mobile devices will connect to keep their data safe. However, some technologies have been recently developed to help users in this endeavor. Google’s Project Fi has developed a feature named Wi-Fi Assistant that will automatically set up a VPN encrypted connection when using unsecured Wi-Fi networks on a mobile device (Oakley, 2016). Android and Google are provided this free VPN service to allow for the automatic protection of user data from rogue access points. Within the iOS operating system, there are also VPN features that must be enabled manually by the user that also provides this level of protection.

As mentioned previously, one of the primary threats to the security of mobile devices is theft or physical access. Users can begin by strengthening the authentication required to gain access to their device. Using multiple factors of authentication which include something you are, something you know, and something the user has, the safer their data will be. For instance, passwords or swipe patterns are something you know, smart cards are something you have, and fingerprints or facial features for biometric recognition are something you are. Each of which can be combined to add additional layers of security that an intruder must bypass. Though, numerous attacks on biometric authentication have been reported. As such, users must remember to set strong passwords in combination with other forms of authentication. Strong passwords should be over eight characters in length and contain uppercase, lowercase, and special characters (Kovacs, 2014). In this same regard, mobile users must make sure to properly secure their mobile devices to prevent theft and/or unattended physical access to their devices.

In addition to taking steps to strengthening user authentication, mobile users should also take steps to ensure data protection if the device is lost or stolen. Users should have the remote tracking and management enabled on their devices. One of the most prevalent examples of this tracking is the iPhone application Find My iPhone, an application that shows users where their device is currently located using GPS. Users can also enable so-called self-destruct features that will remotely erase all data that is stored on a phone when it is lost or stolen. Yet, if users do not wish to utilize these features, they should still consider encrypting their devices to protect the data on their device. Encryption will make the data stored on the device (including sensitive information) unreadable until it is decrypted with the appropriate password. Mobile devices may activate the previously mentioned self-destruct feature after the encryption password is entered wrong too many times. For further protection, users should also ensure that they have disabled lock screen notifications which may leak sensitive information when the device is locked. For example, by default applications such as Apple Wallet may be able to be accessed even after the user has locked their device (Koff, 2017). By encrypting data, using tracking and self-destruct features, and hiding notifications/access to applications users can better restrict access to sensitive device data.

While it is important that users protect their devices from unintentional physical access, users must also be able to protect their mobile devices from both intentional and unintentional threats presented by software. Making sure that applications and mobile operating systems are always up to date is, of course, extremely important. Latest operating system vulnerabilities and application vulnerabilities are being constantly patched to ensure the protection of user data. Mobile application developers must constantly be aware and update their applications accordingly.

In regards to mobile applications, it is also important that mobile user be aware of application’s permissions within the mobile operating system. An application’s access to storage, phone calls, camera, microphones, etc. must all be considered when installing applications. For example, a crossword gaming application does not need access to the mobile device’s microphone or camera. Most mobile operating systems contain setting menus to edit individual app permissions. It is recommended though, that users consider these permissions when first installing the applications and making decisions at that point. Users must also be fully aware of the source in which they are installing applications. Untrusted third-party sources are available to download and install applications. However, these untrusted sources may have faulty or malicious versions of otherwise harmless applications that may even behave normally.

In an example of malicious attackers gaining access to data, the LeakerLocker ransomware attack. Ransomware occurs when attackers hold personal data in exchange for currency. In most cases, ransomware attacks will encrypt data with high-end encryption techniques, giving the encryption key to users once they have paid the ransom fee. LeakerLocker, however, does not encrypt the mobile device user data. Instead, this attack relies upon unknowing users to grant extra permissions to the application upon installation. After installation, the application will lock access to the phone and only allow the user to enter a credit card number for ransom payment (Ruiz & Chen, 2017). This attack reinforces best user practices and awareness when installing mobile applications.

Mobile device users may take some additional steps to secure their devices such as installing an antivirus application that is designed solely to protect mobile operating systems and user data. These apps often passively monitor mobile device usage and make users aware of such things like insecure Wi-Fi hotspots, applications that have unneeded permissions, web browsing monitoring, and other features. Additionally, mobile device owners may wish to set up alternate profiles on a single device for guests and others to use without accessing the owner’s personal data.

Within corporate environments with proprietary data at risk, it is important that companies create mobile security policies. By establishing mobile device security policy, management and other individuals within an organization will have written documentation that can be referred to regarding threats to mobile devices. The policy can then be consulted if there are any questions regarding what is to be expected from users when they bring mobile devices into an organization and the necessary steps taken to protect individuals from current threats, especially useful when training employees and creating controls. These policies should contain sections pertaining to proper use of mobile devices including internet usage corporate network access, data storage, and operating system security (Guérin, 2008). For example, employees should be required to record the identifying details of wireless devices, sign an acceptable use agreement before joining (continuously monitored) networks, have antivirus installed on these devices, and if company owned, devices should be wiped after individuals leave. If there are any questions as to what the mobile device security policy should contain, users can consult established research and governance frameworks and NIST guidelines (Kearns, 2016). By having policy in place that can be clearly understood and referenced, users can better understand what is expected of them lessening the risk to proprietary data.

Summary

To better protect themselves, users must first understand the threats that target mobile devices. Mobile devices are only increasing in popularity, putting more users at risk of losing their devices or having them stolen, falling victim to malware attacks, and having their data intercepted and modified in transit across networks. As such, it is important that users are educated on how to identify fake applications, common scams, and the proper ways to configure their devices to avoid these threats. As our reliance upon this devices increases in our day to day lives, so must our awareness.

References

1. Arp, D., Quiring, E., Wressnegger, C., & Rieck, K. (2017). Privacy Threats through Ultrasonic Side Channels on Mobile Devices. 2017 IEEE European Symposium on Security and Privacy (EuroS&P). Paris:IEEE. doi:10.1109/EuroSP.2017.33
2. Arghire, I. (2017, January 16). DroidJack Masquerades as Super Mario Run for Android. Retrieved from http://www.securityweek.com/droidjack-masquerades-super-mario-run-android
3. Cisco Mobile VNI. (2017, March 28). Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2016–2021 White Paper. Retrieved from https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/mobile-white-paper-c11-520862.html
4. Collett, S. (2017, August 1). Five new threats to your mobile security. Retrieved from https://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-security.html
5. Cranor, L. (2016, June 7). Your mobile phone account could be hijacked by an identity thief. Retrieved from https://www.ftc.gov/news-events/blogs/techftc/2016/06/your-mobile-phone-account-could-be-hijacked-identity-thief
6. Deloitte. (2017). Mobile devices. Retrieved from https://www2.deloitte.com/ie/en/pages/risk/articles/mobile-devices-security.html
7. Ducklin, P. (2015, November 9). Apple’s XcodeGhost malware still in the machine…. Retrieved from https://nakedsecurity.sophos.com/2015/11/09/apples-xcodeghost-malware-still-in-the-machine/
8. Federal Communications Commission. (2017, September 8). ‘One Ring’ Wireless Phone Scam. Retrieved from https://www.fcc.gov/consumers/guides/one-ring-wireless-phone-scam
9. First Orion. (2017, July 20). Infographic: Scam Call Fast Facts. Retrieved from http://firstorion.com/infographic-scam-facts-7-17/
10. Goel, V. (2016, November 06). Beware, iPhone Users: Fake Retail Apps Are Surging Before Holidays. Retrieved from https://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before-holidays.html
11. Graziano, D. (2016, November 09). How to spot fake iOS and Android apps. Retrieved from https://www.cnet.com/how-to/how-to-spot-fake-ios-and-android-apps/
12. Guérin, N. (2008, May 29). Security Policy Template [PDF]. Retrieved from https://www.sans.org/reading-room/whitepapers/pda/security-policy-handheld-devices-corporate-environments-32823
13. Han, I. (2017, November 20). Android Malware Appears Linked to Lazarus Cybercrime Group Android Malware Appears Linked to Lazarus Cybercrime Group. Retrieved from https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/
14. Kearns, G. S. (2016). Countering Mobile Device Threats: A Mobile Device Security Model. Journal of Forensic & Investigative Accounting, 8(1), 36-48. Retrieved from http://web.nacva.com/JFIA/Issues/JFIA-2016-4.pdf
15. Koff, D. (2017, November 10). Minimize Risk While Surfing the Web on Your Phone. Retrieved from https://medium.com/s/the-firewall/securing-mobile-devices-part2-c11d39644557
16. Kovacs, N. (2014, August 18). How to Spot a Fake Android App. Retrieved from https://community.norton.com/en/blogs/norton-protection-blog/how-spot-fake-android-app
17. Kovacs, N. (2014, October 20). Theft-Proof Your Mobile Data. Retrieved November 20, 2017, Retrieved from https://community.norton.com/en/blogs/norton-protection-blog/theft- proof-your-mobile-data
18. Krebs, B. (2017, October 16). What You Should Know About the ‘KRACK’ WiFi Security Weakness. Retrieved from https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/
19. Mimoso, M. (2017, November 8). Google Patches KRACK Vulnerability in Android. Retrieved from https://threatpost.com/google-patches-krack-vulnerability-in-android/128818/
20. Newman, L.H. (2017, February 8). Beware: Most mobile VPNs aren’t as safe as they seem. Retrieved from https://www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/
21. Oakley, P. (2016, September 14). WiFi Assistant can secure manually connected non-secure networks as of Play services 9.6. Retrieved from http://www.androidpolice.com/2016/09/14/wifi-assistant-can-secure-manually-connected-non-secure-networks-play-services-9-6/
22. O’Donnell, A. (2017, January 31). The Dangers of Evil Twin Wi-Fi Hotspots. Retrieved from https://www.lifewire.com/dangers-of-evil-twin-wi-fi-hotspots-2487659
23. Olenick, D. (2017, November 9). ToastAmigo malware uses new twist to attack Toast overlay vulnerability. Retrieved November 30, 2017, from https://www.scmagazine.com/toastamigo-malware-uses-new-twist-to-attack-toast-overlay-vulnerability/article/706640/
24. Palmer, D. (2017, November 6). Android security triple-whammy: New attack combines phishing, malware, and data theft. Retrieved from http://www.zdnet.com/article/android-security-triple-whammy-new-attack-combines-phishing-malware-and-data-theft/
25. Reardon, M. (2017, July 19). Why am I getting so many robocalls?. Retrieved from https://www.cnet.com/news/robocalls-telemarketing-consumer-protection-fcc-do-not-call/
26. Ruiz, F., & Chen, Z. (2017, July 7). LeakerLocker: Mobile Ransomware Acts Without Encryption. Retrieved from https://securingtomorrow.mcafee.com/mcafee-labs/leakerlocker-mobile-ransomware-acts-without-encryption/
27. Taylor, V. F., Beresford, A., & Martinovic, I. (2017, August 11). Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones [PDF]. Retrieved from https://arxiv.org/pdf/1708.03520.pdf
28. Wiggers, K. (2017, July 6). Here’s how to stop SIM fraudsters from draining your bank account. Retrieved from https://www.digitaltrends.com/mobile/sim-swap-fraud-explained/