Back to Insights
Beaver: Learning the Right Lessons from ExpensiveWall Android Malware
October 15, 2017 | Mobile Access and Device Management
By Kevin Beaver, IANS Faculty
Security vendor Check Point recently discovered a new type of malware running rampant across the Google Play Store. Dubbed ExpensiveWall, this malware masqueraded inside rogue wallpaper apps and monetized itself by sending illicit SMS messages and charging user accounts for fraudulent services. ExpensiveWall affected at least 50 apps on Google Play and is one of the largest Android-related exploits on record.
I’m normally not big on what I consider niche security flaws such as this. Instead of getting off in the weeds with every flaw/exploit on every platform like so many in our industry do, I find that mastering the basics and addressing the big stuff with tangible business consequences is a better strategy. A review of the recent Equifax and SEC breaches/debacles underscores the importance of this approach. Still, in the case of ExpensiveWall, there are some good lessons to be learned. The big question is: How is such malware even able to execute given the mobile security controls enterprises have at their disposal?
It starts with BYOD. Users being free to choose which mobile devices they use and how they use them facilitates many of the problems. This is exacerbated by no – or under-implemented – mobile device management or unified endpoint management controls. If users are not being set up for success through technical controls to help protect themselves from the bad decisions they’re making, the inevitable result is obvious. In too many situations, users are calling the shots and making decisions about security that they shouldn’t be involved in. They’re downloading random apps and, in the case of ExpensiveWall, they’re enabling dangerous permissions that give the criminals access to the mobile devices. Regardless of who owns them, users are essentially doing what they want, when they want on their devices. That doesn’t seem like a very solid (or defensible) approach.
Paper pushers will say, “We have a policy against this or that, so we’re safe.” My response is: Great, how’s it working for you? Policies, schmolicies. Top-notch security paperwork means very little. In the typical enterprise, users are completely out of the loop. They’re not being properly trained on what to do and what not to do. They’re not being set up for success in many situations and that’s on IT and security teams the business leaders put in charge.
The ExpensiveWall malware was removed pretty quickly from Google Play, but it showed back up again soon thereafter. Just because Google (or any vendor for that matter) removes rogue apps from their app store, it doesn’t mean your security problems are immediately solved. In fact, it’s likely the beginning, since malware has to be cleaned up (if you even know it’s there), expenses for illicit or bogus charges may have to be paid or reimbursed by the company, and formal incident response procedures may have to be invoked depending on the situation.
If you’re in charge of information security, you need to keep an eye on these threats. Like politics, if you don’t take interest in them, they’ll most definitely take an interest in you – and your business at some point. Sure, you can’t control every user and every device, but you can shore up the gaps that are in your environment right now. Figure out what they are, come up with a plan to address them, and see it through until the business risks are minimized. If a security incident still surfaces, at least you’ll know in good conscience that you’ve done what needed to be done in order to minimize its impact.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.
| Faculty Reports
Infosec in 2019: What to Expect in Enterprise Mobile Security
| Faculty Reports
IANS Topic Guide: Building a Better Mobile Security Strategy
Secure a BYOD Initiative Across Both Android and iOS
| Tools & Templates
Mobile Policy Template