Mobile cybercrime vectors: Zero-Day Attacks – not really zero-day
A mobile zero-day vulnerability is a disclosed mobile-software vulnerability that hackers can exploit to adversely affect mobile applications, data, additional mobile devices or a cellular network. The term zero-day commonly refers to the fact that the software's author has zero days to plan and advise mitigation against exploitation of the uncovered flaw.
The vulnerability window exists until the completion of a phased resolution process consisting of (1) detection and study of the new exploit; (2) development of a solution to counter it; (3) release of a security patch; (4) distribution and installation of the patch on users’ devices.
However, the reality is much more complex as hackers enjoy favorable terms:
A long time passes between the discovery of the exploit by the hacker and the discovery of it by the mobile software vendor.
Long time periods between the time a threat is uncovered and the time software vendors release patches.
Partial resolution of known vulnerabilities due to response urgency.
Cybercriminals tend to share extensive information on current exploits.
Manufacturers are slow to respond given the fragmentation of the Android market.
Vendors at times have no interest in publishing and confronting exploits.
Users are not aware of the risks and the mitigation against their exploitation.
In some instances, users have no alternative but to keep using the vulnerability-affected software.
These dynamics lead to a much wider vulnerability window. Patch delays can range from several weeks for a mobile OS up to years for network-related gaps such as the SS7 network security breaches. During this time, the vulnerabilities allow attacks to be installed covertly. Once on the device, they may enable the attacker to steal passwords, corporate data and emails, activate the microphone to listen in on conversations and meetings, capture keyboard activity and screen information, or act as a botnet to steal contacts or text messages.
As such, organizations need a solution that can mitigate the impact of zero-day mobile exploits in real time. The secretive organization cannot rely on commercial devices that are bound to the manufacturer’s resolution timelines. Only devices that provide trusted hardware and a custom operating system, with the complete flexibility to publish same-day security patches, provide true risk mitigation against today’s threat landscape.