Mobile Security & Enterprise Mobility Blog

The Bad, The Ugly & The Good of Mobile Phishing Protection

The Bad, The Ugly & The Good of Mobile Phishing Protection

“The good, the bad and the ugly” is a well-known expression, but when it comes to mobile phishing, I suggest shifting the order. Let’s talk about the bad, the ugly and the good.

The Bad: Mobile Takes Phishing from Bad to Worse

Phishing is one of the most dominant attack techniques in cyber security.  Phishing has a very low barrier of entry, attacks can be set up in minutes and are challenging to detect at scale as sites are taken down or moved just as quickly.

Phishing attacks are increasing in alarming numbers. In 2018, there were 482.5 million attempted phishing attacks, which is more than double the attacks in 2017. The 2018 Verizon Data Breach Investigations report found that 90% of cyber attacks begin with phishing. 

Because email is the most common communication vector for phishing attacks, most organizations have attempted to stop phishing via email or web gateways or next gen firewalls. Even with this form of protection in place, a recent study has found there’s still a lot of room for improvement. Additionally, corporate solutions do not address half of email based threats: those that occur in users’ personal email solutions.

But email isn’t the sole phishing mechanism anymore… mobile devices open up novel vectors for phishing attacks. Hackers phish mobile device users in two primary ways:

  1. Phishing Sites: Not only using email, but also using new mobile communication capabilities (e.g., SMS, messenger services like WhatsApp, social media apps), attackers lure users to phishing sites. Phishing sites are even more difficult to distinguish on mobile to lack of URL visibility in mobile browsers and quite easy to create, as demonstrated by this research paper.
  2. Malicious Apps: Users install a seemingly benign app (usually from a third party app store), and are tricked into granting the app elevated privileges. When the user accesses a well-known brand’s app, the malicious app places a mimicked screen on top of the legitimate app and phishes the user’s credentials.  Novel techniques in recent mobile malware will also attempt to read device notifications to grab two factor authentication messages.

The Ugly: Mobile Challenges Create More Complications

While anti-phishing solutions (those trying to prevent access to phishing sites) like email gateways protect traditional endpoints, there hasn’t been a comprehensive and effective mobile anti-phishing solution. There are many unique challenges around mobile devices that complicate the requirements for an effective mobile anti-phishing solution, e.g.,

  • Directing all traffic to a remote server for inspection is unrealistic, from both a cost and user privacy perspective; ;
  • Limited memory, app storage constraints and CPU resources makes it extremely difficult to refer to static databases of known malicious URLs; 
  • While corporate email accounts may have protection, other messaging channels, personal email accounts and mobile apps do not;
  • Battery consumption is a top priority;
  • Mobile devices have smaller screens and URLs are often hidden, making it harder to distinguish a replica from a genuine site; and
  • Unlike traditional endpoints, mobile browsers don’t have protections to save computing power and battery life.

The Good: Zimperium zIPS is the Solution for Mobile Anti-Phishing 

Having taken all of the “bad” and “ugly” into consideration, Zimperium zIPS is once again leading the industry by providing the “good” – –  the first and only on-device, machine learning-based mobile phishing detection solution.

Solving for all of the mobile phishing challenges, zIPS meets all the following requirements: 

  1. Protects against ‘Zero Day’ and known phishing sites.
  2. Protects the user regardless of vector.
  3. Comprehensive on-device detection capabilities with minimal footprint.
  4. Respects user privacy.
  5. Minimal resource and battery impacts.

Zimperium secures mobile devices through on-device detection, rather than requiring remote servers which can violate user’s privacy and can be undermined when attackers control the network. By combining the new phishing detection with our industry leading detections for the other major attack vectors, Zimperium zIPS is now the only solution that has on-device, machine learning-based detections of both phishing sites and phishing apps, e.g.: 

  1. Phishing Sites: Our proprietary machine learning-based algorithm operates on razor thin resources and provides very high efficacy in detecting bad URLs, even in combating ‘Zero Day’ phishing attacks. 
  2. Malicious Apps: zIPS is the only solution that can detect ‘Zero Day’ malicious app attacks on-device.

Summary

Zimperium zIPS is the only on-device, machine learning-based phishing solution for mobile devices. Backed by zLabs research and millions of mobile endpoints, Zimperium provides complete protection for the 60% of your endpoints that are currently exposed and introducing risk to your organization.  For more information contact us here.  

Madhav brings more than 25 years of experience building and delivering enterprise cyber security products for companies. As Chief Product Officer at Zimperium, Madhav leads all aspects of Zimperium’s products, including product management, engineering and IT/Devops operations.