While the first generation of mobile threats was primarily using vectors and methods seen in the PC world, we are beginning to see new threats specifically designed to exploit mobile devices. The threats is not just malicious apps, but also regular apps that are vulnerable to attacks.

Until now, the centralized software distribution model seen with the AppStore and Google Play has helped protect our devices from malware. This concept came as a lesson we all learned from the PC, where software distribution is not controlled and so malware is common. Apps on official stores are less likely to be malicious, but it doesn’t mean they are not vulnerable to attacks.

Hackers love to find vulnerabilities. Almost every software program has vulnerabilities that are waiting to be discovered and mobile apps are not an exception. As official app stores make it difficult for hackers to directly upload malicious apps, they have instead begun hunting for vulnerable apps to attack.

Vulnerable Apps are not always removed from the App stores and as many have been left unmaintained by developers, creating an opportunity for hackers to exploit them.

New threats will emerge

As a result I expect to see a rise in the discovery of mobile app vulnerabilities during 2015. Here are a few examples:

• Voice activation – Voice activated software is a standard feature on smartphones and are also appearing in smart TVs and other Internet-connected devices. However many of the implementations are vulnerable to voice activation attacks. This is because it does not authenticate the source of the voice – it could be you speaking, or equally it could be a synthesized voice coming out of an app – yes, even a game can play a sound an send an email to your contacts on your behalf.

• Mobile browsers – For the average user, browsers on mobile are very difficult to operate. Small screens mean you see only a fraction of the URL, making it easy disguise a malicious URL. Drive-by infections, which are well known to PC users, will soon come to mobile users as well. Not surprising, mobile browsers are also vulnerable to JavaScript exploits that can be triggered by a hacker remotely. That could mean streaming video to or from a device, even if it is locked.

• Radio-based threats (Wi-Fi, Bluetooth, NFC) – mobile devices are constantly broadcasting over radio frequencies in order to connect and transfer data. Rough access points and over-the-air sniffers can capture transmitted data, reply with malicious content or even modify the values in the data over-the-air.

• Masque Attacks and malicious Profiles – as mobile users have less visibility on the files being downloaded on the device, like the running processes and settings, hackers will continue to use these limitations to mislead the user to download and install malicious files to their devices from outside the Appstore. However apps on app store are also vulnerable and I predict the number of malware detections from recognized app stores to increase in 2015.

Data will become more valuable and more threatened

Mobile devices are much more personal than our PCs ever could be. The data on them is much more intimate and is a much more rewarding target for hackers. In 2015, I expect data, especially that held on our mobile devices, to come under much greater scrutiny.

In particular, I foresee three threats to our data in the coming year:

• Physical tracking – criminals or law enforcement can use location data stored on your phone to identify important places (such as home or place of work), analyze behavior such as a daily route or absence from home.
• Data stealing – in mobile, everything is broadcast through the air, that means data is vulnerable to being intercepted as it travels. Credentials, financials, transactions or payments can all be captured and recorded by 3^rd
• Commercial tracking – mainly done by retailers to better understand the behavior of their visitors. Think online analytics but for the physical world.

Payments will also go mobile

The public’s positive reception of Apple Pay heralded a new phase of consumer payment methodology. Although Apple is not the first to introduce mobile payment, their offering came at a good time and the implementation seems to be practical and secure.

As mobile payments are a new experience for consumers, I expect to see social engineering attacks where hackers will try to confuse and mislead in order to steal credentials and personal data. This is expected to be the first phase of attacks. Once consumers are more familiar with the technology, attacks on vulnerable apps and even on the payment services are expected to soar.