Symantec Mobile Threat Defense: Using Mobile to Stay One Step Ahead of PC Attacks

If daily headlines about cyber breaches teach us anything, it’s that hackers will try any way to infiltrate an organization and get their hands on sensitive data.

In recent years, mobile has served as a particularly attractive attack vector. With more and more people relying on their mobile devices for work, and with security teams having less visibility or control over BYO devices, mobile has offered attackers a less-scrutinized way to penetrate corporate assets (networks, devices, apps, etc.). While mobile devices themselves are vulnerable to threats such as malicious apps, SMS phishing, risky Wi-Fi networks, and others, mobile can also take part in attacks that target traditional endpoints in your organization.

Harmful PC Files on Mobile

Employees access corporate data on their mobile devices, anywhere and at any time. Consider that one of the first things someone does in the morning is check their email/messages on their phone. Then they may access apps, chat with colleagues or friends, or continue reading emails on their morning commute. As employees move from one place to another, their mobile devices automatically connect to various networks which they then use to access corporate resources. Think about how much data may be accessed even before an employee opens their laptop or desktop at work. This access continues throughout the day, making mobile an attractive target for cyber-attacks.

Here’s where it gets more complicated. While employees are increasingly conducting business transactions on mobile devices, through corporate apps such as Salesforce or Outlook, sometimes mobile devices may be accessing data from apps that are not monitored by IT, such as encrypted instant messaging apps, wireless sharing, and personal email. Malicious actors can use these unmanaged apps to send harmful files to victims. In most cases, if an organization’s mobile devices are protected by a mobile threat defense (MTD) solution, then malicious files on mobile will be detected. But if these files are harmful only when executed on a PC, chances are they’ll evade standard MTD detection.

Consequently, an employee might open one of these files on their traditional endpoint (laptop or desktop) giving attackers access to corporate resources without security teams having any visibility over it. For example, an employee may get via their WhatsApp (or another unmonitored messaging app) what appears to be an innocent file – but is actually a malicious PDF – from the infected device of a colleague or friend. The sender may be unaware that their device is infected, and the receiver, trusting the sender, will try to open the file. As the PDF might not appear or open properly on the receiver's mobile device, the victim may try to open it on their laptop. Alternatively, if the file seems fine, the employee may pass it on to another colleague via Slack, and from there the colleague may open it on their PC.

If proper security controls are not in place in the organization, opening the file on a traditional endpoint can have hazardous consequences. Attackers can leverage this attack vector to cause greater damage throughout the organization, moving laterally through the network and searching for key data to steal.

Since various types of PC malware such as spyware, viruses, worms, trojans, and others generally do not impact mobile devices as they do PCs, these threats avoid raising any red flags in terms of mobile security. The real risk occurs when these files reach traditional endpoints. As mobile usage increases, the chance of files sent from mobile devices being opened or shared on traditional endpoints increases as well.

An Extra Layer of Visibility

Symantec, one of the only vendors that provides a solution for both modern and traditional endpoints (laptops and desktops, as well as iOS and Android devices) and is a market leader in both, protects against exploitation from all malicious files no matter what endpoint or platform your employees are using. We utilize our endpoint detection engines and technology everywhere your employees access corporate data – mobile, desktop, email, and network, and give both security teams and end users an additional layer of visibility over their threat landscape.

Our mobile threat defense (MTD) solution, Symantec Endpoint Protection Mobile (SEP Mobile), uses deep intelligence on file reputation to detect harmful PC files on Android devices. Reputation insight comes from Symantec’s Global Intelligence Network (GIN), the largest civilian threat intelligence database in the world, covering telemetry from more than 175 million endpoints.

Detection of malicious PC files is a standard component of any anti-virus solution for traditional endpoints, but SEP Mobile uniquely brings this capability to mobile. Beyond protecting organizations from malware that directly affects their mobile endpoints, we protect organizations from malware that uses mobile as a gateway into an organization’s other machines and assets. SEP Mobile catches the threat on the modern endpoint, which is not at risk, to minimize the chance that the threat gets to the traditional endpoint that is at risk.

Visibility over PC malware on Android enables security teams to reduce the attack surface: they can proactively stop the threat in the early stages of the attack, as opposed to responding to it only after malicious actors have penetrated the organization and spread to other assets. Customers benefit from added visibility, which they didn’t have before, over a platform where their end users are very much engaged. On top of that, improved visibility contributes to prevention because end users are alerted to the threat and therefore know not to download or open malicious files on their traditional endpoints.

Forensics for Threat Hunting

In every harmful PC file incident detected by SEP Mobile, we provide granular forensics on the malware family and its path on the device. The SEP Mobile management console includes a brand new “Files” threat family, which contains the harmful PC file detection and other file-based threats.

In the example below, SEP Mobile detected PC malware on an Android device in one of our customer environments. We can see in the forensics that the malicious file is a Trojan, it was sent to the end user via the popular messaging app Telegram, and the user first saw or opened this file on their mobile device. The forensics also reference further information from Symantec’s security research center on the virus and its consequences when executed on a PC.

These incident forensics allow threat hunting on other endpoints, for example, in cases where the same file received on mobile was copied or opened on a traditional endpoint. Admins can see how the malware spread and what other users and devices it was sent to, therefore helping them make smarter decisions on the best course of remediation.

Protection Across All Endpoints

SEP Mobile’s harmful PC files detection supports our vision of providing holistic protection across all endpoints in an organization. Rather than perpetuating silos that have existed between different endpoints, as has been generally done in mobile threat defense, Symantec combines preventative and automated detection and response that delivers protection across all your company’s endpoints. Our detection of PC malware on mobile joins a host of other powerful detections that use telemetry from Symantec’s GIN to catch threats that others can’t. We provide visibility on threats before end users open them on traditional endpoints, enabling organizations to always stay one step ahead of attackers.