Common Mobile Incidents

Listed here are a number of common scenarios you may encounter when responding to a mobile incident:

  • Mobile malware discovered
  • Device acting suspiciously
  • Device lost or stolen
  • Insider attack via mobile device
  • Support for an internal investigation (e.g., e-discovery, legal hold)
  • Data breach via mobile device

Mobile malware discovered

While mobile malware is overhyped by the security industry, it certainly exists. It is more prevalent in the Android ecosystem due to the ability to more easily distribute and install apps outside the Google Play store.

The two most common mobile malware incidents encountered are:

  1. Malware installed on an individual's device
  2. Malware impersonating your brand

The first situation generally impacts a single or small group of devices that are part of an organization (e.g., corporate-owned devices, employee-owned devices or BYOD, consultants).

In the second scenario, an unauthorized actor generally publishes a mobile app that targets your customers by impersonating your brand. Since this impacts your customers, the response steps vary significantly from an individual incident.

We discuss both of these scenarios in our mobile case studies later in the book and develop incident response playbooks for them as well.

Device acting suspiciously

In many instances, an employee or contractor will inform the IT, security or incident response team that their device is acting suspiciously. This is a challenging scenario due to:

  • Limited visibility into the device
  • A lack of historical data
  • Any number of possible explanations or causes (and only some qualify as an incident)
  • The sensitive nature of accessing an individual's mobile device
  • Urgency due to potential impact and utility of a mobile device
  • The incident reporter's accuracy

Device lost or stolen

A lost or stolen mobile device is probably the best understood of these scenarios. Both Android and iOS have built-in capabilities for locating a lost or stolen device, locking it and performing a remote wipe.

However, with the information provided in this book, the security team can better gauge the potential impact of this type of event, provided it has access to device properties such as the operating system version and a list of installed apps. Armed with this information, a much clearer picture of the data at risk can inform the response and resolution of the incident.
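To show how the device properties mentioned above (OS version and installed apps) can drive an assessment of the data at risk, here is an added example that is not part of the book. The JSON inventory format, the mapping of app identifiers to data categories, the minimum OS versions and the device records are all constructed for illustration; a real deployment would take them from its MDM and its own app classification.

```python
"""Triage the data at risk on a lost or stolen device from an MDM-style inventory.

Added example; the record format, app classification and version thresholds
below are assumptions made for this illustration, not a real product's schema.
"""
import json
from dataclasses import dataclass, field

# Assumed minimum OS versions below which we treat the platform as missing
# important protections (constructed threshold, not a vendor recommendation).
MIN_OS_VERSION = {"android": (8, 0), "ios": (12, 0)}

# Constructed mapping of installed app identifiers to the categories of data
# they typically hold on the device.
APP_DATA_CATEGORIES = {
    "com.example.mail": {"email", "contacts", "attachments"},
    "com.example.crm": {"customer_pii", "sales_data"},
    "com.example.vpn": {"network_credentials"},
    "com.example.chat": {"internal_messages"},
    "com.example.game": set(),
}


@dataclass
class Assessment:
    device_id: str
    data_at_risk: set
    exposure: str                       # "low", "medium" or "high"
    findings: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def parse_version(text):
    """'8.1.0' -> (8, 1), comparable with the MIN_OS_VERSION tuples."""
    parts = text.split(".")
    major = int(parts[0])
    minor = int(parts[1]) if len(parts) > 1 else 0
    return (major, minor)


def assess_device(record):
    """Combine device protections and installed apps into a data-at-risk verdict."""
    data_at_risk, findings = set(), []

    # Which data categories are resident on the device, based on installed apps.
    for app in record["installed_apps"]:
        if app in APP_DATA_CATEGORIES:
            data_at_risk |= APP_DATA_CATEGORIES[app]
        else:
            findings.append(f"unknown app {app}: data holdings not classified")

    platform = record["platform"].lower()
    outdated = parse_version(record["os_version"]) < MIN_OS_VERSION.get(platform, (0, 0))
    passcode = bool(record.get("passcode_enabled"))
    encrypted = bool(record.get("storage_encrypted"))
    if outdated:
        findings.append(f"{platform} {record['os_version']} is below the minimum supported version")
    if not passcode:
        findings.append("no passcode: anyone holding the device can read local data")
    if not encrypted:
        findings.append("storage not encrypted: data recoverable from the flash directly")

    # Exposure depends on what is on the device and how well it is protected.
    if not data_at_risk:
        exposure = "low"
    elif not passcode or not encrypted:
        exposure = "high"
    elif outdated:
        exposure = "medium"
    else:
        exposure = "low"

    actions = ["remote lock"]
    if exposure != "low" or "customer_pii" in data_at_risk:
        actions.append("remote wipe")
    if "network_credentials" in data_at_risk:
        actions.append("rotate VPN credentials")
    if data_at_risk & {"email", "internal_messages"}:
        actions.append("revoke device sessions and tokens")
    return Assessment(record["device_id"], data_at_risk, exposure, findings, actions)


def triage_inventory(json_text):
    """Parse an inventory (list of device records) and assess each device."""
    return {a.device_id: a for a in (assess_device(r) for r in json.loads(json_text))}


# Constructed sample inventory: three devices with different protection levels.
SAMPLE_INVENTORY = json.dumps([
    {"device_id": "D-1", "platform": "Android", "os_version": "7.1.2",
     "passcode_enabled": False, "storage_encrypted": False,
     "installed_apps": ["com.example.mail", "com.example.crm",
                        "com.example.vpn", "com.unknown.flashlight"]},
    {"device_id": "D-2", "platform": "iOS", "os_version": "15.4",
     "passcode_enabled": True, "storage_encrypted": True,
     "installed_apps": ["com.example.game", "com.example.chat"]},
    {"device_id": "D-3", "platform": "iOS", "os_version": "11.2",
     "passcode_enabled": True, "storage_encrypted": True,
     "installed_apps": ["com.example.mail"]},
])

if __name__ == "__main__":
    for dev_id, a in triage_inventory(SAMPLE_INVENTORY).items():
        print(dev_id, a.exposure, sorted(a.data_at_risk), a.actions, a.findings)
```

The point of the example is the combination: the same lost device rates very differently depending on whether it holds customer data and whether a passcode and storage encryption stand between the finder and that data, which is exactly what an OS version and app list let the responder work out before deciding between a remote lock and a full wipe.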

Insider attack via mobile device

Detecting insider attacks is incredibly difficult, even more so on a mobile device because the device telemetry data available is limited and security tools are still evolving. The most likely event would involve an individual already under suspicion, and an incident responder being asked to perform an investigation on the mobile device.

Support for an internal investigation

Internal investigations, especially at larger organizations, are fairly common. Examples include:

  • Data theft by a departing employee
  • Employee violation of company policies
  • Litigation freeze or e-discovery request

Data breach via mobile device

As mobile devices play a greater role in the daily operations of large organizations, there is an increased risk of sensitive data (e.g., customer data, PII) being leaked or breached in an attack. While many incident response teams have well-practiced responses for incidents like this involving servers, very few have addressed the growing risk from mobile devices.