There are currently 2 billion smartphone users in the world. These users have amassed over 268 million downloads. It should then come as little surprise that cybercriminals have turned their attention to attacking mobile devices and the users to which they’re attached. The share of mobile devices infected with malware currently stands at 1.12%, as reported by IBM Trusteer. This infection rate has drawn equal to PC infection rates. These figures clearly indicate that there must be money to be made producing mobile malware. We’ll examine the main types of mobile exploits, the motivation behind them, mobile device vulnerabilities (this will shock and appall you), and what users and organizations can do to better protect themselves when going mobile.
Mobile exploits fall into the following categories:
- Phishing exploits to trick users into entering financial or personal info into fake mobile web forms or downloading malware infected apps used to steal sensitive info.
- AdWare – basically harmless, but extremely annoying, sometimes requiring reinstalling the mobile OS.
- Premium-rate SMS fraud - users are tricked into responding to a text message, enabling a module which will start sending SMS messages to premium rate numbers at the user’s expense.
- Malware that locks users out of their devices, essentially acting as mobile ransomware.
The Android platform currently provides the largest attack surface due to the open nature of its APIs. Malware targeting Android is relatively easy to create as well as to monetize. Mobile bots for Android sell for upwards of $5,000 in underground marketplaces. Any of the exploits listed above can add up to a nice windfall for those controlling mobile malware.
Android further compounds its vulnerabilities with the exceedingly high number of outdated OS versions that remain in circulation. This appalling state of affairs falls primarily on mobile device manufacturers and wireless carriers. Manufacturers often don’t want to incur the overhead of creating and pushing out newer versions of the Android OS, since it requires development effort to create customized versions of the OS for each of their devices. Wireless carriers aren’t keen on the increased bandwidth usage required to deliver OS updates. A smaller portion of the blame needs to rest with users who neglect to update in the rare event that updates are available for their device. As a result, ancient versions of Android such as Froyo and Gingerbread are still out there. Mobile cybercriminals drool over such vulnerabilities!
Apple’s iOS platform is not completely immune from mobile malware, so fanboys (and girls) shouldn’t get too smug. An iOS-based malware named “XcodeGhost” infects the iOS development platform itself and in turn infects apps produced using it. These infected apps then get uploaded to the Apple App Store unbeknownst to the developer, Apple and ultimately unsuspecting customers. Not to be outdone, Android is targeted by the Masterkey malware, which modifies Android app packages (APKs), effectively turning legit apps into malicious Trojans.
To state that mobile security is lagging is a laughable understatement. Things get more complex, and subsequently messier, within the enterprise and the prevalence of BYOD policies.
Often that’s where Enterprise Mobility Management policies begin and end: bring your own device into work and have at it. So what can be done to protect both business and personal users when going mobile? Below are some key steps everyone should follow when it comes to downloading mobile apps and using mobile devices.
- Only download mobile apps from legitimate app stores. This comes down to the Apple App Store and Google Play. Organizations may wish to consider creating internal company app stores to house both approved commercial apps and internally-created business apps.
- Keep devices updated. This is easier said than done for the Android platform as previously mentioned, however, opting for Google-sanctioned phones or higher-priced Android phones can make things easier when it comes to timely updates.
- Don’t let your guard down when evaluating potential phishing attacks. The same holds on mobile as it does in PC-land.
- Don’t download apps from music sharing sites or porn sites. This should go without saying, but see first bullet point.
- Don’t root or jailbreak your mobile devices. This disables built-in security features and leaves the device wide open for attack. Sideloading apps is also dangerous. This should be left to developers. Rooted devices should never be allowed on the corporate network.
- Encrypt your devices. Protecting the data at rest on the device will protect it from both malware on the device as well as from thieves if stolen. Stolen devices actually present more of a risk than malware to user data.
- Install anti-malware software on your devices. This only applies currently to Android, but many good options exist, including many free versions.
A perfect storm is brewing with the explosive growth of mobile device usage and a general lack of security awareness when it comes to mobile threats. This is of particular concern in enterprise use cases. For Cybrarians paying attention, this also presents a tremendous growth opportunity for a specialized career track in Enterprise Mobility Management. Get training!