There’s no denying that mobile malware is soaring. In 2014, mobile security firm Lookout reported that the number of malware attempts on mobile devices jumped a staggering 75%.
Android users are, unsurprisingly, taking the brunt of it – with around two million forms of Android malware, one in five Android users have encountered at least one mobile threat in the last year, according to security firm Kaspersky, which identifies roughly 5,000 new samples every day.
But alongside these scary statistics, other experts are claiming that mobile malware, as endemic as it might be, is not really that serious a threat.
In amongst the usual ‘doom and gloom’ of its annual breach report, wireless telecoms provider Verizon declared, in a section called ‘I’ve Got 99 Problems and Mobile Isn’t Even 1% of Them’, that the major malware exploits ‘just aren’t happening.’
Though the firm detected hundreds of thousands of malware infections, these were mostly ‘adnoyance’ type programs that simply irritate users with unwanted adverts. Other forensic companies like FireEye also say that mobile devices just don’t show up in their investigations.
Despite its volume and veracity, Verizon and FireEye paint a picture of mobile malware as a cloud of tiny, annoying ticks and parasites that pose no real threat to information security.
So just how concerned should enterprise IT be about mobile malware and the potential threat to their business’s information?
David Kennerley, threat researcher from cyber security firm Webroot, argues that it would be naive to think that mobile malware doesn’t pose a significant security risk for companies.
‘There is a real concern that enterprise decision makers may misinterpret recent reports and not take mobile security as seriously as they should,’ says Kennerley.
The recent case of ‘Gunpoder’ [sic] also highlights a new technique of the malware writers. This piece of malware, disguised as a game emulator app, looked and behaved like adware – all while stealing personal information from the infected Android device, which the cyber criminals then used to commit phishing attacks.
‘Many AV companies classified this malicious app as adware and many users, thinking that adware was ‘more annoying than dangerous’, allowed the app to run,’ says Kennerley.
Don't rest on your laurels
Even when a piece of malware poses no real threat, as Paul Briault, senior director, Solution Sales, Security at CA Technologies points out, it can certainly be a threat to a business’s brand name and reputation, and shouldn’t be overlooked by any company that cares about its customers.
CA’s recent study conducted by Vanson Bourne showed that more than half of enterprises surveyed released at least four customer-facing apps last year.
‘In the fast-paced application economy, the pressure on organisations to quickly launch apps to meet customer demand is greater than ever,’ says Briault. ‘As app and brand become interlocked in organisations’ digital success, enterprises need to be able to provide user experience that matches or surpasses what is experienced in physical stores and premises, on social networks and on web sites – ensuring applications are malware and unwelcome adware free should be a key part of that effort.’
And while a large percentage of mobile malware may be adware, that doesn’t mean more serious threats don’t exist.
‘A significant proportion of malicious mobile software seen in the wild today is adware, but it would be very foolish to lower our defences based on this observation,’ argues Kennerley. ‘Does more adware mean mobile devices are less likely to be infected with more serious malware variants? The answer is no.’
It’s not just malware either. Many legitimate apps have been seen over the last few years to be open to serious data leakage. One example is the discovery of Android’s ‘Stagefright’ vulnerability – pegged as ‘the worst Android bug to date.’
By sending a simple MMS message containing crafted exploit code, and without any interaction from the victim, a hacker is able to do anything from stealing private communications to possibly taking control of the device itself.
A different ball game
However minor the threat from malware might seem from a consumer perspective, the game changes when malware is brought into an enterprise environment, as Lookout’s vice president of products, Aaron Cockerill, argues.
95% of UK businesses allow employees to use personal-enabled mobile devices for work purposes. While this trend enables us to work more flexibly and therefore more productively, keeping these devices secure is a growing challenge.
‘Just consider the nature of the mobile devices,’ says Cockerill. ‘These devices are always ‘on’ and have a consistent set of features which makes them an ideally designed surveillance tool, including microphones, high resolution cameras, embedded GPS and multiple network types – including WiFi, cellular and Bluetooth. The average smartphone also has the capacity to hold gigabytes of data.’
In an enterprise, this data is often highly sensitive and valuable, especially when you consider the prominence of BYOD programs and mobile devices entering the workforce for enterprise and governments alike.
‘While mobile threats have not yet reached the same scale as PC threats in the workforce,’ says Cockerill, ‘remember that mobile is a much newer platform in general and therefore it’s also new for the bad guys.
‘Meanwhile, we have absolutely seen growing sophistication and number of mobile threats over the last few years. It would be unwise for any company to close their eyes on mobile as a threat vector. The reality is that most enterprises do not have the tools to detect these threats today.’
Crossing the gap
So should security professionals be focusing their energies on this low-level malware?
‘No, security pros should not focus on low-level annoyances,’ advises Cockerill.
‘They should focus on malicious threats – examples include data exfiltrating trojans, surveillanceware, aggressive adware that collects contact data to launch phishing attacks and root enablers that compromise OS integrity and device security mechanisms.’
The key is being able to distinguish between what’s ‘low level’ and what’s seriously bad – and then developing a security strategy that meets your organisation’s risk profile and risk tolerance.
In fact, Fortune 500 companies are already experiencing these malicious threats on their devices. Lookout recently ran a study of mobile devices associated with the global networks of 25 Fortune 500 companies across the UK and US and found that 5% of Fortune 500 devices encountered a serious mobile threat over the past year.
Here, ‘serious mobile threat’ does not include chargeware or adware but instead focuses on trojans, surveillanceware and root enablers.
‘This highlights one of the main weaknesses we’re seeing today: There are serious gaps in existing models of security, which are failing to account for the scale, complexity and intelligence of mobile threats that are present today,’ says Cockerill. ‘In other words, there’s a lack of visibility into the mobile threats that enterprises are experiencing.’
Looking forward, mobile malware can’t be ignored. But IT needs to address the problem of mobile malware proportionately, with appropriate insight, and without going ‘overkill’ on the problem.
‘The mobile industry had the benefit of learning from the PC era and therefore designed mobile devices to be less vulnerable to attack,’ explains Cockerill. ‘An example of this is the fact that on iOS and Android, apps are far more isolated from one another and undergo a high level of security scrutiny.’
However, mobile is a highly dynamic industry and as the use cases and value of these devices continue to evolve, so do their threats – the increasing amount of valuable information available on mobile has resulted in these devices being prime targets and in threats becoming more sophisticated.
‘Addressing these threats is not easy, and is further complicated by the fact that these devices are ‘personal.’ A successful solution,’ says Cockerill, ‘needs to address mobile threats, needs to understand the difference between annoying adware and seriously malicious intent, and protect against it without invading the user’s privacy or negatively impacting their overall user experience.’