“2013 is the year of mobile malware!”

“2014 is the year of mobile malware!”

“2015 is the year of mobile malware!”

None of the past predictions about it being the year of mobile malware have come true. This has given companies and end users a false sense of mobile security. But will 2016 be the real year of mobile malware?

Past scare tactics and speculation have made IT numb and slow to take proactive protection measures for when the wolf turns out to be real and the sky actually starts falling. What can change the current state of being?

Our attention will be captured by the exact thing that got us to pay attention in the early 2000s: ILOVEYOU.

We Did Not Always Care About Viruses

It’s true: Business PCs were connected to the outside world for years before they were equipped with antivirus protection. It was the ILOVEYOU virus that made everyone stand at attention and take up arms. When a virus infects 55 million unsuspecting users, causing an estimated $10 billion in economic damage, you don’t go back to bed so easily.

IT was awakened to the new world of vulnerability that ILOVEYOU wrought on businesses. Quite frankly, it should not have been the wake-up call it was. The writing was already on the wall with several smaller viruses such as Michelangelo and Melissa, which made headlines in the 1990s.

History Is Repeating Itself

To date, we can safely say that mobile malware has been more of an annoyance than a major headache. In 2010, malware began targeting the most modern OSs. Jumping a few years to 2015, you could easily find news headlines filled with mobile malware:

  • Stagefright was distributed as a multimedia text message and threatened up to 950 million smartphones.
  • KeyRaider stole over 225,000 accounts and thousands of certificates, private keys and purchasing receipts.
  • XcodeGhost put nearly 500 million users at risk, primarily in the Asia-Pacific region.
  • YiSpecter was the first malware to attack non-jailbroken devices by abusing private APIs.

These threats represent the Michelangelos and Melissas of the modern mobile computing age. If history is prone to repeating itself, we know ILOVEYOU_MORE isn’t far away.

Misunderstanding Mobile Malware

One of the largest misconceptions around mobile malware is that it isn’t influenced by PC malware and thus may not be as threatening. PC and mobile malware do differ, and certain malware types remain within their particular domain, but some malware translates easily between the two or can originate in one system and infiltrate the other.

One such malware type is a remote-access Trojan (RAT), which infects a connected mobile device and burrows through the security perimeter of an organization to infect PCs.

Additionally, very sophisticated cybercriminals are using spear phishing to target influential individuals who rely heavily on apps to run their business. With the growth of application use, and the lack of stringent app policies and permissions awareness, attackers are swimming in opportunities to infiltrate organizations and gain control of mobile devices.

Many organizations simply see mobile malware as a one-off threat that’s detrimental only to a single user rather than part of a coordinated enterprise attack. By the time IT sees the mobile threat, the damage is already done across the ecosystem.

The Industry Wakes Up

Realizing the mobile malware threat is very real, the analyst community is leading the market in education. “The Forrester Wave: Enterprise Mobile Management, Q4 2015” had this to say about threat management:

“When a threat compromises one device or app that an employee uses, there are immediate implications for any other corporate system the device or app is connected to. [Infrastructure and operations] pros and their security peers need unified threat management — or visibility and control across all of the employee’s workforce tools — providing the ability to take action immediately and reduce the potential threat.”


Is 2016 the Year of ILOVEYOU on Mobile?

We don’t know for certain that the ILOVEYOU malware will make a comeback, but the warning signs and swell of news coverage have risen exponentially since the calendar flipped. Consider these three factors: The number of mobile devices will grow, the number of mobile app downloads is already in the hundred-billion range and half of all companies have dedicated zero budget to security during mobile app development.

ILOVEYOU 2.0 isn’t certain, but I wouldn’t bet against it.

What You Should Be Doing About Mobile Malware

Here are some final tips and considerations when deciding whether to be the windshield or the bug:

  • Don’t underestimate less intimidating malware such as adware. It’s rapidly becoming weaponized.
  • Have a mobile threat management solution tied to a broader enterprise mobility management product. This will allow for the detection and remediation of mobile malware.
  • Move from a consumer to a corporate app store and restrict third-party app downloads to only trusted, manufacturer-approved apps. This approach could limit the number of apps with baked-in malware.
  • Take inventory of all corporate apps and then scan the code for vulnerabilities.
  • Implement a comprehensive mobile security policy for all employee devices, ensuring ease of use is in equal balance with security.
  • Educate employees on the types of mobile malware the same way the analysts are teaching IT. Let them know how malware can infect their tablets and phones, the signs to look for and company solutions to stop these threats.
