The Boy Who Cried Mobile Malware
“2013 is the year of mobile malware!”
“2014 is the year of mobile malware!”
“2015 is the year of mobile malware!”
None of the past predictions about it being the year of mobile malware have come true. This has given companies and end users a false sense of mobile security. But will 2016 be the real year of mobile malware?
Past scare tactics and speculation have made IT numb and slow to take proactive protection measures for when the wolf turns out to be real and the sky actually starts falling. What can change the current state of being?
Our attention will be captured by the exact thing that got us to pay attention in the early 2000s: ILOVEYOU.
We Did Not Always Care About Viruses
It’s true: Business PCs were connected to the outside world for years before they were equipped with antivirus protection. It was the ILOVEYOU virus that made everyone stand at attention and take up arms. When a virus infects 55 million unsuspecting users, causing an estimated $10 billion in economic damage, you don’t go back to bed so easily.
IT was awakened to the new world of vulnerability that ILOVEYOU wrought on businesses. Quite frankly, it should not have been the wake-up call it was. The writing was already on the wall with several smaller viruses such as Michelangelo and Melissa, which made headlines in the 1990s.
History Is Repeating Itself
To date, we can safely say that mobile malware has been more of an annoyance than a major headache. In 2010, malware began targeting the most modern OSs. Jumping a few years to 2015, you could easily find news headlines filled with mobile malware:
- Stagefright was distributed as a multimedia text message and threatened up to 950 million smartphones.
- KeyRaider stole over 225,000 accounts and thousands of certificates, private keys and purchasing receipts
- XcodeGhost put nearly 500 million users at risk, primarily in the Asia-Pacific region.
- YiSpecter was the first malware to attack non-jailbroken devices by abusing private APIs.
These threats represent the Michelangelos and Melissas of the modern mobile computing age. If history is prone to repeating itself, we know ILOVEYOU_MORE isn’t far away.
Misunderstanding Mobile Malware
One of the largest misconceptions around mobile malware is that it isn’t influenced by PC malware and thus may not be as threatening. But while the differences between PC and mobile malware vary, and certain malware types remain within their particular domain, there are instances of malware that are easily translatable between the two or that can originate in one system and infiltrate the other.
One such malware type is a remote-access Trojan (RAT), which infects a connected mobile device and burrows through the security perimeter of an organization to infect PCs.
Additionally, very sophisticated cybercriminals are using spear phishing to target influential individuals who are all about app usage for running business. With the growth of application use — and the lack of stringent app policies and permissions awareness — attackers are swimming in opportunities to infiltrate organizations and gain control of mobile devices.
Many organizations simply see mobile malware as a one-off threat that’s detrimental only to a single user rather than part of a coordinated enterprise attack. By the time IT sees the mobile threat, the damage is already done across the ecosystem.
The Industry Wakes Up
Realizing the mobile malware threat is very real, the analyst community is leading the market in education. “The Forrester Wave: Enterprise Mobile Management, Q4 2015” had this to say about threat management:
“When a threat compromises one device or app that an employee uses, there are immediate implications for any other corporate system the device or app is connected to. [Infrastructure and operations] pros and their security peers need unified threat management — or visibility and control across all of the employee’s workforce tools — providing the ability to take action immediately and reduce the potential threat.”
Is 2016 the Year of ILOVEYOU on Mobile?
We don’t know for certain that the ILOVEYOU malware will make a comeback, but the warning signs and swell of news coverage have risen exponentially since the calendar flipped. Consider these three factors: The number of mobile devices will grow, the number of mobile app downloads is already in the hundred-billion range and half of all companies have dedicated zero budget to security during mobile app development.
ILOVEYOU 2.0 isn’t certain, but I wouldn’t bet against it.
What You Should Be Doing About Mobile Malware
Here are some final tips and considerations when deciding whether to be the windshield or the bug:
- Don’t underestimate less intimidating malware such as adware. It’s rapidly becoming weaponized.
- Have a mobile threat management solution tied to a broader enterprise mobility management product. This will allow for the detection and remediation of mobile malware.
- Move from a consumer to a corporate app store and restrict third-party app downloads to only trusted, manufacturer-approved apps. This approach could limit the number of apps with baked-in malware.
- Take inventory of all corporate apps and then scan the code for vulnerabilities.
- Implement a comprehensive mobile security policy for all employee devices, ensuring ease of use is in equal balance with security.
- Educate employees on the types of mobile malware the same way the analysts are teaching IT. Let them know how malware can infect their tablets and phones, the signs to look for and company solutions to stop these threats.