As recently as a year ago, if you asked security, operations and development teams whether the risk from mobile malware was real, you received a mixed response. If you ask the same question today, there is universal agreement that the malware risk is real and growing.

A quick search on mobile malware risk provides countless pointers to both vendor and analyst reports highlighting the growth in this industry. So why have perceptions changed over such a short period of time?

Mobile Malware Comes of Age

One of the key contributors to the threat from mobile malware is the proliferation of applications that conduct real business and access sensitive and confidential information. Typical users may have banking, credit card, hotel, airline and corporate applications installed on their mobile devices. This access is secured, at minimum, with username and password controls.

Cybercriminals are practical actors; they follow the money. They are turning their focus and attention to the mobile platform because of the growth in mobile devices coupled with the opportunity to harvest a wealth of information from each device. Unlike work desktops and laptops, which typically contain only job-related information, mobile devices often combine work and personal information and applications.

Take a Practical Approach to Mobile Security

The weakest link in security is the user. Cybercriminals are now bringing attacks and techniques that initially targeted desktop users to the mobile channel. They are experts at social engineering and are executing targeted spear phishing attacks.

Executives are common targets, because attackers hope to steal usernames and passwords that give access to valuable confidential information. However, no one is immune. Enterprises should invest in basic mobile security awareness and training for all employees. Best practices include mandating that mobile apps be downloaded only from public app stores such as the Apple App Store or Google Play.

Further best practices apply if your organization has adopted an enterprise mobility management (EMM) solution. Organizations can enforce their own mobile security best practices on the mobile devices they manage. This includes requiring a strong device passcode and ensuring devices are running authorized versions of operating systems.

Market-leading solutions also offer advanced mobile threat management capabilities that can detect mobile malware and automatically take corrective action to protect corporate information. Tight integration with other security products such as identity and access management solutions is also an important consideration.

Do All Mobile Applications Require Security Controls?

Organizations need to identify the mobile apps that require additional security measures. Not all mobile applications necessitate the same level of security testing and protection. For example, a business-to-employee (B2E) conference room reservation app may not need stringent security controls.

However, all apps that access sensitive information should be built securely and protected once they are released. Some apps support businesses and consumers in regulated industries such as health care, where patient information must be kept private. Organizations should take a pragmatic approach to mobile application security and prioritize the most sensitive apps.

The pace of mobile application development is frenetic. There are multiple platforms and operating system releases to support each year. Take a look at the version history of some of the most popular mobile apps. Many released 10 or more updates last year — and that’s on a single mobile platform! The continuous release cycle puts pressure on developers, who in turn may make mistakes in their haste.

There is no malice here, but simple mistakes such as not encrypting data at rest may expose sensitive information to malware. Organizations should adopt automated mobile application testing solutions to quickly isolate and remediate these vulnerabilities.

If the Device Is Secure, Why Protect the App?

Not all mobile applications are installed on devices with EMM solutions; many are on devices that may be insecure. Business-to-consumer (B2C) or business-to-partner (B2P) mobile apps will be on devices that an enterprise cannot manage.

Furthermore, enterprises have no control over the applications that will be installed on the same device with their corporate program. They also won’t be able to tell if a device has been rooted or jailbroken. This lack of visibility makes it imperative that the data these applications use be protected.

Protection requirements extend to the mobile application itself. Cybercriminals can easily download mobile applications. Once they have a copy of a mobile app, they can use readily available, free tools to reverse engineer it and uncover sensitive intellectual property.

Malicious actors also look for vulnerabilities such as unencrypted data, and there is even a risk of repackaging a mobile app with malware. They may use spear phishing attacks to direct users to bogus app stores to download valid apps packaged with malware. To avoid this risk, all mobile apps that access sensitive information or are targeted at users on unmanaged devices should be hardened against tampering.

Mobile Security Should Be a Requirement — Not an Afterthought

No organization wants to make headlines for a breached website. Why isn’t there the same level of concern and attention placed on mobile applications?

The risk from mobile malware is real. Organizations should take a practical approach to mobile security and educate users, development teams and IT operational professionals. The mobile security investment should be a function of the risk and regulatory requirements. Focusing on features at the expense of security is not a viable strategy.
