As recently as a year ago, if you asked security, operations and development teams whether the risk from mobile malware was real, you received a mixed response. If you ask the same question today, there is universal agreement that the malware risk is real and growing.

A quick search on mobile malware risk provides countless pointers to both vendor and analyst reports highlighting the growth in this industry. So why have perceptions changed over such a short period of time?

Mobile Malware Comes of Age

One of the key contributors to the threat from mobile malware is the proliferation of applications that conduct real business and access sensitive and confidential information. Typical users may have banking, credit card, hotel, airline and corporate applications installed on their mobile devices. This access is secured, at minimum, with username and password controls.

Cybercriminals are practical actors; they follow the money. They are turning their focus and attention to the mobile platform because of the growth in mobile devices coupled with the opportunity to harvest a wealth of information from each device. Unlike work desktops and laptops, which typically contain only job-related information, mobile devices often combine work and personal information and applications.

Take a Practical Approach to Mobile Security

The weakest link in security is the user. Cybercriminals are now bringing attacks and techniques that initially targeted desktop users to the mobile channel. They are experts at social engineering and are executing targeted spear phishing attacks.

Executives are common targets, as attackers hope to steal usernames and passwords that give access to valuable confidential information. However, no one is immune. Enterprises should invest in basic mobile security awareness and training for all employees. Best practices include mandating that mobile apps can only be downloaded from public app stores such as the Apple App Store or Google Play.

There are also popular best practices if your organization has adopted an enterprise mobility management (EMM) solution. Organizations can enforce their own mobile security best practices on mobile devices they manage. This includes requiring a strong device passcode and ensuring devices are running authorized versions of operating systems.

Market-leading solutions also offer advanced mobile threat management capabilities that can detect mobile malware and automatically take corrective action to protect corporate information. Tight integration with other security products such as identity and access management solutions is also an important consideration.

Do All Mobile Applications Require Security Controls?

Organizations need to identify the mobile apps that require additional security measures. Not all mobile applications necessitate the same level of security testing and protection. For example, a business-to-employee (B2E) conference room reservation app may not need stringent security controls.

However, all apps that access sensitive information should be built securely and protected once they are released. Some apps support businesses and consumers in regulated industries such as health care, where patient information must be kept private. Organizations should take a pragmatic approach to mobile application security and prioritize the most sensitive apps.

The pace of mobile application development is frenetic. There are multiple platforms and operating system releases to support each year. Take a look at the version history of some of the most popular mobile apps. Many released 10 or more updates last year — and that’s on a single mobile platform! The continuous release cycle puts pressure on developers, who in turn may make mistakes in their haste.

There is no malice here, but simple mistakes such as not encrypting data at rest may expose sensitive information to malware. Organizations should adopt automated mobile application testing solutions to quickly isolate and remediate these vulnerabilities.

If the Device Is Secure, Why Protect the App?

Not all mobile applications are installed on devices with EMM solutions; many are on devices that may be insecure. Business-to-consumer (B2C) or business-to-partner (B2P) mobile apps will be on devices that an enterprise cannot manage.

Furthermore, enterprises have no control over the applications that will be installed on the same device with their corporate program. They also won’t be able to tell if a device has been rooted or jailbroken. This lack of visibility makes it imperative that the data these applications use be protected.

Protection requirements extend to the mobile application itself. Cybercriminals can easily download mobile applications. Once they have a copy of the mobile app, readily available and free tools can reverse engineer apps to uncover sensitive intellectual property.

Malicious actors also look for vulnerabilities such as unencrypted data, and there is even a risk of repackaging a mobile app with malware. They may use spear phishing attacks to direct users to bogus app stores to download valid apps packaged with malware. To avoid this risk, all mobile apps that access sensitive information or are targeted at users on unmanaged devices should be hardened against tampering.

Mobile Security Should Be a Requirement — Not an Afterthought

No organization wants to make headlines for a breached website. Why isn’t there the same level of concern and attention placed on mobile applications?

The risk from mobile malware is real. Organizations should take a practical approach to mobile security and educate users, development teams and IT operational professionals. The mobile security investment should be a function of the risk and regulatory requirements. Focusing on features at the expense of security is not a viable strategy.
