For years, we have all been aware of PC-based malware and how it might infect and damage our computers. As a result, most of us are running antivirus software to protect against infection. Many of us have also become ultra-diligent about not opening questionable emails or clicking links that seem suspicious.
However, how many people think about their mobile device as a mini computer that is equally vulnerable to being hacked? The reality is that your mobile device is only mini in that it is physically smaller than any computer you’ve owned. In reality, it is packed with power: It has more power than the personal computers on the market just a few short years ago. These mini computers are increasingly becoming the target of mobile malware attacks. While your mobile device is a more difficult environment for cybercriminals to operate in, they are becoming more sophisticated — and successful — in their efforts to infect mobile devices.
Blurrier Lines
I’ve always prided myself on being savvy with both Internet and technology security. I’m not your average Joe or an easy mark. I don’t fall for too-good-to-be-true offers, the poorly written emails or the sketchy-looking websites. As a general rule, I can pick out a scam in a heartbeat. However, I’ve recently been looking more closely at what comes through my mobile devices and wondering whether it could be a mobile malware attack. From emails and advertisements that appear to be from online stores where I shop and offers for products that will help me with my golf game to deals on items for which I have recently shopped, it’s increasingly difficult to tell whether these offers are the result of well-designed marketing programs or whether they might actually be spam from increasingly savvy cybercriminals.
The lines are increasingly blurred, and even as an informed security solutions expert, I am no longer as confident as I once was about what I click or don’t click. Then, there are the apps I use. I only shop in the authorized app store because those apps are secure, right? Maybe not. Even for the best apps, I don’t know much about who developed the app or which security gaps might exist once I download and use it.
So, how bad is it? In December 2014, Arxan Technologies published a research report titled, “State of Mobile App Security: Apps Under Attack,” which revealed that of the top 100 paid apps, 97 percent of Android and 87 percent of Apple iOS apps have been hacked. To make things worse, it also found that 75 percent of the most popular free Apple iOS apps and 80 percent of the top free Android apps were found to have been hacked. How many of those are installed on my phone — or yours — right now?
Mobile Threats
Moreover, a recent IBM study on mobile dating apps revealed that many of them contain serious security vulnerabilities. These are apps that come from well-known companies, and most users probably never even considered that installing these apps could potentially introduce security issues.
What type of risks are we talking about? Granting access to location services is a very common request when installing an app. By allowing access to location services, you could be telling a cybercriminal where you are, where you have been and where you spend most of your time. Allowing access to your camera and photos is another possible risk. This could lead to someone sifting through your pictures, activating the camera without your knowledge and taking pictures or video. Then, there are your calendar, contacts and email and all the information they contain. What else might be available to the app and thus potentially available to a cybercriminal? Take a look at this infographic to see some of the interesting statistics and vulnerabilities within these seemingly innocuous dating apps and how many people are using them.
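One way to check what an app asks for before it reaches a managed device is to audit its declared permissions. The following is an added example, not part of the original article: it assumes an Android app whose `AndroidManifest.xml` has already been decoded to text, and the sample manifest, the package name `com.example.golftips` and the grouping into categories are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission names mapped to the data categories the article lists.
# The category labels are this example's own grouping.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "photos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "accounts",
}

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.golftips">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALENDAR"/>
    <application android:label="Golf Tips"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (package, {category: [permission, ...]}) for sensitive requests."""
    # For manifests from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(xml_text.strip())
    findings = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            category = SENSITIVE.get(name)
            if category:
                findings.setdefault(category, []).append(name)
    return root.get("package"), findings

def summarize(xml_text):
    """One line per data category the app can reach, sorted for stable output."""
    package, findings = audit_manifest(xml_text)
    return [f"{package}: {cat} via {', '.join(sorted(perms))}"
            for cat, perms in sorted(findings.items())]
```

A declared permission only shows what the app may request; whether the user granted it is a separate runtime state on the device.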
“The State of Mobile Security Maturity,” a study from the Information Security Media Group, indicated that 30 percent of companies say device management is their focus in 2015, with application security coming in second at 25 percent. Device management tends to be about securing the device and addressing device loss or theft and the related data leakage concerns. When you think about loss and theft, they are most likely random events and may not be part of an effort to obtain company secrets. However, application security and mobile malware are different. These attacks can be targeted at specific groups, whether it be by the company, role or some other unique identifier. Often, the cybercriminal begins with a phishing attack and continues to probe until a vulnerability is located. The target could be the person who thinks, “Yeah, I would like to improve my golf game!” Before you know it, that single click results in a major loss of data. In a recent Ponemon Institute study on mobile app security, it was found that more than 11.6 million devices are infected with malware at any given time. The fact is, most of those people don’t even know they are infected. The malicious application is there, actively exploiting the device or possibly waiting for the right opportunity to surface.
In this era of bring-your-own-device (BYOD), it is not possible for companies to dictate how employees use their devices or which apps they download. That freedom underpins the whole premise behind BYOD. End users want to be able to access corporate resources and personal resources without a disruptive end user experience. They want their games and other personal apps to reside side by side with their business content, applications and access. At the same time, employees want to work anywhere from any device and capture improved productivity. If you are supporting BYOD, you absolutely must have a comprehensive strategy for mobile security.
Still think it couldn’t happen to you? Check out this short video to see the effects of what you do in public, and then think about how many times you have done the same.
https://www.youtube.com/watch?v=nG36lKhy7ko
Market Segment Manager, Mobile Security, IBM