For years, we have all been aware of PC-based malware and how it might infect and damage our computers. As a result, most of us are running antivirus software to protect against infection. Many of us have also become ultra-diligent about not opening questionable emails or clicking links that seem suspicious.

However, how many people think about their mobile device as a mini computer that is equally vulnerable to being hacked? Your mobile device is only mini in that it is physically smaller than any computer you’ve owned. It is packed with power: It has more power than the personal computers on the market just a few short years ago. These mini computers are increasingly becoming the target of mobile malware attacks. While your mobile device is a more difficult environment for cybercriminals to operate in, they are becoming more sophisticated — and successful — in their efforts to infect mobile devices.

Blurrier Lines

I’ve always prided myself on being savvy with both Internet and technology security. I’m not your average Joe or an easy mark. I don’t fall for too-good-to-be-true offers, the poorly written emails or the sketchy-looking websites. As a general rule, I can pick out a scam in a heartbeat. However, I’ve recently been looking more closely at what comes through my mobile devices and wondering whether it could be a mobile malware attack. From emails and advertisements that appear to be from online stores where I shop and offers for products that will help me with my golf game to deals on items for which I have recently shopped, it’s increasingly difficult to tell whether these offers are the result of well-designed marketing programs or whether they might actually be spam from increasingly savvy cybercriminals.

The lines are increasingly blurred, and even as an informed security solutions expert, I am no longer as confident as I once was about what I click or don’t click. Then, there are the apps I use. I only shop in the authorized app store because those apps are secure, right? Maybe not. Even for the best apps, I don’t know much about who developed the app or which security gaps might exist once I download and use it.

So, how bad is it? In December 2014, Arxan Technologies published a research report titled “State of Mobile App Security: Apps Under Attack,” which revealed that of the top 100 paid apps, 97 percent of Android and 87 percent of Apple iOS apps have been hacked. To make things worse, it also found that 75 percent of the most popular free Apple iOS apps and 80 percent of the top free Android apps have been hacked. How many of those are installed on my phone — or yours — right now?

Mobile Threats

Moreover, a recent IBM study on mobile dating apps revealed that many of them contain serious security vulnerabilities. These are apps that come from well-known companies, and most users probably never even considered that installing these apps could potentially introduce security issues.

What types of risks are we talking about? Granting access to location services is a very common request when installing an app. By allowing access to location services, you could be telling a cybercriminal where you are, where you have been and where you spend most of your time. Allowing access to your camera and photos is another possible risk. This could lead to someone sifting through your pictures, or activating the camera without your knowledge and taking pictures or video. Then, there are your calendar, contacts and email and all the information they contain. What else might be available to the app and thus potentially available to a cybercriminal? Take a look at this infographic to see some of the interesting statistics and vulnerabilities within these seemingly innocuous dating apps and how many people are using them.

“The State of Mobile Security Maturity,” a study from the Information Security Media Group, indicated that 30 percent of companies say device management is their focus in 2015, with application security coming in second at 25 percent. Device management tends to be about securing the device and addressing device loss or theft and the related data leakage concerns. When you think about loss and theft, they are most likely random events and may not be part of an effort to obtain company secrets. However, application security and mobile malware are different. These attacks can be targeted at specific groups, whether it be by the company, role or some other unique identifier. Often, the cybercriminal begins with a phishing attack and continues to probe until a vulnerability is located. The target could be the person who thinks, “Yeah, I would like to improve my golf game!” Before you know it, that single click results in a major loss of data. In a recent Ponemon Institute study on mobile app security, it was found that more than 11.6 million devices are infected with malware at any given time. The fact is, most of those people don’t even know they are infected. The malicious application is there, actively exploiting the device or possibly waiting for the right opportunity to surface.

In this era of bring-your-own-device (BYOD), it is not possible for companies to dictate how employees use their devices or which apps they download. That freedom underpins the whole premise behind BYOD. End users want to be able to access corporate resources and personal resources without a disruptive end user experience. They want their games and other personal apps to reside side by side with their business content, applications and access. At the same time, employees want to work anywhere from any device and capture improved productivity. If you are supporting BYOD, you absolutely must have a comprehensive strategy for mobile security.

Still think it couldn’t happen to you? Check out this short video to see the effects of what you do in public, and then think about how many times you have done the same.
