Companies Need Defenses Against Mobile Malware

While infection rates -- at least in the U.S. -- remain low, cybercriminals are writing more malware for Android, Symbian, and other platforms. At some point, they'll find the right recipe for profit.

With the past month's parade of quarterly threat reports, one pattern seems clear: Mobile malware is on the rise.

In a report released in late October, security firm Trend Micro found 175,000 different malicious and suspicious packages targeting the Android operating system by the end of the third quarter, a fivefold increase over the previous quarter. Antivirus firm F-Secure saw a similar jump, finding more than 50,000 malware packages targeting Android mobile devices in the third quarter, a tenfold increase compared to the prior quarter.

Yet while mobile malware has become a problem in a few countries, such as Russia and China, overall infection rates are low. In the U.S., for example, multiple reports by network-monitoring researchers have found less than 1 percent of devices infected with malware.

"We are seeing a big sample increase, but not a huge increase, in malware families," says Sean Sullivan, security adviser for F-Secure. "What we are seeing is more of a spam approach on the front end [in the app stores], but we see less activity in terms of infections."

The apparent paradox of massive increases in malware but only infrequent infections is, in part, due to the problems that cybercriminals have in monetizing compromised smartphones and tablets. Most cybercriminals have turned to toll fraud to convert their control of a mobile device into a paycheck. By sending out premium SMS messages to an attacker-owned service, the criminals are able to collect money from the user's phone. However, because premium SMS messages are not a popular way to pay for services in the U.S., the scams are less successful.

For enterprise security managers, the statistics offer a confusing picture of the threat landscape. With the bring-your-own-device trend in full swing -- one survey found that the average mobile worker carries three devices, and then some -- companies need to find ways to benefit from the productivity boost that comes with allowing workers to use their own devices, but without compromising security.

While malware needs to be a focus in the future, current corporate priorities for mobile devices remain essentially unchanged, says Kevin McNamee, security architect of Kindsight, a network security firm.

"The highest priority for the enterprise is that people have company data on their phones -- their contact lists, PowerPoint presentations -- so when the phone is lost, they have to worry about the corporate data being lost," he says.

Yet for most U.S.-based companies with thousands -- or even hundreds -- of employees, mobile malware will likely be carried inside their network sometime in the next year. Juniper Networks, which developed software to help companies manage and secure their employees' smartphones, typically detects malware on 2 to 3 percent of a client company's smartphones each year, says Daniel Hoffman, chief mobile security evangelist for the company.

"Spyware is by far the biggest category of infections that we see," Hoffman says. Rogue spyware -- as opposed to the kind that can be purchased online to, perhaps, legally monitor a person's cell phone usage -- makes up the lion's share of what Juniper detects. Fake installers, which wrap legitimate software in a malicious installer, are an increasingly popular tactic, while trojans that use SMS to sign users up for premium services are the third most popular type of malware detected in corporate networks, according to Juniper.

[A spate of research into mobile devices as sensor platforms has shown that compromised smartphones can be turned into insiders -- eavesdropping on phone calls, 'shoulder-surfing' for passwords, or looking around an office. See Mobile Trojans Can Give Attackers An Inside Look.]

Up-and-coming threats include many that security firms have found on PCs: scareware that attempts to convince victims that they must pay a fee to clean off their phones, bot-like programs that turn the phone into a text-message spam machine, and banking trojans that attempt to steal a victim's username and password to transfer money.

But targeted attacks on companies should also be a worry, Kindsight's McNamee says. The fact that phones constantly travel between untrusted networks on the outside of a company and back inside the corporate network makes them valuable to attackers as a conduit to sensitive data. Developing policies to prevent devices from being used as a way into the company's trusted network is important, he says.

"If you are in enterprise security and are worried about the phones that your employees are bringing to work, you have to look a year or so down the road to see what threats are going to be on the landscape," he said.

And mobile malware should be near the top of the list, he says.

User Rank: Apprentice
11/10/2012 | 5:39:48 AM
re: Companies Need Defenses Against Mobile Malware
Mobile malware should be a huge concern for businesses and individuals today, and the fact that so many continue to "ignore" this threat is because a lot of big players in the mobile industry - like mobile ad networks - haven't done a diligent job of putting proper safeguards in place. I will praise Airpush for taking a positive step toward cracking down on mobile malware through its new partnership with Appthority. This should set a standard for others to follow -
User Rank: Apprentice
11/9/2012 | 7:30:32 PM
re: Companies Need Defenses Against Mobile Malware
This sounds a little like the beginning days of threats on PCs, where there was a lot of activity, but the actual impact was minimal in comparison. I wonder whether all of these phones-as-mobile-wallet activities will provide that monetary payback (I mean that in a bad way, of course).