Vulnerabilities / Threats
10/8/2012
02:47 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Does Mobile Antivirus Software Really Protect Smartphones?

Bad news: Many mobile antivirus apps are useless. Here's what mobile device management and mobile application management experts say you should focus on instead.

October is National Security Month and with good reason: Even a cursory glance at recent technology headlines reveals no shortage of malware threats, with the mobile space--and especially the Android OS--drawing particular attention.

BYOD policies have positioned these risks as significant enterprise concerns. Much has been written about mobile device management (MDM) and mobile application management (MAM) tools, and how these products can insulate businesses against data theft. Even so, because MAM/MDM is a nascent industry, it's natural to wonder whether antivirus is a crucial part of the puzzle, and whether standalone antivirus tools provide legitimate protection.

Recent tests conducted by AV-Comparatives, AV-TEST, and PC Security Labs found that many products failed to protect against malicious programs, but a few standouts achieved virtually perfect detection rates. Case closed? Not exactly.

Savid Technologies CEO Mike Davis said in an interview that many mobile antivirus applications are mired in signature-based tracking, the antiquated method PC vendors used a decade ago, rather than behavioral analysis, a more modern approach that looks at the actions a program attempts to execute, not predefined identifiers in the code. Mobile antivirus products that rely on signatures can be adept at spotting known threats--but if a device downloads a new virus, the security breach might go undetected until damage is already done.

[ Learn more about mobile threats. See Android Warning: 50% Of Devices Need Patching. ]

Davis said vendors are not necessarily to blame because mobile operating systems aren't designed to accommodate behavior-based malware tracking. "There is no root administrative user," he stated, "so the AV doesn't have the full control" it needs for such analysis to occur.

Gartner research VP Peter Firstbrook cautioned in an interview that even if behavior-based, or heuristic, scans were ubiquitous on smartphones and tablets, such methods "haven't stemmed the tide" of viruses on PCs and thus wouldn't render mobile devices unassailable. Behavioral analysis often falters, he said, because "the behavior of a bad application or a good application is a matter of opinion," meaning that a program might be useful when it executes its intended function but malicious if it starts exporting information to an unauthorized third party. To illustrate, he mentioned instant message programs that use keystroke monitors to let users know when their chat counterparts are typing. Such programs exemplify "legitimate APIs and system calls" that can go awry, he explained.

Because of this difficulty, Firstbrook said the selection of a mobile operating system outranks security software when it comes to fending off malware. He said iOS is safer than Android, for example, because "somebody approves every app that it runs," turning the platform into "essentially a closed system" that is more difficult for hackers to penetrate.

He asserted the key iOS security challenges for enterprises involve password protection, encryption, remote wiping, and other MDM/ MAM concerns, as stolen data results primarily from lost devices, not viruses. For Android-based devices, Firstbrook stated that the situation is somewhat different because more users procure apps from illegitimate markets. Indeed, a recent Arxan study found that nearly every popular app on Android has been hacked, illustrating how crucial it is that users use sanctioned sources such as Google Play. The study also found most iOS apps have been hacked, but this fact is somewhat mitigated because iPhone and iPad users are less prone to unofficial markets.

Even the legitimate app markets might not be sufficient, however, according to Jon Clay, senior manager of core technology marketing for security vendor Trend Micro. He stated in an interview that criminals rely primarily on third-party app stores to propagate their schemes but that "quite a few malicious apps" have still infiltrated Google Play. He noted that Google Bouncer is a good step for the Android ecosystem but that it hasn't expurgated threats entirely.

Many businesses consequently "try to stay away from Android," according to Firstbrook. He suggested that this reluctance explains developers' preference for Apple's mobile OS, despite Android's larger user base.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!