Vulnerabilities / Threats
10/8/2012
02:47 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Does Mobile Antivirus Software Really Protect Smartphones?

Bad news: Many mobile antivirus apps are useless. Here's what mobile device management and mobile application management experts say you should focus on instead.

October is National Security Month and with good reason: Even a cursory glance at recent technology headlines reveals no shortage of malware threats, with the mobile space--and especially the Android OS--drawing particular attention.

BYOD policies have positioned these risks as significant enterprise concerns. Much has been written about mobile device management (MDM) and mobile application management (MAM) tools, and how these products can insulate businesses against data theft. Even so, because MAM/MDM is a nascent industry, it's natural to wonder whether antivirus is a crucial part of the puzzle, and whether standalone antivirus tools provide legitimate protection.

Recent tests conducted by AV-Comparatives, AV-TEST, and PC Security Labs found that many products failed to protect against malicious programs, but a few standouts achieved virtually perfect detection rates. Case closed? Not exactly.

Savid Technologies CEO Mike Davis said in an interview that many mobile antivirus applications are mired in signature-based tracking, the antiquated method PC vendors used a decade ago, rather than behavioral analysis, a more modern approach that looks at the actions a program attempts to execute, not predefined identifiers in the code. Mobile antivirus products that rely on signatures can be adept at spotting known threats--but if a device downloads a new virus, the security breach might go undetected until damage is already done.

[ Learn more about mobile threats. See Android Warning: 50% Of Devices Need Patching. ]

Davis said vendors are not necessarily to blame because mobile operating systems aren't designed to accommodate behavior-based malware tracking. "There is no root administrative user," he stated, "so the AV doesn't have the full control" it needs for such analysis to occur.

Gartner research VP Peter Firstbrook cautioned in an interview that even if behavior-based, or heuristic, scans were ubiquitous on smartphones and tablets, such methods "haven't stemmed the tide" of viruses on PCs and thus wouldn't render mobile devices unassailable. Behavioral analysis often falters, he said, because "the behavior of a bad application or a good application is a matter of opinion," meaning that a program might be useful when it executes its intended function but malicious if it starts exporting information to an unauthorized third party. To illustrate, he mentioned instant message programs that use keystroke monitors to let users know when their chat counterparts are typing. Such programs exemplify "legitimate APIs and system calls" that can go awry, he explained.

Because of this difficulty, Firstbrook said the selection of a mobile operating system outranks security software when it comes to fending off malware. He said iOS is safer than Android, for example, because "somebody approves every app that it runs," turning the platform into "essentially a closed system" that is more difficult for hackers to penetrate.

He asserted the key iOS security challenges for enterprises involve password protection, encryption, remote wiping, and other MDM/ MAM concerns, as stolen data results primarily from lost devices, not viruses. For Android-based devices, Firstbrook stated that the situation is somewhat different because more users procure apps from illegitimate markets. Indeed, a recent Arxan study found that nearly every popular app on Android has been hacked, illustrating how crucial it is that users use sanctioned sources such as Google Play. The study also found most iOS apps have been hacked, but this fact is somewhat mitigated because iPhone and iPad users are less prone to unofficial markets.

Even the legitimate app markets might not be sufficient, however, according to Jon Clay, senior manager of core technology marketing for security vendor Trend Micro. He stated in an interview that criminals rely primarily on third-party app stores to propagate their schemes but that "quite a few malicious apps" have still infiltrated Google Play. He noted that Google Bouncer is a good step for the Android ecosystem but that it hasn't expurgated threats entirely.

Many businesses consequently "try to stay away from Android," according to Firstbrook. He suggested that this reluctance explains developers' preference for Apple's mobile OS, despite Android's larger user base.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio