To developers, advertising frameworks may just be another way to make money from their free applications, but in at least one case -- dubbed "Vulna" by security firm FireEye -- the library has functionality that allows attackers to steal private data from a targeted phone and opens vulnerabilities that could be exploited by hackers.
The library, which FireEye has declined to name until its developer fixes the problems, underscores the dangers that mobile users and their companies will increasingly face. As smartphones and tablets become an essential part of information workers' tool sets, cybercriminals and digital spies have targeted the mobile devices to gain access to business data. Careful users who download mobile apps from well-vetted app stores are unlikely to encounter malware, but times are quickly changing, and targeted attackers will focus more heavily on mobile devices, says Manish Gupta, senior vice president of products for FireEye.
"Fundamentally, we believe that hackers have no restrictions on what they use for an infection vector -- they use what works, so mobile will be an increasing vector of choice," he says.
While malware has not become as pressing a threat on mobile devices as on personal computers, Vulna is not the only mobile vector that FireEye has found inside business networks. In another case, the company found a mobile application designed to access a device's calendar and turn on the phone's microphone during meetings, Gupta says.
To be ready for the inevitability of mobile malware, companies need to put limitations on their users, says Chet Wisniewski, senior security adviser for software security firm Sophos.
"When you allow those mobile devices to connect in, be very specific about what you are allowing them access to -- don't just throw them on the LAN with all your laptops and desktops," he says. "We have too much of a habit in our LANs to allow devices, once they are in, to access everything."
In addition, businesses should use mobile device management (MDM) software to limit users to downloading apps only from the major app stores. While the app stores, especially Google Play, have hosted malicious apps, Google, Apple, and others do a good job of taking down malicious apps once they are found, Wisniewski says.
Companies should not stop at mobile device management either, says Patrick Foxhoven, chief technology officer of cloud-security firm Zscaler.
"If you want visibility into what apps are on the devices and what communications are coming from the devices, and you don't want to manage the device, then you need to do security through the network," he says.
Zscaler, which uses its security-proxy approach to detect malicious traffic, lets companies avoid the sticky questions of managing an employee-owned device and instead focus on the part of the infrastructure that belongs to them: the network and the data.
Yet attackers can use encryption to get around such network-based defenses, says FireEye's Gupta. The company's virtual machine allows companies to analyze potentially malicious files and programs to catch malware. Rather than try to catch the attacks on the networks, FireEye -- which announced a new service aimed at mobile devices -- waits for the program to take a suspicious action. Companies need to find the threats, and that requires analyzing the applications that employees are downloading to their devices, he says.
In another malicious mobile app, for example, the user has to reach level 17 in a game before the malicious payload executes, says Gupta.
"You have to play the game," he says. "A static-analysis environment would not detect it, and if you are in dynamic-analysis mode, you would have to get it to execute the entire execution space."
Whichever approach a company decides to take, it should consider the question of mobile malware soon, he argues. While mobile attacks are just starting to take off, attackers will increasingly investigate the possibilities, and companies need to be prepared.