A rising tide of sophisticated mobile malware threats

Much has been said and predicted about mobile security and the growing threat landscape. However, one thing beyond question is that mobile malware is maturing, placing it on par with threats faced by traditional computing.

The many types of mobile malware

Threats that have been typically associated with the PC environment are now evident in the mobile sphere.

Remote access tools aimed at both desktop PCs and mobile operating systems are becoming increasingly common and sophisticated. Many are sold complete with detailed instructions on how to use them and under different pricing models; some are even free.

And the most malign type of malware, ransomware, which locks users out of their device until the ransom is paid, is often wrapped up with a nebulous threat to scare victims into coughing up. Over the past year alone, Google Play has pulled hundreds of apps from its store for security reasons, often malware infections.

In short, mobile malware is here to stay and it’s only going to become more widespread.

No device is safe

The once impenetrable proprietary iOS has also become a target. Apple has pulled apps from its store mainly because of aggressive adware, but iOS-specific malware variants have also been detected, such as YiSpecter, KeyRaider, and XcodeGhost. In 2015, the US government’s National Vulnerability Database reported 375 Apple iOS vulnerabilities.

It’s potentially devastating because, at a general level, many organisations are still grappling with desktop PC security, let alone mobile devices. According to the US Identity Theft Resource Center’s Data Breach report, 2014 was an all-time high for data breaches, pipping 2015 by just two incidents. But to put this in context, in 2015 over 169 million personal records were compromised as the result of hacks. For sure, these are only the US figures, but they do provide a sense of scale on just how widespread the problem is. And it’s worth reiterating that this was the result of PC and server breaches.

New threats, old approach

The threat landscape has been allowed to grow exponentially in parallel with technology advancements over the last 25 years. However, our research indicates that enterprise security practices are unchanged in the face of rising mobile threats.

For instance, many enterprises are addressing personal cloud storage data loss risks by blacklisting consumer file-sync-and-share apps. But this is like playing whack-a-mole given that so many of these apps and services are available. In short, a blacklist policy will never catch them all.

What is required is a next-generation enterprise mobility management approach. For instance, rather than attempt to blacklist an ever-increasing number of personal cloud storage apps, it makes more sense to adopt an approach which is based on whitelisting what enterprise data can be disseminated to these apps.

That said, only a small number of enterprises are adopting this approach.

Set against this are further figures showing that, as of December 2015, one in 10 enterprises have at least one compromised mobile device and this figure is consistently trending upwards.

Next-generation protection

Next-generation enterprise mobility management is essentially a raft of tools that identify and manage device risks, covering the whole security gamut from compromised devices to patching and policy enforcement. This approach allows organisations to enforce compliance policies, quarantine devices that fall out of compliance, and ensure that OS updates are enforced on all managed devices.

Time to get real

It’s a dangerous scenario. We’re used to seeing large data hacks in the desktop computing environment and we all know how potentially devastating these attacks can be, with the effects ranging from CEOs falling on their sword to plummeting share prices, loss of trust, reputational damage, fines and lower revenues. However, if organisations persist in adopting an ‘old-world’ security approach to the mobile landscape, we can expect to see a spate of deeply damaging attacks. The irony is that it doesn’t have to be like this; tools and technologies exist that can provide robust defences against mobile-focused attacks.

Sean Ginevan, Senior Director of Strategy, MobileIron
