Tips & Tricks

The Escalating Threat of Mobile Malware

Here at TrainingU we are very aware of the security risks relating to the use laptops and desktop computers.  The clients we work with are equally as aware and obviously use Firewalls and Anti-Virus software, as do we, on all of their IT equipment to minimize the risk of any security  compromise.

Their staff recognize the  importance of adhering to security rules and procedures, such as not clicking any suspicious looking hyperlinks, and how important it is to not disclose passwords or security information to any unknown or suspicious source.  This has become common practice in this modern age.
So, why don’t we do the same with mobile devices?  After all, we use them to do our online banking and shopping and access our emails, whether personal or business, and these devices are fast replacing laptops and desktops as our preferred method of browsing the web, so they are a potential target for fraudsters in the same way as any other computer system.
What a lot of people seem to forget is that a mobile device is a mini-computer and, other than having one stolen, is at risk of being  infected by Mobile Malware.  According to F-Secure,  a global leader in providing security as a service through operators, mobile malware threats have jumped 26% in the third quarter of 2013.  And, the threat is forecast to rise considerably.
This is a very worrying statistic for organisations supporting a large number of mobile devices across their work force, whether corporately issued or home-owned (BYOD), and so it’s imperative that the risk of malware infection is minimised.  So, what can we do?
Well to start with, let’s look at what Mobile Malware means.  Short for Malicious Software, it targets mobile devices and has the main objective to reproduce itself and spread to other devices in order to destroy the operating system and to leak confidential information.  Creating malware has become easier for fraudsters, with new toolkits available which simplify the process of inserting malicious code into legitimate apps, whether as worms,  Trojan/Viruses, Phishing Apps or Spyware/Adware.
Spotting if a mobile device has been attached depends on the type of infection and can range from unwanted behaviours, such as stability issues and degeneration of performance through to relaying personal information to third parties and sending premium-rate text messages.  Bank account passwords can be stolen, private information captured and phone/mobile device data deleted so, although on a personal level it can be quite disastrous, think about the impact to at a corporate level.  Yet, few organisations have a mobile device management system in place to control what employees can and can’t do with their devices, such as what they install, or if the devices are adequately locked.
Malware is generally distributed through the internet via browsers or downloaded from app stores.  There’s malware targeting every mobile platform although the main victims are Google Android users.  Out of 259 new threat families and variants discovered in Quarter 3 or 2013, 252 were Android and 7 Symbian (none were recorded on other platforms such as Blackberry, Apple’s iOS and Windows).
Why is Android more popular for Malware than any other operating system?  Well, it could be down to the Android’s popularity, with more than 1 million activations per day and holding 79.3% market share worldwide in mobile phones and tablet devices.  It could also be down to the way apps are offered and the control that vendors have over the marketplace for development and distribution of apps.  Apple do not host apps on the App Store until they have been fully vetted and so has prevented widespread malware infection of iOS users, and it doesn’t make API available to developers ensuring the operating system has fewer vulnerabilities.  Although Google introduced security measures to the Google Play store, some threats have been beyond even the scope of Google Play’s security measures.
But, don’t be fooled into thinking that other operating systems are free from risk – in 2011, a hacker pleaded guilty to stealing data from more than 100,000 iPad users!
So, if your organisation supports a number of mobile devices, what can you do to minimize the different risks to security of both the company and the individuals?

Downloading Apps

Make sure that any apps are downloaded from official stores only, such as Apple’s App Store or Google Play.  Everyone within the organisation should be made aware that apps or games can be malicious and check that, if using an Android device, the default setting of blocking the installation of apps from any other source than the Play Store is enabled.   Encourage every user to research apps before purchasing them – who’s the developer, what’s their reputation, read the reviews and end user agreements before clicking ‘Buy’.  Apps should provide you with ‘permissions’ when installing for the first time – consider if these settings are reasonable.  For example, stating that text messages will be sent from your phone via the app may not be necessary and could cause problems.

Keep device operating systems up to date

Updates of the operating system often  include security fixes which protect the device from being vulnerable to potential, new hacking attempts.

Secure the device

The risk of losing the device is still greater than the risk of being infected with malware and so it is imperative that the device is protected with a passcode, password or pattern (depending on the type).  Research shows that 10% of Apple iPhone users have a pin code of 0000 or 1234 – make it something memorable for you, but difficult for a hacker to guess.

Consider the risks of surfing over an insecure Wi-Fi network

Thought should be given to the Wi-Fi connection used to surf the net or access company data.  Wi-Fi networks are insecure and the data could be exposed to malicious users looking at the wireless traffic.  In particular, online banking and shopping should never be accessed through a public Wi-Fi connection.

Set up anti-theft protection

Most devices offer some form of anti-theft protection.  For example, the ability to remotely wipe data from the phone if you think it has been stolen and you won’t get it back.

Prevent Jail Breaking

This is the process of removing the security features from the mobile device which are imposed by the operating system vendor, so that full access to the operating system can be gained.  Jail breaking puts the mobile device at considerable risk of downloading infected or fake apps.  Ensure that everyone within the organisation knows that jail breaking is not acceptable practice.

Finally, as a company, consider putting a policy in place to protect the mobile devices, whether corporately or privately owned – this should list the suggested practices and policies in order to keep the business compliant with regulatory requirements whilst having more control over what employees can and can’t do with their devices.

To read the full report  by F-Secure into the threat of Mobile Malware, go to: