Mobile Malware: 4 Biggest Myths and How to Stay Safe

by Calyptix, April 8, 2016

Mobile malware is not your top security concern. But should it be? Probably not.

But believe this: smartphone malware is real

Viruses on Android and iOS are growing more common and dangerous. The days when you could blindly assume that a user’s smartphone was clean might be over.

Don’t think so? Read the four myths of mobile malware below.

Myth #1. Mobile malware is a problem only on Android

The overwhelming majority of smartphone malware is on Android. It’s far less common on Apple devices.

That’s why many people believe owning an iPhone and sticking to the App Store is enough to protect them. This is a myth.

The App Store was considered free of widespread malware – until last year.

In the second half of 2015, for the first time, two strains of iOS malware made it onto Nokia’s top 20 list of smartphone malware.

[Chart: Nokia top 20 mobile malware]

As you can see above, the threat of iPhone and iPad malware is real, but Android malware remains far more common.

Android apps are also more likely to behave recklessly.

For example, in an analysis of more than 315,000 apps, 11% of Android apps showed “high risk” behaviors, such as executing commands outside the sandbox and changing device configuration, compared to a tiny 0.2% of iOS apps, according to the Appthority Enterprise Mobile Threat Report Q1 2016.

[Chart: Android vs. iOS apps showing high-risk behaviors]

Appthority also reviewed the 150 most common enterprise mobile apps. A jaw-dropping 100% of the Android apps showed data leakage and privacy-invasive behavior, according to the report.

The point: Android apps tend to have more security risks than iOS apps, but iPhone users are no longer immune to the threat of a smartphone virus.

Myth #2. Mobile malware is only a problem with 3rd-party apps

Google Play and Apple’s App Store are the official sources of apps for their platforms. Apps from other sources tend to be riskier and more likely to behave like malware. But the official stores are not perfect.

Google Play has had malware problems for years and continues to do so.

Apple’s App Store had its first-ever widespread malware attack in September. Called XcodeGhost, the threat is a compromised version of Apple’s app development kit Xcode, which is used to make thousands of legitimate apps every year.

By tricking developers into using the hacked Xcode, the attackers infected hundreds of apps (some say it was more than 4,000) that were approved and made available in the App Store.

“Many of these apps had millions of installs,” according to Appthority’s mobile threat report.

XcodeGhost was just the first of several threats discovered in the App Store last year. YouMi, a third-party advertising development kit used by legitimate apps, was found in October to be collecting users’ personal information. Then in November, another advertising kit, later dubbed iBackdoor, was found.

Android is having similar problems. Just last week, Russian security researchers discovered a mobile trojan hidden in 100+ apps in the Google Play Store. It has been downloaded more than 3 million times, according to International Business Times.

Some smartphone viruses do not require the user to download and install an app. For example, strains have spread via SMS spam disguised as mail-tracking notices. Clicking a link in the SMS message led to infection, according to SC Magazine.

In short: the official app stores are the best source of mobile apps, but they are not free of malware. Infections can also occur outside of app downloads.

Myth #3. Mobile malware is mostly harmless

Much of mobile malware can be classified as “adware,” or unwanted software that aggressively delivers ads and notifications. Adware also tends to collect data about victims without their consent.

Since mobile malware is typically less dangerous and less common than PC malware, some believe it’s hardly a threat at all.

For example, according to Verizon’s 2015 Data Breach Investigations Report, if occurrences of “low-grade” malware (such as adware) are removed from its research data, then the number of infected mobile devices drops to a measly 0.03%. That’s 3 smartphones out of every 10,000.

Well, that’s not so bad, right? Not exactly.

Verizon’s report – though authoritative – is based on 2014 data. The threat of dangerous mobile malware remains small in 2016, but more recent research suggests it is rising.

For example, look at the most common types of mobile malware shown in this chart from Nokia’s Threat Intelligence Report H2 2015:

[Chart: Nokia top types of mobile malware]

As you can see, data theft, spying, and command-and-control are far more common than petty aggressive advertising. And these are not behaviors you want to see in your user’s smartphone.

Data loss that is limited to a single smartphone virus may not seem dangerous, but consider spear-phishing campaigns.

The details gleaned from a mobile malware infection, such as a person’s schedule and recent emails, can be used to color an email with convincing details. One click and the user’s workstation (and the company’s network) are infected.

Ransomware – the nasty malware that encrypts a victim’s data and holds it hostage – is also on the rise in mobile.

Kaspersky saw a 5x increase in mobile ransomware attacks last year. Thankfully, the Nokia report suggests that many of these infections can be removed and that they do not actually encrypt the victim’s data.

Myth #4. The rise of mobile malware is years away

The threat of mobile malware remains small, but it is growing rapidly, even exponentially depending on who you ask. The rise has begun.

Several companies tracked huge jumps last year:

  • New Android malware grew 342% in 2015, according to Nokia (see chart below)

[Chart: Nokia mobile malware volume, 2015]

Nokia also found that smartphones account for 60% of infections on mobile networks. Many other infections are on PCs that use the mobile network through a dongle or tether.

PC malware is a far greater problem than mobile malware, but malicious code on tiny devices will continue to grow in size and capability in the months ahead.

How to avoid mobile malware

If you’re an IT provider or a network admin, education will be your best weapon to combat this threat. Give a few tips to your users:

  • Always update the operating system and apps when a patch is available
  • Ignore download suggestions; if you’re not looking for an app, don’t install it
  • Uninstall apps that you do not need or no longer use
  • Only download apps from trusted sources (i.e., Google Play and Apple’s App Store)
  • Do not root or jailbreak a device
  • Consider installing a security app with anti-virus and other security features
  • Never click links in suspicious SMS messages, emails, websites or ads

Of course, you should also separate your high-value assets from untrusted devices (such as employee smartphones) on your network with segmentation. Also set and enforce BYOD policies, and use outbound filtering to block connections to malicious hosts.


Related resources

3 Simple Rules to Stop Malware

Mobile VPN in AccessEnforcer from Calyptix

Appthority Mobile Threat Report Q1 2016

Nokia Threat Intelligence Report 2H 2015 (pdf)

2016 Predictions for Small Business Cyber Security (Part 1 of 2)

Verizon Data Breach Report 2015: Top 10 Charts and Summary

2 Comments


    • Don
    • April 19, 2016

    Please add social share buttons to your blog. I know several people I'd like to share this with.

      • Adam Sutton
      • April 19, 2016

      Hi Don -- You should be able to use the sharing buttons that are just above the comments section, under "Share this post". Let me know if you still have trouble.
