Mobile malware is not your top security concern. But should it be? Probably not.
But believe this: smartphone malware is real.
Viruses on Android and iOS are growing more common and dangerous. The days when you could blindly assume that a user’s smartphone was clean might be over.
Don’t think so? Read the four myths of mobile malware below.
Myth #1. Mobile malware is a problem only on Android
The overwhelming majority of smartphone malware is on Android. It’s far less common on Apple devices.
That’s why many people believe owning an iPhone and sticking to the App Store is enough to protect them. This is a myth.
The App Store was considered free of widespread malware – until last year.
In the second half of 2015, for the first time, two strains of iOS malware made it onto Nokia’s top 20 list of smartphone malware.
As you can see above, the threat of iPhone and iPad malware is real, but Android malware remains far more common.
Android apps are also more likely to behave recklessly.
For example, in an analysis of more than 315,000 apps, 11% of Android apps showed “high risk” behaviors, such as executing commands outside the sandbox and changing device configuration, compared to a tiny 0.2% of iOS apps, according to the Appthority Enterprise Mobile Threat Report Q1 2016.
Appthority also reviewed the 150 most common enterprise mobile apps. A jaw-dropping 100% of the Android apps showed data leakage and privacy-invasive behavior, according to the report.
The point: Android apps tend to have more security risks than iOS apps, but iPhone users are no longer immune to the threat of a smartphone virus.
Myth #2. Mobile malware is only a problem with 3rd-party apps
Google Play and Apple’s App Store are the official sources of apps for their platforms. Apps from other sources tend to be riskier and more likely to behave like malware. But the official stores are not perfect.
Apple’s App Store had its first-ever widespread malware attack in September. Called XcodeGhost, the threat is a compromised version of Apple’s app development kit Xcode, which is used to make thousands of legitimate apps every year.
By tricking developers into using the hacked Xcode, the attackers infected hundreds of apps (some say it was more than 4,000) that were approved and made available in the App Store.
“Many of these apps had millions of installs,” according to Appthority’s mobile threat report.
XcodeGhost was just the first of several threats discovered in the App Store last year. YouMi, a third-party advertising development kit used by legitimate apps, was found in October to be collecting users’ personal information. Then in November, another advertising kit, later dubbed iBackdoor, was found.
Android is having similar problems. Just last week, Russian security researchers discovered a mobile trojan hidden in 100+ apps in the Google Play Store. It has been downloaded more than 3 million times, according to International Business Times.
Some smartphone viruses do not require the user to download and install an app. For example, strains have spread via SMS spam disguised as mail-tracking notices. Clicking a link in the SMS message led to infection, according to SC Magazine.
In short: the official app stores are the best source of mobile apps, but they are not free of malware. Infections can also occur outside of app downloads.
Myth #3. Mobile malware is mostly harmless
Much of mobile malware can be classified as “adware,” or unwanted software that aggressively delivers ads and notifications. Adware also tends to collect data about victims without their consent.
Since mobile malware is typically less dangerous and less common than PC malware, some believe it’s hardly a threat at all.
For example, according to Verizon’s 2015 Data Breach Investigations Report, if occurrences of “low-grade” malware (such as adware) are removed from its research data, then the number of infected mobile devices drops to a measly 0.03%. That’s 3 smartphones out of every 10,000.
Well, that’s not so bad, right? Not exactly.
Verizon’s report – though authoritative – is based on 2014 data. The threat of dangerous mobile malware remains small in 2016, but more recent research suggests it is rising.
For example, look at the most common types of mobile malware shown in this chart from Nokia’s Threat Intelligence Report H2 2015:
As you can see, data theft, spying, and command-and-control are far more common than petty aggressive advertising. And these are not behaviors you want to see in your user’s smartphone.
Data loss from a single smartphone virus may not seem dangerous, but consider spear-phishing campaigns.
The details gleaned from a mobile malware infection, such as a person’s schedule and recent emails, can be used to color an email with convincing details. One click and the user’s workstation (and the company’s network) are infected.
Ransomware – the nasty malware that encrypts a victim’s data and holds it hostage – is also on the rise in mobile.
Kaspersky saw a 5x increase in mobile ransomware attacks last year. Thankfully, the Nokia report suggests that many of these infections can be removed and that they do not actually encrypt the victim’s data.
Myth #4. The rise of mobile malware is years away
The threat of mobile malware remains small, but it is growing rapidly, even exponentially depending on who you ask. The rise has begun.
Several companies tracked huge jumps last year:
- New mobile malware overall tripled in 2015, according to Kaspersky
- New Android malware grew 342% in 2015, according to Nokia (see chart below)
Nokia also found that smartphones account for 60% of infections on mobile networks. Many other infections are on PCs that use the mobile network through a dongle or tether.
PC malware is a far greater problem than mobile malware, but malicious code on tiny devices will continue to grow in size and capability in the months ahead.
How to avoid mobile malware
If you’re an IT provider or a network admin, education will be your best weapon to combat this threat. Give a few tips to your users:
- Always update the operating system and apps when a patch is available
- Ignore download suggestions; if you’re not looking for an app, don’t install it
- Uninstall apps that you do not need or no longer use
- Only download apps from trusted sources (i.e., Google Play and Apple’s App Store)
- Do not root or jailbreak a device
- Consider installing a security app with anti-virus and other security features
- Never click links in suspicious SMS messages, emails, websites or ads
Of course, you should also separate your high-value assets from untrusted devices (such as employee smartphones) on your network with segmentation. Also set and enforce BYOD policies, and use outbound filtering to block connections to malicious hosts.