Over the course of 10 years, Grayson Milbourne has watched cyber threats evolve from the PC environment into the hands of nearly billions of mobile users. The director of security intelligence for Webroot says, “This is largely driven by user behavior: we are using our mobile devices much more than our traditional desktop environments. That’s definitely noticed by the cybercrime community and it follows the user activity.”
Apps everywhere for everything have been the driver of the massive increase in utilization of smartphones on the personal side, changing the behavior, expectations and confidence of the user. With more apps for banking, shopping, social media and communication, for example, the amount of information hackers can gain has also increased. All these devices are then being brought to work, compounding the risk for the enterprise.
Webroot’s 2014 Mobile Threat Report analyzes more than 7.8 million mobile apps; the data for the report is derived from its internal mobile threat analytics process, according to Milbourne. He says the first malicious mobile apps were discovered in 2010 and that, year over year, there has been triple- to quadruple-digit growth in new ones.
The Webroot Mobile App Reputation Service categorizes mobile apps into six risk-based groups: malicious, unwanted, suspicious, moderate, benign and trustworthy. Experts generally agree that Apple has done a better job of protecting users with its tighter control over the app publishing process, whereas Android is much more open.
Milbourne says, “It’s very simple to install an app from any source other than Google Play, which has ultimately led to a larger, exploitable surface area for distribution of apps for Android.” This was evident in the report, which found 38% of Android apps benign versus 92% of iOS apps.
Even relying on trusted sites may prove futile, however, as he explains there has been an emergence of “remote access Trojan tool kits.” Using such a kit, malicious code can be bound onto a trusted “benign” app, which turns it into a threat.
Detecting and removing malicious apps is essential to any mobile security solution; however, taking steps to understand the fine details and granular nature of the attacks is key to preventing future breaches, states the report.
Looking back to the days of computer viruses, their initial purpose was to cause havoc, but users were frequently able to realize when their machine was compromised: slow performance, bizarre pop-ups, the dreaded blue screen, etc.
“That mentality has changed,” Milbourne says, “since the realization that there is a lot of money to be made.” Plus, on a smartphone the user is likely to be unaware if the device is infected as most of the malicious apps today are designed that way.
For example, there won’t be an app icon in the application tray, so the app runs as a service listening in the background. Milbourne says that the threats seen against mobile devices are tailored to the types of data they are capable of collecting.
Cyber criminals also target times when the user might be asleep, and try to build a pattern of when the device is plugged in or not and when usage is high or low. The malicious app seeks to exploit the downtime to perform the malicious activity. This method of avoiding detection is common, according to Milbourne.
So what should a user do? Whose responsibility is it to protect data? The manufacturers? The app developers? The users? The enterprise? All play a key role, according to Milbourne, but he cautions that users need to understand there are risks involved anytime a new app is installed. Plus, attacks can function through web browsers, so anti-virus protection should be installed on the device, just as in the days of the PC.
From a business perspective, “The big problem within the enterprise today is that employees are bringing their own devices to the office, and then connecting them to corporate infrastructure. And this is often being done without the standard security that is applied to any corporate-owned device,” he points out.
Consumer-grade apps that are less trustworthy are, of course, also coming with the devices, and IT may not even be aware. “Corporate data that is on the device might be leaked to some third party; this is a big threat. It is this lack of control that is ultimately very concerning to enterprises,” says Milbourne.
He believes it’s just a matter of time before a big breach is tied back to a C-level executive’s device, which happened to be infected and had the widest access to corporate information and the network. Milbourne says, “This foot in the door will lead to a larger compromise.”
The report states, “Users and system administrators should be armed with the most up-to-date information on the risks and security issues currently facing the deployment and use of mobile devices. As employees continue to use their own devices for work purposes, greater threats are introduced into the workplace, leaving company data, and the networks these devices access, at risk. Users and system administrators must be educated on the threats currently facing their enterprises, and the security solutions that can be put into place to defend against them.”
Milbourne says, “I always like to start with employee education because it is the cheapest and most effective form of improving your security and of driving awareness of proper use. We advocate for that all the time, but its actual practice is a little trickier.” Smaller organizations struggle to even create policies in the first place (they may not even consider themselves vulnerable), but even for companies that do, he often sees that policies omit the education component.
Here are a few “smart things” he suggests to improve security:
Use a strong lock screen: not a 4-digit PIN or a swipe screen, but an 8-digit PIN, to make it much more difficult to break into the device.
Utilize lost device protection (LDP) services. While data protection is a priority for any user, the same careful consideration must be given to devices themselves.
Ensure that there are policies that stipulate what happens to the device if it is lost or stolen.
Only install apps from trusted sources such as Google Play and iTunes.
Pay very close attention to permission requests from any new app installations.
The enterprise will never be able to keep up with emerging threats on its own. A combination of third-party solutions and internal policy is absolutely necessary in mobile security.