Is 2012 finally THE YEAR of mobile security threats?

By | January 09, 2012

Posted in: Network Security Trends

I’m conditioned to ignore the torrent of annual New Year’s information security predictions, most of which are blatantly self-serving vendor pitches (an encryption vendor predicting a rise in big data breaches, an AV company wringing hands over the explosive growth and increased sophistication of malware, yadda, yadda). Year-of themes are quite popular: “The Year of PKI,” “The Year of NAC,” etc. One of my favorites has been “The Year of Mobile Malware.”

The mobile malware specter, which has loomed large for years, mostly in the FUD of security companies, has final taken on corporeal form. A lot has changed since McAfee ominously forecast 2006 as THE YEAR (it wasn’t) and some security analysts expecting smartphone malware to become pandemic, even surpass Windows PCs as the prime exploit vector years ago (it didn’t and most likely won’t, at least not in the foreseeable future).

So, when several mobile malware-related predictions headlined Verizon’s ICSA Labs hit list of 13 hot security threats to watch out for in 2012, I took notice, in part because Roger Thompson, one of the sharpest experts on malicious code in the world, has recently come on board as emerging threats researcher.

“It [mobile malware] was not that big an issue in the last few years,” says Thompson. “But it is now. The main thing that people need to understand is that mobile malware, particularly on Android, is on the rise.”

In past years, security vendors, when asked why an enterprise should spend money on the latest release of their smartphone security, they’d site “the rising incidence of mobile malware” – but the numbers and impact were still paltry, particularly as the annual proliferation of unique malware samples aimed largely at PCs became astronomic. When pressed, the response was generally, “It’s only a matter of time.” So, we waited.

No more. Smartphones are becoming increasing fertile turf for cyber criminals. Well over half of U.S. adults under 44 own smartphones, according to a Nielsen Company survey, and penetration in older age groups is rising rapidly.

The numbers are still modest in the overall malware landscape. McAfee, which predicts we’ll have seen 75 million unique malware samples in 2011, notes that while Android malware, which accounts for nearly half of smartphone malware, has more than quadrupled from Q1 to Q3, but the number was still fewer than 100.

Android, has been dramatically gaining market share, largely at the expense of Microsoft and Research in Motion (more on RIM in tomorrow’s blog), according to Nielsen. However, Android, unlike Apple and Microsoft,  is notorious for its failure to vet new smartphone apps; as a result, Google has had to pull bunches of malicious applications this year, more than 80 after discoveries in June and July, and 22 in December.

“Any platform, in order to have malcode written for it, has to be widely adopted and easy and cheap to develop for – a low cost of entry for bad guys,” Thompson says. He predicts that we’ll start to see application scoring services that warn enterprises and users if an app is potentially dangerous.

While rogue applications, rather than web browsing, will likely be the primary infection vector, Thompson notes users are more likely to browse the web than in the early days of smartphones, so drive-by downloads are a possibility. (Most major sites have smartphone-optimized versions now.)

Criminals are already starting to exploit online banking, with malware such as Mitmo, a variant of the widespread and distressingly successfully Zeus banking Trojan.

Even in relatively small numbers, mobile malware can do a lot of damage.

“The numbers will still be small compared to Windows malware, but might do a lot more damage if no one is prepared,” Thompson warns.

Best advice? Don’t install any applications you aren’t sure of; don’t try to “jailbreak” your phone. That, Thompson notes, “is just dumb.”

Sounds simple, but outside of highly restrictive security environments, enterprises have done a poor job of controlling what applications go on their users’ PCs. White-listing, a very effective security technique, is rarely employed and often seen as counterproductive from a business perspective. Now consider the BYOD (bring your own device) smartphone environment. Good luck with that.

The message is that if this isn’t THE YEAR, it’s certainly the year to start taking serious notice of smartphone security. If you haven’t begun incorporating smart phone security into your policies – do it now.


You May Also Be Interested In: