New Risks: App Stores and BYOD

The threats of malware on mobile devices and operating systems (OSs) have been reported numerous times in the past year. Mobile devices in the past used to each have their own OS developed for each individual device but as we start to see the mobile industry coalesce under a few major flags, hackers and malicious applications now have a larger target with more devices running the same OSs. Security software companies like McAfee, Sophos, and Kaspersky are all expecting 2013 to be a year were mobile malware becomes a prominent threat to mobile devices.

Lately, the discussion about malware on mobile devices has been centered on Android devices due to the proliferation of some highly publicized cases in 2011 and early 2012. The truth about malware on mobile devices is pretty simple: malware exists or has existed in both Google and Apple (the current mobile software leaders) ecosystems. However, there are some common denominators for infection and definitely some best practices for users to avoid being on the receiving end of a malicious attack.

The good news is that currently most of the malware that has been found on devices are made to annoy, advertise, or skim smaller amounts of money from users. A lot of cases involve sending pay-per-text messages to a service or downloading contacts and spamming them with advertisement emails. This is annoying and may cost a little money but it beats having your identity stolen or infecting your entire work infrastructure. Malware on mobile hasn’t become mainstream as of yet and hackers are still trying to figure out how best to profit from their development.

However, smart phones and tablets are becoming a hard target to ignore as the mobile space continues to gain traction and more internet traffic originates from portable devices. The always-connected nature of these devices combined with the inclusion of numerous sensors enables new services that add value to the end-users. These same characteristics are also capable of providing a plethora of valuable information to hackers and phishers (hackers who try to acquire information by posing as a trustworthy entity). The inclusion of new technologies like near field communications (NFC) and quick response (QR) codes also present new entry points for gaining access to a device.

The next logical step for the internets’ underbelly is to ramp up production and dissemination of more advanced malware. They have been testing the waters and refining their strategies to make a big push into the mobile world. Right now the app stores that serve content for their respective OSs are the big gatekeepers stopping ill-intentioned applications from commandeering your device.

Fortunately, mobile malware hasn’t advanced to the point where it can side-step app store security in a meaningful way or affect businesses like phishing information within an enterprise network. Most malware is currently introduced when users side-load (installing apps from unofficial sources) applications. This makes it much easier to avoid infection and these types of trojans are restricted to relatively little data and risk. This gives users and companies a little time to get out ahead of the hackers and develop strategies and habits to stay secure.

The proliferation of malware on mobile devices has mainly occurred in Asia where there are numerous third-party app stores that don’t vet the applications submitted with the same standards as Google or Apple. The two main iOS threats, Ikee and Duh, were both only able to gain access to devices that were jailbroken (hacked by users to allow for custom applications). Google has an automatic bouncing system in their app store that proactively scans applications that are submitted, retroactively removes nefarious applications from their stores when they are identified, and locally scans side-loaded applications on the device before installation.  Basically, malware has mainly been able to gain access only to devices that have been modified or through users trying to load free alternative software.

This makes it relatively easy to sidestep infection. Make sure to only download applications through your device’s official app store and never root, jailbreak, or side-load applications. Also make it a habit to check the comments and ratings of each individual app that you are thinking of installing to make sure that it has been rated and used frequently without issue.

It’s only a matter of time until hackers begin developing more complex malware that can impact or inject other code into larger connected networks or phish much more sensitive data from users and the networks they are connected to. It is important to be aware of the new online security threats and develop the habits and protocols necessary to combat mobile malware before it becomes an issue.

Tags: Cloud Computing,Data Center,Technology