At the beginning of the year, Justin Somaini gave his cybersecurity colleagues a call to arms that cited the rising threat of mobile malware. “We're now free to work on any device, in any location, and with anyone around the world,” the chief trust officer for Box, the Los Altos, Calif.-based cloud computing giant, wrote in his mid-January blog post on the company's website. “The gains from these new technologies have been massive, from life sciences companies advancing drug research to manufacturers working with a global supply chain. But these benefits have come with a cost.”
Somaini, who held top IT security spots at Yahoo, Symantec and Verisign before coming to Box, sees the current and growing issue of malware on corporate mobile devices as a top concern for his fellow cybersecurity officers: “If we look back over the past 40 years in technology, we have seen this movie before,” he says. “We are starting to see [mobile] becoming a sizable foothold for malicious individuals with the huge upswing in mobile device usage in the past two years.”
Randy Abrams, research director, NSS Labs
Mobile malware has indeed become a grave concern for security pros. Last year, we saw multiple new attacks on both Android and iOS devices, namely WireLurker which attacked (supposedly more secure) non-jailbroken iOS devices. Mobile devices are ripe for attack for many reasons: They often hold user credentials for applications and websites. They're used for out-of-band authentication. They are almost constantly connected to the internet. And they have audio and video recording capabilities. For high-profile targets, these devices are a treasure-trove of information. And mobile platforms typically do not receive the same level of anti-virus or intrusion prevention monitoring as do desktop systems. An infected phone could go unnoticed for months – while monitoring the user and stealing their data.
As John “Rick” Walsh, mobile lead for cybersecurity for the U.S. Army, points out, “Mobile malware is easy to develop and the number of untrained developers are making it easy to exploit.”
Indeed, according to a recent research report from Alcatel and Lucent's Kindsight Security Labs, 15 million mobile devices are infected with malware (about six out of 10 of those devices run Android). The research found that more and more of these malicious applications are being used to spy on device owners, stealing their personal or business information and pirating their data minutes. Mobile infections increased by 17 percent in the first half of last year, raising the overall infection rate to 0.65 percent by late 2014. Between mid-December 2014 and mid-January 2015, network security firm Ixia uncovered more than 400 malware incidents among its own clients, most of those on Android devices, according to Dennis Cox, the firm's chief product officer. In the same one-month period, the company found only 27 new malware exploits on clients' traditional PCs, he says. “And I don't know a person who doesn't use their phone for work,” Cox adds.
Meanwhile, market research firm Lookout pointed out that while mobile malware is on the rise, we have yet to see how bad it could really get, especially with the introduction of chargeware and ransomware – aimed at bilking money from mobile users and potentially their employers. Mobile malware was spotted 75 percent more last year than in 2013, according to Lookout's research, with a global user base of 60 million mobile subscribers. Mobile-targeted ransomware, such as ScarePakage, ScareMeNot, ColdBrother and Koler, became much more popular in the U.S. last year and Lookout predicts increasingly sophisticated new threats to come this year.
Aside from the rising uptick of mobile devices for business and personal use, why do malware authors have mobile devices in their crosshairs?
“Mobile malware has been becoming more prevalent since 2013 and possibly even earlier,” says Neal Ziring, technical director for the information assurance directorate at the National Security Agency (NSA). The main reason it's becoming so prevalent is that the value is moving to mobile devices, he says. As more people are starting to use their smartphones and tablets for work – in many cases, using their own personal devices – hackers and information thieves are drawn to the enterprise email and access to other valuable information on or retrievable through these devices.
While Ziring says that malware on legacy desktop platforms has not gone away, mobile malware is particularly concerning because of the rapid growth of the threats and because the detection and counter-measures to combat malware on mobile are not as well-established as they are on more traditional platforms. “That's an area for the industry that is improving rapidly,” Ziring says, “but it still has a ways to go.”