While smartphones are garnering more attention from the cybercriminal community, most users are not aware of the risks. However, the security industry is struggling to develop tools to defend these devices, a panel of experts said on Wednesday at RSA Conference in San Francisco.
For years, members of the information security community have warned that smartphones will increasingly be targeted by cybercriminals as they grow more ubiquitous, said panelist Marcus Sachs, vice president of national security policy at Verizon. Even though mobile malware has been discovered in the wild, many argue that it does not pose a significant threat right now.
But recent history proves that other long-predicted threats – such as attacks targeting critical infrastructure systems – have materialized, Sachs said.
“Our adversaries are entrepreneurs,” he said. “And they are just as mobile as we are.”
Smartphones are appealing to cybercriminals because they contain vast amounts of data and are always connected to the internet, said panelist Joseph Opacki, technical program manager of the FBI's malware analysis program.
The threat of mobile malware was recently highlighted by a team of researchers, including from the University of Hong Kong and Indiana University in Bloomington, who developed a trojan dubbed Soundminer that can monitor a user's phone calls and steal credit card numbers that are spoken during a conversation or entered into the phone's number keypad. The trojan, which targets phones running Google's Android platform, shows that the threat of mobile malware is real, Opacki said.
Meanwhile, panelists agreed that mobile applications are one of the greatest threat vectors for smartphones.
“Even though we say this is the year of the mobile threat, people are still downloading any app they want,” said panelist Adam Meyers, director of cybersecurity intelligence at IT services and solutions consulting firm SRA International.
Also, mobile web browsers and operating systems contain vulnerabilities that could be exploited for malicious purposes, panelists said. Users may begin to encounter malware that exploits these weaknesses via drive-by-download on mobile websites, Meyers warned.
Despite the threats, most users don't even think about smartphones as mobile computers or consider the risks posed by these devices, Opacki said.
“You think you're secure, but mobile devices are the next target for malware writers,” he said.
Because smartphones are essentially full-fledged computers, organizations need to secure them with the same level of protection afforded to PCs, said panelist Winn Schwartau, chairman of smartphone security firm Mobile Active Defense.
But part of the problem is that technological innovation is moving quicker than security, and vendors are struggling to develop technologies that can protect mobile devices from malware, Meyers said. The market for enterprise-grade smartphone anti-virus solutions, for example, is largely nonexistent, panelists said.
In the meantime, organizations should question whether to support new devices and consider the risks before doing so, Sachs said. Also, user education is extremely important and organizations should ensure employees are conscious about what they do online.