Mobile viruses are now nearly 400 strong in number and are expected
to multiply to roughly 1,000 by year's end, but it's not the number
of viruses out there that should have enterprises concerned, it's
the type of malware that's sparking fear.
According to George Tuvell, CTO of SMobile Systems, a designer
of mobile security applications, the number of viruses may be
startling on its own, but it's what these security threats set out
to do that is a real eye-opener.
Tuvell said it's not so much the malware of the past that
disables devices or some of their features and functions that are
cropping up, it's new versions of spyware and snoopware that give
hackers, or anyone willing to pay, access to critical and often
confidential information stored on the device and on the network
those devices connect to.
Some recently uncovered malware can steal contact information,
address lists, message logs and call logs. In some cases, the
malware can also be used to issue commands from the device, meaning
a hacker can have total control of a smartphone or mobile phone to
make calls and send messages.
Another form of third-party access that was recently discovered,
according to SMobile president Neil Book, is the potential for
hackers to record conversations by tapping into a device and using
the microphone to listen in.
"This is much more intrusive than what we've seen before," Book
said. "The old way was a nuisance; this is much more of a privacy
risk."
These new types of attacks open a great compliance risk, Tuvell
said, because they can open the door for information to be
stolen.
"Nobody wants that information hacked," he said. "Any
information you want about the user, you can get it and sell it to
someone who wants it."
Tuvell compared it to last year's discovery of the
BBProxy, a BlackBerry vulnerability that uses BlackBerry
devices as a gateway to gain access to the enterprise network.
One factor fueling the increase in the amount of mobile malware
and its volatility is the growth of improved network
infrastructures like 3G and 4G, which will increase the
connectivity of wireless devices, in turn creating the potential
for more vulnerabilities. Another factor is the emergence of mobile
banking and
m-commerce services, which could motivate virus writers and
hackers to exploit vulnerabilities in the infrastructure for
financial gain.
Along with the boost in volume of mobile malware, its complexity
will also swell. According to SMobile, mobile malware will soon
spread faster across the mobile network and it will be more
difficult to detect because of sophisticated virus-writing
techniques. Those issues, coupled with hackers looking to make
financial gains, pose a more serious threat to privacy and
identity.
"The industry is already seeing a movement toward these more
sophisticated threats," SMobile recently wrote in a paper outlining
the influx of mobile viruses. "Though most viruses to date have
been via text message, the last five months has seen an increase in
snoopware/spyware for mobile devices."
 | | | | | Regardless of somewhat simple
protection methods, Book said many companies are still unaware of
potential threats that are sitting right in their pockets or in the
palms of their hands.
Neil Book
presidentSMobile |
| | | | | |
| |
|
And no device is immune, Tuvell said. Viruses and malware have
been found that affect Java-based devices, BlackBerrys, Windows
Mobile devices and a host of others. Even the iPhone, which touted
itself as a closed system, has already fallen victim in the month
it has been on the mass market.
Despite the myriad threats, Book said there are some key
elements of mobile security that can protect against even the most
sophisticated attacks. Some are as simple as defending against
threats with antivirus and anti-spam software, firewalls and
encryption.
"Without those, it's easy to send out a virus and allow it to
propagate," he said.
Tuvell added that log-in and encryption mechanisms go a long
way, making any stolen data useless because it's unintelligible.
Also, being able to remotely wipe data from lost or stolen devices
aids in protection.
Regardless of some fairly simple protection methods, many
companies are still unaware of potential threats that are sitting
right in their pockets or in the palms of their hands, Book
said.
"There is very little awareness today in the market as to what
types of threats are out there," he said. "But I think awareness is
certainly starting to grow."
Book said more and more companies are inquiring about setting up
effective security policies and enforcing them across their
organizations. Policy combined with vigilance on the part of
carriers and service providers is a strong first step toward
overall mobile protection.
Book said a good deal of responsibility falls on the carriers
and device manufacturers to include security in their plans and
devices. "You wouldn't buy a car that didn't have any seatbelts,"
he said.
Tuvell agreed, but noted that many companies have multiple
carriers and service providers, and a plethora of different devices
deployed. A secure mobile infrastructure, along with user
awareness, is also necessary to stave off a large-scale attack
before it happens.
"[Enterprises] really need to consider how they manage devices,"
he said. "Since most companies have multiple carriers, service
providers and manufacturers, there needs to be an umbrella that
covers everything."