In the overall landscape of enterprise information security threats, attacks against smartphones and tablets still barely register on the corporate radar for most European organisations. Windows-based malware still poses by far the biggest danger.
But times are changing. Smartphones and tablets have become must-have devices, and are inevitably capturing the attention of malicious hackers. For example, the creators of the notorious Zeus banking Trojan have created an Android version (Zitmo) because people now use their mobile devices for banking. The hackers simply followed the money.
Latest attacks on mobile devices
Antivirus vendor blogs constantly discuss the latest mobile device security risks. They point to some new virus or scam -- targeted usually at the Android operating system -- that is designed either to grab personal details about the user, or to send calls or messages to premium rate phone numbers.
Context Information Security
For example, Kaspersky Lab recently reported on the first Internet Relay Chat bot for Android which, for good measure, also comes with a root exploit and an SMS Trojan, providing the cybercriminal with a path to gain full control of the infected handset.
Trend Micro recently reported a malicious app that lures users into viewing pornographic videos and then pursues them for payment, generating a pop-up message every five minutes until payment is made.
Even Panda Software, which has tried in recent years to keep the mobile threat in perspective, now concedes there is a problem. “In 2012, there will be new attacks on Android, but it will not be on a massive scale,” wrote researcher Luis Corrons in a Panda Software report. “New mobile payment methods – via NFC [near field communications, a technology for mobile wallets] for example – could become the next big target for Trojans but, as always, this will largely depend on their popularity.”
Although the Apple App Store is tightly controlled, getting malware onto an Android device is a lot easier. All the criminal has to do is create an attractive-looking app, load it on to one of the unregulated Android market sites, and wait for the users to download it. In its forecast for 2012, Trend Micro noted it had detected more than 1,000 malicious Android apps by the middle of December 2011. “The average month-on-month growth rate for the second half of 2011 was more than 60%,” the Trend Micro report said. “If current trends hold, we may be able to see more than 120,000 malicious Android apps by December 2012.”
Security risks created by users
However, malware is not the biggest problem; it’s the users. According to new research by Dimensional Research and sponsored by Check Point Software Technologies, companies fear the carelessness of their employees far more than they worry about hackers.
More mobile device threats
Phone tracking and GPS data leakage
Mobile phone blended attacks
Survey highlights mobile application risks
The vendor surveyed 768 IT professionals in the US, UK, Japan, Germany and Canada, and asked them whether they felt having more mobile devices endangered their company’s security. According to the January 2012 survey report, entitled The impact of mobile devices on information security: A survey of IT professionals, 89% of respondents’ companies had smartphones or tablets connecting to corporate networks, and 65% allowed personal devices to connect to corporate networks. (In the UK, the survey found 61% of companies allowed personal devices to connect to the corporate network.)
Bring your own device (BYOD) is a growing trend, with 78% of respondents in Check Point’s survey saying the number of mobile devices connecting to their company network had more than doubled in the last two years.
However, 71% said mobile devices contributed to increased security incidents, and 72% said “careless” employees are a greater security threat than malicious hackers. (In the UK, 79% said careless employees are the greater security threat.)
In the Check Point survey, Apple iOS was the most commonly connected platform (30%), followed by BlackBerry (29%) and Android (21%). When asked about the highest risk, 43% rated Android as the riskiest platform.
The survey showed the most commonly held corporate data on mobile devices is email (79%), followed by business contacts (65%), customer data (47%), network login credentials (38%), and information made available though business applications (32%).
The survey also asked how respondents felt about the security of their organisation’s data on these mobile devices. The factors affecting the security of data on mobile devices included: lack of user awareness (62%), insecure Web browsing (61%), insecure WiFi (59%), lost or stolen devices (58%) and corrupt apps (57%).
Given the relatively low virus threat to mobile devices, Check Point’s survey results indicate the main danger comes from users who either don’t know how to use their mobile devices securely or don’t care. Mark Nicholls, lead consultant with London-based Context Information Security, said user awareness programmes are probably one of the best ways to increase security and help fend off new threats that are also bound to come along.
Nicholls said the dangers of granting permissions to apps they download should to explained to users. “Applications need to have a set of permissions to run,” he said. “But a lot of users will just go ahead and grant permissions to allow the app to send SMS messages or make calls, and that’s how they get infected.”
He also predicted quick response (QR) codes will increasingly be used by criminals to trick users into going to malicious websites, and said users should be warned about the dangers.
“For Android users certainly, user awareness in terms of understanding permissions and the source of applications is very valid,” Nicholls said. “Users should also be warned about the dangers of jailbreaking their phones, which opens them up to new vulnerabilities.”
This article originally appeared in the Spring 2012 issue of IT in Europe Security Edition e-zine.