Cyber criminals are beginning to use mobile platform-seeking malware, according to web traffic filtering firm Websense.
Security researchers are increasingly seeing this code that identifies a mobile platform in order to target its vulnerabilities, said Carl Leonard, senior security research manager at Websense.
This code is found in compromised or malicious mobile applications, which are emerging as a new attack vector, especially in apps distributed through 3rd party app stores, he told Computer Weekly.
"Mobile apps are a powerful malware delivery method as most users are willing to allow apps to do anything to get the desired functionality," he said.
Security researchers are reporting a rapid evolution of mobile malware from the premium text message generating code that appeared about six months ago to the new data stealing apps.
This is particularly bad news for businesses that allow bring your own device (BYOD) schemes, said Leonard, as mobile malware is easily modified to steal data such as names, email addresses and phone numbers.
"The problem is that most of these devices do not even have anti-virus protection, yet they are being used to access corporate email and other systems," he said.
Malicious mobile apps are easily modified and compiled, he said, demonstrating how cyber criminals can add malicious data-stealing functionality that is invisible to the user with a few lines of code.
"Half a dozen variants of a malicious app can be created and published in a matter of minutes using just four pieces of readily available software," said Leonard.
This makes malicious malware difficult to detect and identify because of the rate at which cyber criminals can easily create variants that will all have different profiles.
"The biggest concern is data loss and therefore businesses should be looking to ensure they can control what data is sent to employee mobile devices," said Leonard.
Websense is tackling the problem in two main ways: First it is dissecting malicious mobile apps to build up a profile that allows researchers to classify them and identify variants.
Second, the security firm has built a mobile device management system that identifies sensitive data and prevents it from being accessed via insecure smartphones.
Any employee attempting to use a smartphone to access information that is sensitive according to company policy will be directed to use a more secure platform.
This in itself will help raise awareness of good data protection practices, said Leonard. "But security tools should always be backed up with user training to explain the reason for security policies being enforced," he said.
Security education programmes should also be updated regularly to keep users up to date with changes in the threat landscape, said Leonard.
"In 2010 there were only a handful of mobile threats, but now there are thousands and they are ramping up quickly in both volume and complexity," he said.
18 May 2012