This post first appeared on the website of Mobile Enterprise Magazine.
While it is true that the design of some aspects of mobile device operating systems afford better in-built security against certain types of malware, it is a mistake to assume mobile devices are impenetrable. Believing they are lacks foresight.
In fact, the current state of mobile malware is reminiscent of the early days of computer security as whole. In those early days, many believed that simply practicing “safe surfing” would be a sufficient countermeasure.
Unfortunately, that mentality led many to be unprepared when malware’s evolution turned it from relatively benign to truly malicious. As a result, when threats such as ILoveYou, Nimda and Storm were released to the digital world they spread like unchecked wildfire. The evolution has continued and today such sophisticated malware as Stuxnet, Flamer and Duqu, and such prevalent threats as drive-by downloads, fake AV and ransomware all prey on victims with great skill and cunning.
With this in mind, the time is now to take a lesson from history. Similar to those early days of modern computer security, we’re seeing the evolution of mobile malware accompanied by a steady increase in the amount of these threats that shows no signs of stopping. In fact, in September of this year the number of individual mobile malware samples we observed rose to 127,239, an increase of 39 percent from just the previous month. Even more startling is that since July 2011 the number of mobile malware samples seen by Symantec has increased by an average of 55 percent every month.
These numbers indicate that cybercriminals are keying in mobile because they see opportunity there. The fact of the matter is that the vast majority of cybercriminals aren’t in the business for the fun of it. They are in the business because they make money by doing it. As more businesses and individuals come to rely on their mobile devices for everything from simple email to critical apps to mobile payments, the focus on exploiting mobile devices will only grow. In fact, Symantec predicts that 2013 will be a watershed year for mobile malware. Enterprises must be prepared.
To aid in this effort, here are a few best practices both enterprises and users should follow to avoid mobile malware:
- Users should only use app marketplaces hosted by well-known, legitimate vendors for downloading and installing apps.
- Users should also review other users’ comments on apps to assist in determining if an app is safe before downloading.
- Users should pay attention to the name of app creators. If downloading a popular app from a well-known app creator, then an app that purports to be the legitimate version, but has a different author listed should be a definite red flag.
- During the installation of apps, users should always check the access permissions being requested for installation; if they seem excessive for what the application is designed to do, it would be wise to not install the application.
- As always, opening texts and email and browsing social networking sites on mobile devices needs to be conducted with discernment. Users shouldn’t open unidentified links, chat with unknown people or visit unfamiliar sites. It doesn’t take much for a user to be tricked into compromising a device and the information on it.
- Users should avoid jailbreaking or rooting devices. Tampering with operating systems often makes devices more susceptible to mobile threats. Enterprises should not allow such devices access to their networks and resources.
- Utilize a mobile security solution on devices to ensure any downloaded apps are not malicious.
- Especially in the age of BYOD, enterprises should implement mobile device management and mobile application management to ensure the devices connecting to company networks and the data being accessed remains protected at all times.
The benefits today’s mobile technology provides can’t be overstated. However, it’s important to remember that cybercriminals go where the people are, and it’s clear that people are going mobile. It’s only common sense to take the simple steps necessary to protect mobile devices and the increasingly sensitive information they hold.