ISTR Information on Mobile Threats and What it All Means for the Enterprise
A few weeks back, Symantec released the 17th edition of our annual Internet Security Threat Report (ISTR). As one might guess, mobile malware, mobile operating system vulnerabilities and other mobile-related threats have become an important part of these reports over the last few years. This year’s report is no exception and a few of the findings are worth revisiting here.
Mobile Malware Trending Upwards
Without a doubt, the number of mobile malware threats out there still pales in comparison to malware threats targeting PCs, but no matter how you look at it mobile malware is on the rise. The following chart is from this year’s ISTR and highlights a significant and consistent increase in mobile malware families:
So, why is this mobile malware increase occurring? The simple answer is opportunity. With the massive growth in smart mobile device adoption and the ever-increasing use of these devices for all sorts of activities that potentially involve lucrative information, cybercriminals see an enormous opportunity to make money by victimizing users. At this point, they are still working out how to most effectively do this, but the scary truth is that the bad guys behind this movement are persistent. As a few of them start to generate revenue, like flies attracted to honey, there will be more cybercriminals jumping on board.
Mobile Malware Growing More Varied and Sophisticated
As cybercriminals explore ways to exploit mobile devices and their users, the functionality of mobile malware threats is broadening. The ISTR breaks mobile malware down by functionality based on five general categories.
First are threats that collect data. These make up 28 percent of the mobile malware out there. In most cases, the information is collected with the intention of using it to carry out additional malicious activity, much like a traditional info-stealing Trojan might. The type of data collected includes both device- and user-specific information, with the latter being the more dangerous if control is lost.
Next, with 25 percent of the pie, are threats that spy on users. Threats of this variety typically gather up various communication data, such as text messages and call logs, though they sometimes even track users’ physical location via devices’ GPS. They then send all this back to the attacker.
Third are threats that send content, such as text messages. These make up 24 percent of the threats targeting mobile devices. These threats are primarily used to directly generate revenue for attackers via premium SMS text message schemes. Such threats can also be used to propagate spam campaigns.
The fourth category involves threats that appear to be much more closely related to traditional PC-focused malware, such as backdoor Trojans and downloaders. Only 16 percent of mobile malware threats fall into this category.
Finally, coming in with seven percent of the total, we have threats that alter device settings. This type of threat attempts to elevate privileges or simply modify various settings within the operating system, with the goal of preparing devices so attackers can perform additional actions on the devices.
Not only are mobile malware threats growing more varied in scope, they are also growing more sophisticated. The report highlights how some of the tried-and-true techniques already common in the PC malware realm are being ported over into the mobile malware space, including attempts to complicate the removal of malicious apps and signing code with legitimate certificates. Social engineering is also becoming a mainstay of the mobile cybercriminal’s arsenal.
Mobile Vulnerabilities on the Rise
In 2011, Symantec documented 315 vulnerabilities in mobile device operating systems. This is compared to 163 in 2010, which represents a 93 percent increase.
As with any software vulnerability, the danger is that such flaws open up opportunities for attackers to exploit devices for any number of malicious purposes. Vulnerabilities in mobile operating systems are no different. By design, such operating systems have better in-built security than PCs, but vulnerabilities can negate those security features.
As interesting as all this is at face value, the title of this blog post indicates there is a larger goal in repeating this information here. The point is to highlight what all this means for enterprises. In short, it means that mobile threats are real, carry real consequences and need to be on enterprise IT’s radar. In reviewing the above mobile threat information, it’s hopefully fairly easy to see how mobile threats can lead to any number of negative outcomes for enterprises, from data breaches to increased capital expenditures to loss of employee productivity.
That said, these threats do not necessarily make enterprise mobility – in any of its various flavors (e.g., BYOD) – less of a worthwhile venture, just as thorns do not make taking a stroll through a rose garden any less worthwhile. In both cases, it is important to simply be prepared for the hazards and arrive equipped with the appropriate protections and tools to reap the benefits and mitigate the potential negative consequences.