No Rest for the Weary: Mobile Hackers are Getting More Aggressive

If the headlines have you thinking that mobile security is getting worse, you’re not imagining things. We have just published the quarterly Mobile Threat Intelligence Report to dig into the 2017 numbers a bit.  The report is based on data gathered by Symantec SEP Mobile, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic mobile threat landscape.

Last year set a record, according to Symantec’s recently released Internet Security Threat Report (ISTR) with the number of new mobile malware variants soaring by 54% from the prior year. Attackers clearly saw an opportunity to ply their trade and they were active. In fact, Symantec blocked an average of 24,000 malicious mobile applications each day last year.

Attackers keep developing new methods of infection and tricks to remain on compromised devices as long as possible.

But not only are threats growing, the problem is exacerbated by workers continuing to use older operating systems. While 80% of iOS devices are on the latest release (leaving 20% exposed to known security vulnerabilities), Android devices are updated far more slowly, with only 3% on the latest OS version.

There is some good news. Knowing that Android users are largely unwilling or unable to move to the latest operating systems very quickly, Google not very long ago separated out security patches from the Android OS versions. So now, whenever Google issues a security patch, they do it for multiple versions. If someone is still using Android 7 or – heaven forbid! - Android 6, they can still get the security patch for that version to protect against more recent secure threats and vulnerabilities.

Still, about 41% of Android devices have security patches that are at least 2 months old. Even though it would be great if the percentage was still higher, we need to realize that for whatever reason, most people just don’t update their devices to the latest OS version.

That aside, 2017 was not a good year for mobile security. Symantec’s ISTR, as well as the Mobile Threat Intelligence Report for 2017, present a picture of savvy attackers having their way with unaware users, leaving enterprise security managers scrambling to play defense in the face of increasing attacks.  

Every quarter we set out to carefully analyze the data we aggregate (anonymously) via our SEP Mobile installed base. In 2017, we analyzed over 1 million apps and over 2 million unique networks. Sifting through this data, our globally recognized mobile security research team indentified the key trends. Let’s take a closer look.

Mobile Malware Variety and Volume Both Up

Not only did the volume of malware we identified grow, but the number of variants grew as well. Malware variants increased 54% in 2017. Looked at another way, it means that mobile attacks are becoming more common and attackers are branching out. That’s a troubling harbinger for enterprise IT teams, who will have to defend their organizations against both more attacks and more varied threats.

Though we tracked across-the-board increases in most variants, the two malware variants that registered the largest growth last year were adware and ransomware. It also suggests that attackers are shifting their goals; before they sought to steal data; now, increasingly, they aim to corrupt it for the sake of financial extortion. Though both are obviously bad news for enterprises, it also sends a message that mobile malware is leaving behind its juvenile past to something more sophisticated.  

Outdated Operating Systems

Another chronic problem: mobile devices that still run on outdated operating systems. Some 41% of Android devices still run on security patches that are at least two months old, and roughly 15% of Android devices run on security patches that are at least five months old. iPhones fared better, likely reflecting the fact that Apple owns its entire distribution chain, whereas Google does not. This makes updating Androids slower and more challenging.

Then there’s the human factor to consider. Many users might know that a new update is available but still not really care, likely because they’re unaware of the security risks involved in using out-of-date software. 2017 saw an increase of 80% in published mobile operating system vulnerabilities compared to 2016. That’s fostered a situation where 34% of mobile devices are rated as medium or high-risk (based on Symantec’s proprietary Mobile Threat Risk Score).   

Similarly, end users might know there are updates available but may actively avoid them. Apple is particularly notorious for slower device and battery performance with new operating system releases. This makes users even more wary about upgrading to the latest and greatest, fearing it’ll slow their phone down and force them to buy a new device before they want – or can afford – to.

Risky Wi-Fi networks more popular than ever

The number of risky Wi-Fi networks based on the SEP Mobile Threat Risk Score that were detected in major US tech centers increased by 56% across 2017, with Chicago being the only major tech center seeing a decrease (down 23%). Other tech centers, however, saw a massive spike in risky Wi-Fi networks: Boston up 173%, Portland up 158%, Seattle up 107%, and Salt Lake City up a staggering 325% - more than any other major US tech center city. To make matters worse, we found that 44% of mobile devices will face exposure to a risky Wi-Fi network within just four months of operation, making it increasingly vulnerable for any end user (and their data) who connects to unknown and/or untrusted Wi-Fi networks, which unfortunately for IT, is a large number of end users.

None of this should be surprising. As mobile devices have become increasingly popular, they’ve also become increasingly attractive targets for attackers.

Desktop security has developed over 3 decades whereas mobile security is just 3 years in the works. While it has not become a default check box for business IT, more organizations are having those conversations. Still, the ramp up can’t come fast enough.

Businesses must become more aware of the risks and take the steps to evaluate and implement a mobile threat defense solution that is complete, holistic and protects mobile devices proactively across all major threat vectors.

If you found this information helpful, you may also enjoy:

Internet Security Threat Report 2018

Warning: Mobile Threats Love Organizations of All Sizes