When Malware Goes Mobile

Causes, consequences, and cures

We used to think of malicious software—or malware as it’s more commonly known—as a threat to laptops and desktop computers. But as we move more and more into a mobile environment, cybercriminals are targeting smartphones and mobile devices to a far greater extent.

Apple and Google have taken preventative measures against malware in iOS and Android devices, but malware is nevertheless still having an impact on these devices.

Let’s take a look at what you can do to better protect your mobile devices to keep your data safe.

The smartphone as emerging threat vector

Mobile devices are rapidly overtaking home devices in the number of users. Research estimates more than six billion smartphone users by 2020. These devices are replacing personal computers at home and in the workplace for everything from web surfing to ecommerce transactions to online banking. Securing these devices should be a top priority both in business and personal use.

The threat vector has grown rapidly as mobile devices are used more and more to make payments. Digital wallets and other technology allowing businesses to accept mobile payments have acted as a magnet for cybercriminals.

The business of cybercrime

Cybercrime today is very much about the money. What was once a group of hackers pinging websites in search of vulnerabilities to exploit has become an organized international enterprise.

This isn’t a grimy world of solitary hackers engaging in political hacktivism or denial-of-service attacks. Roger Grimes wrote back in 2012 in a piece for InfoWorld that cybercrime syndicates have full-time employees, HR departments, and project management teams—just like you.

Central to these organizations is creating and implementing malware that can bypass security measures, attack specific customers, and achieve specific outcomes, like making money. And these “malware mercenaries” are targeting mobile devices more than ever.

Let’s take a look at the two ways these cybercriminals are making money from unsuspecting mobile device users: banking malware and premium-rate SMS fraud.

Banking malware

Banking malware continues to be a growing challenge for IT security. In the first half of 2016, we saw the GozNym malware take $4 million in just days from 24 U.S. and Canadian banks by targeting customer accounts.

GozNym actually combined code from two different, existing malware families, Nymaim and Gozi, both of which have been in existence for years. The two were merged into a “hybrid” that doubled the threat by combining the capabilities of both.

Banking malware is big business. Fraudsters have built a highly specialized industry around capturing the authentication information used to access online financial institutions. Malicious mobile software attacks users who visit a website set up by malware writers, their sponsors, or their partners.

We’ve seen phishing schemes, Trojans, and malware that monitors text messages; hackers keep finding new and improved ways to hound financial institutions for profit.

But this isn’t the only way hackers exploit users to make money.

Premium-rate SMS fraud

Premium-rate SMS fraud isn’t new, but it remains pervasive. Rather than asking you for your credit card or attempting to withdraw money directly from your bank account, the fraudster tricks you into responding to a text message, which enables a module that starts sending SMS messages to premium-rate numbers at your expense. Frequently the lure poses as a gambling, music, or other seemingly benign service.

For more information on premium-rate SMS fraud, download the whitepaper Exposing the Money Behind the Malware.

Why iOS is safer than Android (for now)

We’ve long expected Apple’s iOS to become a bigger target for hackers. Android certainly remains the bigger target: it has more users, and its more open and adaptable platform continues to make it more vulnerable to cyberattacks.

Apple’s walled garden App Store—where applications are fully vetted before being made available to customers—has prevented widespread malware infection of iOS users. As a centralized point of distribution, the App Store provides users with confidence that the apps they download have been tested and validated by Apple.

Evidence of malware showing up in the App Store is anecdotal at best, as Apple does not typically volunteer such information. However, it’s safe to assume that because Apple restricts the APIs it makes available to developers, the iOS operating system has fewer vulnerabilities.

However, iOS isn’t invulnerable. Recent examples, such as the iOS-based malware XcodeGhost, have proven that iOS is vulnerable to malicious attacks as well.

Like Apple, Google provides a centralized market for mobile applications called Google Play. However, that is offset by Android’s ability to install apps from third-party sources. Some, such as Amazon’s, are well known and reputable. Others are not, and originate from malware hotspots in Russia and China. Criminal developers decompile popular apps like Angry Birds, repackage them with malicious code, and publish the malicious versions for free.

The number of threats―especially on the Android platform―continues to increase. Since 2010, SophosLabs has observed more than 1.5 million samples of Android malware.

You can find an infographic on the history of mobile threats on the Sophos Blog.

10 tips to prevent mobile malware

Now that we’ve identified the causes and challenges associated with mobile malware, how do you prevent it? By taking back control of your mobile devices and their applications.

Here are 10 tips for securing your mobile users and preventing mobile malware infections.

1. Inform users about mobile risks
Users often don’t realize a mobile device is a computer and should be protected like one. Always consider the source of an app or game. If an app asks for more than what it needs to do its job, don’t install it.

2. Consider the security of over-the-air networks used to access company data
Over-the-air (e.g., Wi-Fi) networks are generally insecure. For example, if a user is accessing corporate data using a free Wi-Fi connection at an airport, the data may be exposed to malicious users sniffing the wireless traffic on the same access point. Companies must develop acceptable use policies, provide VPN technology, and require that users connect through these secure tunnels.

3. Establish and enforce bring-your-own-device (BYOD) policies
BYOD should be a win-win for users and companies, but it can result in additional risk—and it’s becoming more and more common in business. Ask yourself: How do I control a user-owned and managed device that requires access to my corporate network? Educated employees are often the best defense against the theft of sensitive data. If they use their own mobile devices they must follow policies that keep the business compliant with regulatory requirements.

4. Prevent jailbreaking
Jailbreaking is the process of removing the security limitations imposed by the operating system vendor. To “jailbreak” or to “root” means to gain full access to the operating system and features. This also means breaking the security model and allowing all apps, including malicious ones, to access the data owned by other applications. In brief, you never want to have root-enabled devices in your company.

5. Keep device operating systems up to date
This sounds easier than it actually is. In the Android ecosystem, updates can be blocked a number of ways: by Google (which updates the operating system); by the handset manufacturer (which may decide to release updates only for the latest models); or by the mobile provider (which may not increase bandwidth on their network to support updates). Without the ability to update your Android OS, your device is vulnerable to potential exploits. Research mobile providers and handset manufacturers to know which ones apply updates and which don’t.

6. Encrypt your devices
The risk of losing a device is still higher than the risk of malware infection. Protecting your devices by fully encrypting the device makes it incredibly difficult for someone to break in and steal the data. Setting a strong password for the device, as well as for the SIM card, is a must.

7. Mobile security policies should fit into the overall security framework
IT needs to strike a balance between user freedom and the manageability of the IT environment. If a device does not comply with security policies, it should not be allowed to connect to the corporate network and access corporate data. IT departments need to communicate which devices are allowed. And you should enforce your security policy by using mobile device management tools.

8. Install apps from trusted sources; consider building an enterprise app store
You should only permit the installation of apps from trusted sources, such as Google Play and Apple App Store. However, companies should also consider building enterprise application stores to distribute corporate custom apps and sanctioned consumer apps. Your chosen security vendor can help set up an app store and advise which applications are safe.

9. Provide cloud-sharing alternatives
Mobile users want to store data they can access from any device, and they may use services without the approval of IT. Businesses should consider building a secure cloud-based storage service to accommodate users in a secure way.

10. Encourage users to install anti-malware on their devices
Although malware exists for iOS and BlackBerry, those operating systems don’t expose the interfaces that anti-malware software needs. However, the risk of infection is highest for Android, where security software is already available. Make sure all your Android devices are protected by anti-malware software.