Mobile Malware Threat Overhyped?

By Brian Prince  |  Posted 2010-10-06

Dealing with Enterprise Mobile Security

Cyber-criminals were recently seen targeting BlackBerry and Symbian devices to steal authentication data from online banking customers, another example of mobile devices being on attackers' radars.

Still, security experts agree most of the threats to mobile devices come in the form of people losing their devices or having them stolen. Rather than dealing with malware, the primary challenge for enterprise mobile security is figuring out how to best manage the plethora of devices employees can bring on to the network.

The number of players in the mobile market presents a challenge. Research from IDC reported Symbian held a 40 percent share of the market during the first half of the year, but also put BlackBerry, Apple iOS and Android at a combined 50 percent.

From a management perspective, organizations have three options, Gartner analyst Eric Maiwald said.

"One - use the BlackBerry Enterprise Server," he said. "BES only manages BlackBerry devices but it gives you the best management system. Two - use Exchange and ActiveSync. This will work for any device that includes an ActiveSync agent. However, it provides limited capabilities - you can verify authentication and encryption prior to allowing the device to connect and you can remotely wipe the device - and you have to rely on the device to tell you about itself."

The third option is to use third-party management products, which come in three major flavors: products focused on the security configuration of devices; messaging products, which typically deploy their own agent to send and receive e-mail securely; and service management technology focused "on the quality of service for the device" that provides a detailed view of the device and its configuration, Maiwald said.

"Basically, what I am saying is that you need to understand what you are trying to do: what is your policy, what is the goal for the management product, and what devices do you want to manage," he said.

Having a mobile device management strategy to enforce on devices other than BlackBerry is a common gap in enterprises, Gartner analyst John Pescatore said, as is having a definition of what minimal security policies need to be enforced.

Best practices include having the ability to wipe a device remotely, as well as policies around encryption and passwords, Kevin Mahaffey, CTO of mobile security firm Lookout, told eWEEK.

"A password is the first line of defense to prevent thieves or casual snoops from accessing sensitive data on a smartphone," he said. "While a password won't necessarily stop the most determined attackers, it can go a long way in keeping sensitive data safe. Some phones can set policy to automatically erase the device if an incorrect password is entered too many times."

Mobile Malware Threat Overhyped?

Analysts were skeptical of the idea of anti-malware on smartphones, partly because the amount of malware in the wild targeting the devices is relatively tiny. For example, F-Secure Chief Research Officer Mikko Hypponen told eWEEK the company has identified about 520 mobile malware families - a drop in the bucket compared to the 50,000 PC malware threats Panda Security said it analyzes and blocks daily.

Still, "[mobile malware is] a growing concern, as the general awareness for mobile threats is very low," said Sean-Paul Correll, threat researcher at Panda Security.

"Premium rate SMS numbers are the most reoccurring monetization technique in the mobile malware threat landscape," Correll said. "The malware silently sends text messages to SMS short code services, which usually charge around $5 [USD] per text message. Historically we have seen more threats affecting the Symbian and Windows Mobile platforms, but we're seeing the mobile threat landscape starting to move over to the Android platform because of its open market."

Researchers identified what they called the first SMS Android Trojan earlier this year. In the case, users had to download a fake video player. When it was discovered, Google pointed out that before installing the application, users are presented with a screen showing what system resources and data the application has permission to access. Still, users who downloaded the application faced the prospect of their phone being used to ring up charges by sending texts to premium numbers.

Aside from malware, users also face threats from phishers.

"If you receive a phishing email and you read it on your computer, you are pretty well protected," Hypponen said. "The security product on your computer will likely detect the e-mail as phishing and delete it. Even if it doesn't, when you click on a phishing link, the security product will detect and block the URL as a known phishing site. Even if that fails, most web browsers block access to known phishing sites."

"The problem is that none of those safeguards exist on your smartphone," he continued. "Yet, we read a larger and larger portion of our emails on our phones, not computers. And in addition, when you click on a link on your phone, the URL of the site is often not showed or it's truncated as the screen is smaller, making phishing URL tricks easier."


Rocket Fuel