Mobile viruses are now nearly 400 strong in number and are expected to multiply to roughly 1,000 by year's end, but it's not the number of viruses out there that should have enterprises concerned, it's the type of malware that's sparking fear.
According to George Tuvell, CTO of SMobile Systems, a designer of mobile security applications, the number of viruses may be startling on its own, but it's what these security threats set out to do that is a real eye-opener.
Tuvell said it's not so much the malware of the past that disables devices or some of their features and functions that are cropping up, it's new versions of spyware and snoopware that give hackers, or anyone willing to pay, access to critical and often confidential information stored on the device and on the network those devices connect to.
Some recently uncovered malware can steal contact information, address lists, message logs and call logs. In some cases, the malware can also be used to issue commands from the device, meaning a hacker can have total control of a smartphone or mobile phone to make calls and send messages.
Another form of third-party access that was recently discovered, according to SMobile president Neil Book, is the potential for hackers to record conversations by tapping into a device and using the microphone to listen in.
"This is much more intrusive than what we've seen before," Book said. "The old way was a nuisance; this is much more of a privacy risk."
These new types of attacks open a great compliance risk, Tuvell said, because they can open the door for information to be stolen.
"Nobody wants that information hacked," he said. "Any information you want about the user, you can get it and sell it to someone who wants it."
Tuvell compared it to last year's discovery of the BBProxy, a BlackBerry vulnerability that uses BlackBerry devices as a gateway to gain access to the enterprise network.
One factor fueling the increase in the amount of mobile malware and its volatility is the growth of improved network infrastructures like 3G and 4G, which will increase the connectivity of wireless devices, in turn creating the potential for more vulnerabilities. Another factor is the emergence of mobile banking and m-commerce services, which could motivate virus writers and hackers to exploit vulnerabilities in the infrastructure for financial gain.
Along with the boost in volume of mobile malware, its complexity will also swell. According to SMobile, mobile malware will soon spread faster across the mobile network and it will be more difficult to detect because of sophisticated virus-writing techniques. Those issues, coupled with hackers looking to make financial gains, pose a more serious threat to privacy and identity.
"The industry is already seeing a movement toward these more sophisticated threats," SMobile recently wrote in a paper outlining the influx of mobile viruses. "Though most viruses to date have been via text message, the last five months has seen an increase in snoopware/spyware for mobile devices."
And no device is immune, Tuvell said. Viruses and malware have been found that affect Java-based devices, BlackBerrys, Windows Mobile devices and a host of others. Even the iPhone, which touted itself as a closed system, has already fallen victim in the month it has been on the mass market.
Despite the myriad threats, Book said there are some key elements of mobile security that can protect against even the most sophisticated attacks. Some are as simple as defending against threats with antivirus and anti-spam software, firewalls and encryption.
"Without those, it's easy to send out a virus and allow it to propagate," he said.
Tuvell added that log-in and encryption mechanisms go a long way, making any stolen data useless because it's unintelligible. Also, being able to remotely wipe data from lost or stolen devices aids in protection.
Regardless of some fairly simple protection methods, many companies are still unaware of potential threats that are sitting right in their pockets or in the palms of their hands, Book said.
"There is very little awareness today in the market as to what types of threats are out there," he said. "But I think awareness is certainly starting to grow."
Book said more and more companies are inquiring about setting up effective security policies and enforcing them across their organizations. Policy combined with vigilance on the part of carriers and service providers is a strong first step toward overall mobile protection.
Book said a good deal of responsibility falls on the carriers and device manufacturers to include security in their plans and devices. "You wouldn't buy a car that didn't have any seatbelts," he said.
Tuvell agreed, but noted that many companies have multiple carriers and service providers, and a plethora of different devices deployed. A secure mobile infrastructure, along with user awareness, is also necessary to stave off a large-scale attack before it happens.
"[Enterprises] really need to consider how they manage devices," he said. "Since most companies have multiple carriers, service providers and manufacturers, there needs to be an umbrella that covers everything."