Malware outbreaks might make for fantastic headlines, but mobile malware is just one of several mobile security threats IT must confront.
Lost or stolen devices and misconfigured or snoopy applications represent the majority of mobile device breaches. Still, this doesn't mean enterprises should ignore mobile malware. Assessing all three of the following threat trends can help you take a risk-based approach to safeguarding corporate-provided or employee-owned mobile devices in the enterprise.
Device loss and theft
Smartphones and tablets are easy prey for snatch-and-grab criminals, and many more mobile devices simply go missing. With pervasive mobility, device loss and theft rates continue to grow, escalating the associated risk to any business data stored on those devices. According to Verizon's latest Data Breach Investigations Report, 15.3% of all data breach incidents are now reportedly due to physical theft or loss -- including that of mobile devices.
Fortunately, fundamental measures are readily available on all mobile platforms to counter this threat. For example, Google Android 5.0 finally mandates hardware support for stored data encryption, although users can still disable this essential safeguard. Apple iOS 7 introduced a kill switch to render stolen iPhones and iPads worthless. In iOS 8, Activation Lock is enabled by default, strengthening out-of-the-box defenses against data breaches due to device loss or theft.
Leaky apps on the rise
The majority of mobile security breaches through 2017 will be the result of mobile app misconfigurations, rather than explicit attacks on devices, according to Gartner Inc. For example, many mobile apps auto-synchronize data with personal cloud services, such as Apple iCloud or Microsoft OneDrive. Unless IT blocks this syncing, or even bans those kinds of cloud services, these apps can easily leak enterprise data to public clouds unbeknownst to employees or employers.
In addition, a growing number of mobile apps request permissions and gather data they simply don't need. Many of the free apps in Google Play contain adware, software that endangers privacy by capturing information, such as device-unique IDs, location, contacts and more. Most often hidden within personalization or gaming apps, even relatively benign adware can slow down a mobile device, trigger accidental Web requests and leak personal or enterprise data.
Enterprises can take various steps to mitigate this threat. IT can disable the installation of repackaged apps from unauthorized app stores and should make sure to assess the reputation of mobile apps used for business. Another way to isolate enterprise data is by using containerized apps or storage. It may be impossible to prevent all leaky apps, but enterprises can use careful app management to control the flow of business data between mobile apps and across mobile networks.
Mobile malware isn't just for Android
Over the past few years, malware writers have largely focused on Android because it is the top-selling mobile OS worldwide and the dominant OS on personal smartphones. However, as employees increasingly use mobile devices for business, criminals are likely to refocus on malware aimed at enterprise assets.
According to San Francisco-based cybersecurity analysis firm Lookout Inc., today's Android security threats consist of increasingly sophisticated malware attacks and OS exploits that compromise devices and networks. To make matters worse, many Android devices run older versions of Android that are vulnerable to Android Open Source Project browser or MasterKey exploits that give criminals free rein over compromised devices.
Many enterprises consider iOS immune to malware, but this is simply untrue. For example, Lookout reports that WireLurker and XAgent "surveillanceware" are exploiting enterprise app provisioning methods and installing malware on iPhones and iPads, bypassing Apple's tightly curated App Store. In addition, iOS malware has long targeted jailbroken devices, which install bad apps from alternative sources, such as the Cydia directory.
Even if mobile malware isn't yet a major concern for enterprises, a few basic countermeasures can go a long way. Disabling sideloading of Android apps, monitoring and quarantining jailbroken or rooted devices, establishing minimum OS versions, and keeping devices and apps up-to-date can deter most of today's mobile malware threats. And that will establish a solid foundation for addressing emerging threats that will no doubt follow tomorrow.
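One way to turn the countermeasures listed above into an automated check over a device inventory, as an added example that is not part of the original article. The record fields, the `MIN_OS` thresholds (taken from the Android 5.0 and iOS 8 releases the article mentions) and the sample inventory are assumptions.

```python
# Added example: field names, thresholds and records are assumptions.
MIN_OS = {"android": (5, 0, 0), "ios": (8, 0, 0)}  # assumed minimum versions

def parse_version(text):
    """'4.4.2' -> (4, 4, 2); padded so '5' equals '5.0' and '10.0' > '9.3'."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def evaluate(device):
    """Return (action, findings) for one inventory record."""
    platform = device.get("platform", "").lower()
    findings = []
    if device.get("jailbroken_or_rooted"):
        findings.append("jailbroken or rooted")
    if platform == "android" and device.get("sideloading_enabled"):
        findings.append("sideloading enabled")
    if not device.get("storage_encrypted"):
        findings.append("storage encryption disabled")
    try:
        if parse_version(device["os_version"]) < MIN_OS[platform]:
            findings.append("OS below minimum")
    except (KeyError, ValueError):
        # Missing or unparseable data is a finding, never a silent pass.
        findings.append("platform or OS version unknown")
    if "jailbroken or rooted" in findings:
        return "quarantine", findings
    return ("remediate" if findings else "compliant"), findings

INVENTORY = [  # constructed sample records
    {"id": "dev-001", "platform": "Android", "os_version": "4.4.2",
     "sideloading_enabled": True, "storage_encrypted": False},
    {"id": "dev-002", "platform": "iOS", "os_version": "8.1",
     "jailbroken_or_rooted": True, "storage_encrypted": True},
    {"id": "dev-003", "platform": "iOS", "os_version": "10.0",
     "storage_encrypted": True},
    {"id": "dev-004", "platform": "Android", "os_version": "5.0-beta",
     "storage_encrypted": True},
]

if __name__ == "__main__":
    for device in INVENTORY:
        action, findings = evaluate(device)
        print(device["id"], action, "; ".join(findings) or "-")
```

Versions are compared as integer tuples because a plain string comparison would rank "10.0" below "8.0" and wrongly flag current devices.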