Well, it was practically an inevitability as mobile devices became more common and, especially, once they overtook desktops as the web-browsing platform of choice: Mobile malware is becoming an increasingly large problem.
Now, the good news is that - so far - mobile malware is not nearly as big an issue as malware on desktop machines. Both iOS and Android run on Unix-style systems, which are supposedly harder to hack and less susceptible to viruses. However, threats are out there, and they're growing. This is likely to be the next 'battleground' between cyber-criminals and security experts, so it's good to understand how things stand.
How Mobile Malware Works
At present, there are two main vectors for attack on mobile devices: compromised advertisements and compromised applications.
The advertising vector works in much the same way as it does on desktop machines, something we discussed recently in another blog. An advertisement - usually a pop-up ad - redirects the user to a website which is specifically designed to inject foreign code into the device. Often, this requires the user to click or tap on the ad to make the transition, but such pop-ups are often quite insidious and are extremely difficult to dismiss without activating them.
Compromised applications are obvious in their function: apps, either in the device's app store or downloaded from third-party sources, which are designed to attack the hardware. Once an app is granted high-level security permissions (something many users grant without a second thought) it can do almost anything it wants.
Examples of compromised apps making it onto official app stores are rare - but they do happen.
Because mobile devices don't work well as botnet devices, mobile malware is a bit different from desktop malware. Generally, there are two basic goals: Locking down the device, or else stealing its data. Or both.
Ransomware is becoming an unfortunately common form of malware online, both for desktop and mobile devices. Ransomware finds a way to lock down a user's device and/or encrypt its files, then displays a message informing the user they have to pay up to regain access to their device.
Ransomware authors are smart. They don't ask for huge sums, usually only a few hundred dollars' worth, which are generally paid in Bitcoin to a specific wallet. So if a business is hit with ransomware, paying the ransom is almost always the cheapest option. Estimates are that criminals can make thousands of dollars a month - or more - this way.
Besides ransomware, other malware which has been spotted in the wild is generally aimed at stealing data: passwords, bank account access, contacts (to spread more viruses) and so forth. The danger here is that these programs can often do so invisibly for long periods of time, particularly since mobile Internet access is often not monitored as closely as desktop/server hardware.
iOS vs Android - Which Is Safer?
This one's easy: iOS is more locked down, and Apple takes greater care with its app store. From a pure security standpoint, there's really no debate. iOS is safer.
However, this does not mean iOS is completely safe: there have been iOS viruses within apps on the App Store. Nor does this mean that Android is a virtual plague house. Google still does a fairly good job policing their own store. However, because Android allows users to grant higher-level access privileges than iOS allows, a duped user can open the door to infections if they aren't careful.
What Can You Do To Keep Your Business Safe?
The most obvious protection would be moving to a company-owned-device model backed up by strong Mobile Device Management systems that restrict third-party app installations. This, however, is quite expensive. Alternatively, some networking vendors - particularly Meraki - have been working on MDM which can work with BYOD setups. But that means investing in new network hardware, which is also expensive.
Beyond such measures, education is the best policy. Train your employees in the dangers of mobile malware. In particular:
- Encourage use of iOS, if this is reasonably within your workforce's purchasing power.
- Warn against ever installing apps from any source besides official app stores.
- Suggest they stick to well-reviewed apps with a large number of existing users. Look at outside review sites, not just the in-store reviews which are often unreliable.
- Advise them to never click on mobile ads. (Thankfully, Google is now punishing intrusive ads, so they should appear less often.)
- If necessary, they should shut down their mobile browser entirely rather than interacting with ads.
- Help Android users understand the permissions system, and why they really need to think twice about granting high-level access.
- Tell them to immediately bring a workplace device to the IT department, if they suspect it's been compromised.
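For IT staff vetting an Android app before allowing it on work devices, the permission advice above can be turned into a quick check. This is an added example, not part of the original post: it assumes a decoded, plain-text AndroidManifest.xml, and both the sample manifest and the grouping of permissions under the article's two malware goals (locking the device, stealing data) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed grouping (an editorial choice, not an official list) of real
# Android permissions under the two goals the article describes.
RISKY = {
    "android.permission.BIND_DEVICE_ADMIN": "lock",
    "android.permission.SYSTEM_ALERT_WINDOW": "lock",
    "android.permission.READ_SMS": "steal",
    "android.permission.READ_CONTACTS": "steal",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "steal",
}

# Constructed sample: a "flashlight" app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return risky permissions found in a manifest, grouped by goal."""
    found = {"lock": set(), "steal": set()}
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            # Permissions the app requests for itself.
            perm = el.get(ANDROID_NS + "name")
        elif el.tag in ("receiver", "service"):
            # Device-admin receivers and accessibility services declare
            # their binding permission on the component, not as a request.
            perm = el.get(ANDROID_NS + "permission")
        else:
            continue
        goal = RISKY.get(perm)
        if goal:
            found[goal].add(perm)
    return {goal: sorted(perms) for goal, perms in found.items()}

if __name__ == "__main__":
    for goal, perms in audit_manifest(SAMPLE_MANIFEST).items():
        print(goal, perms)
```

A hit is a prompt for review rather than proof of malice, since legitimate apps also use these permissions.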