Malware targeting smartphones
A report published by Nokia this week has revealed that mobile devices are being targeted by cybercriminals with greater intensity than ever before, with instances of malware infections peaking last October, according to the Register.
Analysts found that at most a total of 1.35% of all smartphones worldwide were suffering from some form of malware affliction. They also warned against complacency among users, since all platforms are in the firing line at the moment, not just the most popular.
81% of all infections were detected on mobiles running the Android operating system. Given that this OS is present on the majority of mobiles sold globally, this is not surprising.
The report also found that iOS, Apple’s platform which runs on the iPhone range, is beginning to foster more malware than in the past, with dodgy apps enabling hackers to get a back door into devices.
The rise of mobile malware has occurred in unison with the decline in the number of traditional desktop and laptop computers that are infected, as this dipped to 15% in H2 2016. This is another trend which reflects the fact that smartphones are now used far more regularly for browsing the internet than PCs.
Tips to avoid malware
1. Inform users about mobile risks
Users often don’t realise a mobile device is a computer and should be protected like one. Always consider the source of an app or game. If an app asks for more than what it needs to do its job, don’t install it.
2. Consider the security of over-the-air networks used to access company data
Over-the-air (i.e., Wi-Fi) networks are insecure, generally. For example, if a user is accessing corporate data using a free Wi-Fi connection at an airport, the data may be exposed to malicious users sniffing the wireless traffic on the same access point. Companies must develop acceptable use policies, provide VPN technology, and require that users connect through these secure tunnels.
3. Establish and enforce bring-your-own-device (BYOD) policies
BYOD should be a win-win for users and companies, but it can result in additional risk—and it’s becoming more and more common in business. Ask yourself: How do I control a user-owned and managed device that requires access to my corporate network? Educated employees are often the best defence against the theft of sensitive data. If they use their own mobile devices they must follow policies that keep the business compliant with regulatory requirements.
4. Prevent jailbreaking
Jailbreaking is the process of removing the security limitations imposed by the operating system vendor. To “jailbreak” or to “root” means to gain full access to the operating system and features. This also means breaking the security model and allowing all apps, including malicious ones, to access the data owned by other applications. In brief, you never want to have root-enabled devices in your company.
5. Keep device operating systems up to date
This sounds easier than it actually is. In the Android ecosystem, updates can be blocked a number of ways: by Google (which updates the operating system); by the handset manufacturer (which may decide to release updates only for the latest models); or by the mobile provider (which may not increase bandwidth on their network to support updates). Without the ability to update your Android OS, your device is vulnerable to potential exploits. Research mobile providers and handset manufacturers to know which ones apply updates and which don’t.
6. Encrypt your devices
The risk of losing a device is still higher than the risk of malware infection. Protecting your devices by fully encrypting the device makes it incredibly difficult for someone to break in and steal the data. Setting a strong password for the device, as well as for the SIM card, is a must.
7. Mobile security policies should fit into overall security framework
IT needs to strike a balance between user freedom and the manageability of the IT environment. If a device does not comply with security policies, it should not be allowed to connect to the corporate network and access corporate data. IT departments need to communicate which devices are allowed. And you should enforce your security policy by using mobile device management tools.
8. Install apps from trusted sources; consider building an enterprise app store
You should only permit the installation of apps from trusted sources, such as Google Play and Apple App Store. However, companies should also consider building enterprise application stores to distribute corporate custom apps and sanctioned consumer apps. Your chosen security vendor can help set up an app store and advise which applications are safe.
9. Provide cloud-sharing alternatives
Mobile users want to store data they can access from any device, and they may use services without the approval of IT. Businesses should consider building a secure cloud-based storage service to accommodate users in a secure way.
10. Encourage users to install anti-malware on their devices
Although malware exists for iOS and BlackBerry, those operating system interfaces don’t support anti-malware. However, the risk of infection is highest for Android, where security software is already available. Make sure all your Android devices are protected by anti-malware software.