Editor’s Note: Welcome to our weekly Reality Check column where C-level executives and advisory firms from across the mobile industry share unique insights and experiences.
The U.S. Department of Homeland Security recently circulated a report to government agencies including fire departments, ambulance services and police, warning of the risks of Android mobile devices.
This report states that 44% of users are actually running older versions of the Android operating system (2.3.3 through 2.3.7) and that these versions have many security vulnerabilities that have been patched in the latest 4.1 versions of the popular mobile operating system.
Seventy-nine percent of mobile malware targets the Android OS, while 19% target Symbian. Windows Mobile, BlackBerry, Apple’s iOS, and others all peg in at just less than 1% each. Nearly half of the malware targeting Androids abuse text messaging, either to intercept texts, such as those used by banks and services like Google and Twitter, or to send premium rate messages.
Rootkits are also prevalent in the Android world, allowing attackers to log keystrokes and passwords and install malicious software while remaining undetected. For example, the DHS/FBI document mentions that in late 2011, a well-known rootkit, Carrier IQ, was installed on millions of devices, including iPhones and Androids.
The report also warns of fake Google Play websites that encourage users to download malicious apps and content onto their devices. These imitation domains are created by cybercriminals, replicating the actual app store to deceive users into unknowingly installing fake and/or malicious apps.
So how can agencies and enterprises protect their mobile and remote workers from such threats? Interestingly, most people believe that antivirus products alone will protect users from malware, crimeware and zero-day attacks. However, according to Imperva, depending on which kind of antivirus software you are using, your daily detection rates and prevention rates can range from about 80% down to as low as 20% for fairly major commercial antivirus products.
Such products are important but will not completely protect users from getting infected. This is mainly because malware authors are cranking out new malware coding at an unprecedented rate. According to AV-Test Maps, most databases today have approximately 60 million malware samples in them, and the rate is increasing by about 10 million to 20 million samples per year. This includes polymorphic malware, where basically every single person that receives it gets a different, unique sample.
We often think of malware as primarily on the Windows PC operating system, but, as the federal report proved earlier, there is certainly malware out there for the Android and mobile operating environments. There are more than 12,000 different pieces of malware out there – a number which is increasing – for the Android OS alone. Android malware will install itself, taking control of your device (rooting the device, in security parlance), taking it over and then tracking data out of applications, monitoring network traffic, GPS information and even keystrokes and sending it to third-party servers.
As always, it is important to keep your OS up-to-date and to run a modern, dynamic cybercrime prevention security software and service. Particularly, the DHS/FBI also note in the report that only software updates approved by IT departments should be allowed, ensuring secure IT policies from back-end mobile device management and mobile security services.
In October 2012, industry analyst group Gartner warned that employee-owned devices are going to become infected with malware at more than double the rate of corporate-controlled computers. This is really a losing game. We don’t know what is on our employees’ personally owned computers, and we can’t enforce malware protection. Despite the fact that most malware/antivirus products are less than 100% effective and unmanageable, mobile device security systems are making it easier to defend against attacks.
The most effective way to prevent mobile and remote workers’ devices from infecting the corporate network is to isolate the browsing and app environment from malware completely using a mobile security solution. By doing this, a virtualized operating system is created. To access this system, mobile and remote users can download an app onto their PC, Mac, Android or iPhone, which can effectively isolate that device from malware that may be resident on the native OS.
As an example, let’s look at the Windows platform of such solutions; when you download the app, it basically installs what is effectively an NSA-hardened Linux environment in a virtual machine that fires up the browser, connects through the virtual private network, does authentication to the network and lets the user go to – for example, Salesforce.com or a private network through the VPN. If there is malware on their computer or they don’t have up-to-date antivirus signatures, it won’t matter, because they are running in a very isolated virtualized environment. It is one of the most effective ways to truly protect against malware, crime-ware and zero-day attacks on employee-owned devices that you do not control.
Let’s face it. We’re connecting to our corporate networks constantly on our own devices. People are working from home, working on the airplane and bringing their own computers to work. People want to login from anywhere, and the way to do it safely is in a virtualized secure environment.
Dave Jevans is founder and CTO of Marble Security, a mobile security cloud service that protects against the ever-changing threats unleashed into enterprises by mobile devices. Jevans also serves as chairman of the Anti-Phishing Working Group, whose members include Yahoo, EBay, Google and Microsoft.