In a short time, Android has become the dominant platform in the mobile device market. Nearly as quickly, Android devices have become arguably one of the biggest (and most unchecked) enterprise information security risks.
Android devices have been flying off the shelves, and the most recent numbers from NPD Group Inc., Gartner Inc. and Canalys indicate that about half of all smartphones sold in the second quarter were powered by Android. That growth has been driven by the popularity of low-cost, high-functionality Android-powered devices from Samsung, Motorola, HTC and others.
But as SearchSecurity.com reported this week, that popularity among consumers has drawn the attention of attackers, too. New data from McAfee Inc. shows that there was more new Android malware in Q2 than new malware targeting all other mobile platforms combined. In the past month, a new Android Trojan root attack was discovered, another new Android Trojan was capable of recording phone calls and SMS messages, and a high-profile Android app was compromised and bundled with a Trojan. These incidents are just the tip of the iceberg.
Why does Android seem to be so much more vulnerable than the other popular platforms like iOS or BlackBerry? While a lot of security scrutiny tends to focus on Google’s easily accessible Android source code, a June research paper (PDF) from Symantec Corp.’s Security Response unit highlights the two biggest issues, both of which are related to the way in which the platform allows downloadable applications, or apps, to operate.
First, because there is no single vetting authority for Android apps (like the Apple App Store is for iOS apps), attackers can bundle malware with apps virtually unchecked. Second, even though each Android app is isolated from other apps and the platform itself via a virtual machine sandbox, a malicious app can be designed to confuse and manipulate device users into granting additional permissions, which an app can then use to pilfer data or conduct other nefarious activities without ever downloading malcode onto the victim’s device.
“The fact that you can get apps from anywhere with the Google Android platform -- what we call provenance -- definitely puts the platform more at risk,” said John Harrison, group manager for Symantec Security Response.
Harrison said enterprises must realize that Android devices -- and virtually any other smartphone -- now have all the same capabilities as a notebook or desktop computer, and in turn must be treated as if they present the same level of risk.
Patrick Wheeler, senior product marketing manager for mobile solutions with Trend Micro Inc., said data from his organization shows that since the beginning of 2011, the number of Android malware instances has increased 1,400%. He said this malware is being delivered not only through rogue applications, but also often through the same sort of browser-based attacks used to deliver malware on a PC or laptop.
“There is enough sophistication now in the IT world for people to recognize that Android security can’t be treated the same way it is for iOS or BlackBerry, or Windows Phone,” Wheeler said, “but at the same time, there are ways you can mitigate those risks.”
So what does an enterprise information security team need to do to mitigate the increasing risk posed by employee-owned Android devices used to access email and other corporate systems and data?
Wheeler said enterprises should educate users on security best practices that would be applicable to any mobile device, including enabling power-on passwords, disabling Wi-Fi auto-connections and downloading applications only from trusted sources. He said that can then be augmented with Android-specific security technology like an endpoint agent or a more comprehensive mobile device management (MDM) product.
Policy is also critical. Harrison said enterprise security teams should develop secure usage practices that complement the common day-to-day business tasks for which employees use their smartphones and invite a variety of people into that policy development effort. He said IT security teams should consider worst-case scenarios and determine what technical means would be necessary to mitigate potential data loss or stolen devices.
Many experts believe the threat posed by Android devices is likely to get worse before it gets better, but both Wheeler and Harrison said Android is defensible. However, enterprises must understand that the rapid growth of the platform and the malware exploiting it underscore the urgency to defend Android devices vigorously. Even then, a successful Android defense demands not only a practical usage policy and user education, but also technical defenses that meet business needs and evolve along with the threat landscape.
About the author:
Eric B. Parizo is senior site editor of TechTarget's Security Media Group. His rants can be heard on SearchSecurity.com's Security Squad podcast.