Mobile malware statistics highlight unknown state of mobile threats

News roundup: Contradicting mobile malware statistics published this year prove the mobile malware debate is alive and well. Plus: SAP vulnerabilities; spam-sending Linux malware; criminal attacks leading healthcare threat.

Recent reports make it easy to continue the debate over the extent of the mobile malware threat, but only because they add to the confusion.

Kaspersky Lab released its "IT Threat Evolution Report for Q1 of 2015" Wednesday, in which it found the number of malicious mobile threats grew over the last quarter of 2014.

Yet numerous outlets' mobile malware statistics have suggested there's nothing to worry about, including the 2015 Verizon Data Breach Investigations Report.

So what is the true nature of the threat?

Kaspersky Lab reports malware growth

While Kaspersky researchers noted a decline in malware compared to Q1 2014, two of the three mobile malware statistics in the report increased in the first quarter of 2015 over Q4 2014.

A total of 103,072 new malicious mobile programs were analyzed, more than three times the amount found last quarter. Additionally, the number of malware installation packages doubled in the same time period to nearly 150,000.

Despite the drop in the number of banker Trojans in Q1 2015 (it fell more than fourfold to 1,527), Kaspersky researchers found mobile malware was "evolving towards monetization" by using a variety of techniques including SMS Trojans, banker Trojans and ransomware Trojans to obtain money and user bank data.

Russia was hit hardest, researchers found, receiving 86.66% of all banker Trojan attacks, followed by Ukraine at 2.27% and the U.S. at 2.21%. When it came to overall mobile malware, Russia was attacked with 41.92% of the malware, followed by India with 7.55% and Germany with 4.37%; the U.S. came in seventh at 2.84%.

Others say mobile malware not a problem

According to the 2015 Verizon DBIR, mobile breaches "have been few and far between over the years. Adding dozens of new contributors didn't change that, and we've come to the same data-driven conclusion year after year: Mobile devices are not a preferred vector in data breaches."

The DBIR continues, "We feel safe saying that while a major carrier is looking for and monitoring the security of devices on its networks, data breaches involving mobile devices should not be in any top-whatever list."

In fact, Verizon researchers found that 95% of mobile malware showed up for less than a month, and four out of five didn't last beyond a week, which they attributed to malware "piggybacking on the short-lived popularity of legit [sic] games and apps."

In Google's Android Security 2014 Year in Review report released last month, researchers found fewer than 1% of Android devices were infected by mobile malware in 2014; in October that number dropped to .5%. Additionally, users who only installed apps from the Google Play Store had potentially harmful apps installed less than .15% of the time. The report also showed the installation of malware from outside the Google Play Store decreased 60% from the first to fourth quarter.

Advanced threat detection company Damballa Inc. released similar research. At RSA Conference 2015, researcher Charles Lever said users are more likely to get struck by lightning (.01%) than contact a mobile blacklist domain (.0064%).

Damballa researchers, who monitor 49% of mobile traffic data, observed more than 2.75 million unique hosts contacted by mobile devices.

Lever also equated mobile malware to Ebola, "Harmful, but greatly over-exaggerated and contained to limited percentage of the population that are engaging in behavior that puts them at risk for infection."

So what can be done to thwart any potential future mobile malware attacks?

"We are not saying that we can ignore mobile devices -- far from it," Verizon researchers said. "Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods that they're using now. When it comes to mobile devices on your network, the best advice we have is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly."

Being aware of the apps downloaded is also critical.

"By simply staying within the authorized app stores for their respected devices, (users) will drastically reduce the risk of being infected with mobile malware," Lever said.

Appthority President and Founder Domingo Guerra warned about "stale" and "dead" apps at the RSA Conference last month; stale apps are considered apps on devices that are not the current version, whereas dead apps are not even available in app stores anymore.

"Both can be risky because they don't have the latest security patches or vulnerability fixes from the developer," Guerra said. "Or in the case of dead apps, it's apps that could have been pulled from the app store by Google or Apple because the apps had malware or other privacy risks or the apps didn't comply with terms and conditions advertised to users. Yet users are never notified about those, so those apps are particularly worrisome because they remain on people's devices indefinitely, even if they are longer supported or offered in app stores."

While mobile malware statistics have swayed the debate back and forth over the years, many enterprises are certainly taking notice of the threat. Technology market research firm Infonetics Research reported in April that the worldwide mobile secure client revenue reached $1.97 billion in 2014, a 46% increase over 2013, largely due to the fact that consumers and enterprises are looking to secure both their devices and networks from the growing mobile malware threat.

In other news

  • More than 95% of SAP systems contain vulnerabilities that could potentially lead to compromised data and the disruption of critical business processes, according to a study released Tuesday by researchers at Onapsis Inc. The Boston-based application security company analyzed hundreds of SAP implementations and hundreds of vulnerabilities to identify the top three SAP cyberattack methods, which include customer information and credit card breaches that pivot among SAP systems, customer and supplier portal attacks, and database warehousing attacks through SAP-proprietary protocols. "Information security professionals need to reevaluate how SAP is protected from cybersecurity threats," said Renee Guttmann, vice president, Office of the CISO at Accuvant Inc. and Onapsis advisory board member. Onapsis researchers also offered an action plan for CISOs, including three steps that should be adopted to maintain SAP security: improving visibility into SAP-based assets, using continuous monitoring to prevent security and compliance issues, and detecting and responding to new threats, attacks or user behavior anomalies as indicators of compromise.
  • Researchers from ESET announced last week a family of spam-sending malware that has stayed out of the public eye for more than five years. Dubbed "Mumblehard" by ESET researchers, the malware targets Linux and BSD OSes and has two components -- a backdoor and a spam daemon. "They are both written in Perl and feature the same custom packer written in assembly language," the ESET blog post reads. "The use of assembly language to produce ELF binaries so as to obfuscate the Perl source code shows a level of sophistication higher than average." Researchers sinkholed the backdoor and, starting in Sept. 2014, collected seven months' worth of data, identifying nearly 8,900 unique IP addresses with Mumblehard behavior. The research concluded Web servers are most susceptible to Mumblehard, and its main purpose was to "send spam messages by sheltering behind the reputation of the legitimate IP addresses of the infected machines."
  • Just days after CVE-2015-3459 -- a vulnerability that allows remote attackers to gain root privilege to a patient-controlled analgesia infusion pump -- was published on the National Vulnerability Database, Ponemon Institute LLC released its "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data" report, which found criminal attacks are up 125% over 2014, displacing lost laptops as the leading threat to healthcare data security. Forty-five percent of the 525 healthcare organizations surveyed said the root cause of their data breach was a criminal attack; 12% attributed them to a malicious insider. The survey also found 78% of healthcare organizations have experienced Web-borne malware attacks. Despite these statistics, however, Ponemon researchers noted only 40% of healthcare organizations are concerned about cyberattacks. In the case of the hackable PCA infusion pump, the device does not require authentication for Telnet sessions, allowing remote attackers to control the device via TCP port 23. While it's not an overly problematic issue, it is a real threat nonetheless -- and could be a premonition of things to come as more connected devices enter the health realm. Such devices, Sophos Ltd. security researcher Paul Ducklin wrote in a blog post, should never use Telnet, never allow unauthenticated remote access or remote logins as root, and should receive full-network scans prior to release.
