What do you use your phone for in a given day? Texting, checking the news, social media, banking, getting directions, playing games – most people will use their phones for all of this and more. At this point, they are an essential aspect of modern life. Due to all this activity, phones have become extremely rich sources of data – and hackers will always target data-rich devices. As a result, the amount of malware geared towards compromising mobile phones has skyrocketed. According to a report from McAfee, the amount of malware targeting mobile devices – including tablets - tripled from 2014-2015.
Mobile phone malware, like most malware, if overwhelmingly focused on making money for hackers. Ryan Olson, the Director of Threat Intelligence for Palo Alto Networks, told the Cipher Brief that “the vast majority of mobile malware is financially motivated, but we’ve identified multiple cases where surveillance was the goal.” This can manifest in a number of ways, from unwanted ads to theft of banking credentials to incurring charges for sending unwanted text messages. In addition to this, more phones are being targeted by ransomware - a type of malware that encrypts user data until a ransom is paid. Ransomware effectively allows hackers to force victims to buy back their data, or the use of their phones – and it is proving to be an effective moneymaking tactic. As a result, it is extremely unlikely that ransomware will go away any time soon.
In addition to causing problems at the individual level, mobile phone malware also has the potential to make trouble for businesses. Many businesses have adopted what is called a bring-your-own-device (BYOD) culture, in which employees bring their personal phones to work and connect them to the company’s wireless networks. While this makes life easier, it also introduces an element of risk by creating a vector for malware to spread from an employee’s phone to their employer’s systems.
Daniel Ford, a security engineer and forensic analyst at Rook Security, described this as “the biggest threat to a company’s environment.” However, he also noted that it is possible to defuse this threat by utilizing mobile device management solutions, which manage what mobile devices are allowed to do on a given network, or by limiting the networks to which employee phones can connect.
Despite the looming threats in this area, there are reasons to be optimistic about the future of mobile phone cybersecurity. According to Olson, “attackers are challenged by the fact that the major mobile operating systems remain significantly harder to infect in their default configurations than PCs.” This creates a greater natural resistance to new strains of malware.
At the foundational level, though, keeping one’s phone free of malware ultimately comes down to practicing good cyber-hygiene. For phones, this largely means avoiding suspicious third party apps which are an easy way for hackers to gain a foothold. Beyond this, there is an array of tools that organizations can use to protect their networks from phone-based malware, and a growing number of solutions to help individuals keep their phones safe as well. For now, it appears that while the threat is certainly growing, it is far from unmanageable.
Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.
