Bring-your-own-device culture is very convenient, but with a growing amount of malware targeting mobile devices, it is also creating new vulnerabilities. The Cipher Brief spoke to Daniel Ford, a forensic analyst at Rook Security, about the growing threat of mobile phone malware as it relates to businesses. His recommendation: limit network access and use mobile device management solutions to help keep your data secure.
The Cipher Brief: How would you characterize the threat environment in regards to mobile phone malware?
Daniel Ford: The threat environment for mobile phone malware is increasing in risk every day. There are several hundred different types of phones and many mobile OSes out there with varying risks and vulnerabilities. The more that people use their phones and rely on them for banking, social media, emails, and other forms of communication, the larger the threat will be towards a company’s environment.
The increased risk of malware to the end-user also increases the risk to the businesses that they work for. Malware has always been a changing and adaptive landscape for attackers, but malware delivery into an environment can be very tricky if companies employ good security practices. But now there is a weak link in the chain: Bring Your Own Device (BYOD) policies. Many companies employ BYOD as a cost saver and a way to make the end-user happy. Unfortunately, this can be hazardous if they let these devices onto the internal network. This is the biggest threat to a company’s environment, but luckily it can be avoided if you do not allow end-user phones onto the internal network.
TCB: How is the malware threat to mobile phones changing, and what factors are driving this change?
DF: The malware threat to mobile phones used to be malvertising, data mining, and other types of spyware. And even though these are still prevalent, attackers are starting to target the device itself rather than the data. They are doing this by holding the device for ransom by means of encryption. The main factors that are driving this are that, with the prevalence of ransom and the success rate of the attack, hackers see it as easy money. This type of ‘ransomware’ attack against mobile phones is still new and easy to fix, but the more attackers work on it and fix the bugs, the worse this kind of malware is going to get.
TCB: How has the cybersecurity industry responded to the growing amount of malware targeting phones? What more still needs to be done?
DF: The industry has made strides in recent years with Mobile Device Management (MDM) and permission controls, but there is so much more that needs to be done. Most of the anti-virus solutions out there for mobile devices lack up-to-date definitions, which help detect the most current versions out there.
The biggest change that needs to occur is OS updates. This is by far the most critical area that is lacking on certain devices. The problem is that this kind of change needs to be performed by the mobile phone providers and phone manufacturers. The best mobile devices that maintain patches regularly are those manufactured by Apple. This is because the hardware and software are made by the same company, making it easier to fix security vulnerabilities and send out an update to end-users. Unfortunately, most of the industry isn’t like Apple, which means it could take weeks or months before a security vulnerability is patched, leaving malware the opportunity to adapt and secure a foothold in devices.
TCB: What are some best practices businesses can implement to reduce the impact of this type of malware on their systems?
DF: There are several things a company can do to reduce the risk and impact of mobile malware on their environment. If you allow BYOD devices onto the network, put them on a separate network that can only reach the internet. So even if mobile devices are infected, they will not be able to infect your network and spread to other critical devices on the network.
If your company has the ability, it should install an MDM solution or container for employees’ BYOD. This will limit the exposure to sensitive data that can be exfiltrated by malware. This can also let you install custom AV solutions and enforce security policies for mobile phones.
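The "internet-only" BYOD segment Ford describes can be expressed as an egress policy and checked against flow records before it is committed to a firewall. The following is an added illustration, not code from Rook Security or The Cipher Brief; the segment address, gateway and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption): phones sit on their own segment and must
# never reach private address space, which is where the corporate LAN lives.
BYOD_SEGMENT = ipaddress.ip_network("172.16.50.0/24")
BYOD_GATEWAY = ipaddress.ip_address("172.16.50.1")
DNS_PORT, DHCP_SERVER_PORT = 53, 67


def byod_egress_verdict(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'accept' or 'drop' for one flow leaving the BYOD segment.

    Policy: DHCP and DNS to local infrastructure, public internet otherwise;
    anything aimed at private, link-local, loopback, CGNAT or multicast space
    (i.e. the internal network) is dropped, so an infected phone cannot pivot.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in BYOD_SEGMENT:
        return "drop"                      # not a phone on our segment
    if proto == "udp" and dport == DHCP_SERVER_PORT:
        return "accept"                    # DHCP discover/request (may be broadcast)
    if proto == "udp" and dport == DNS_PORT and d == BYOD_GATEWAY:
        return "accept"                    # resolver on the segment gateway only
    if d.is_multicast or not d.is_global:
        return "drop"                      # RFC1918 and other non-internet space
    return "accept"                        # internet-bound: the only allowed path


def policy_violations(flows):
    """Return the flows a correctly isolated segment would have dropped."""
    return [f for f in flows if byod_egress_verdict(*f) == "drop"]


# Constructed flow records: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("172.16.50.20", "93.184.216.34", "tcp", 443),   # phone -> public web
    ("172.16.50.20", "172.16.50.1", "udp", 53),      # phone -> local DNS
    ("172.16.50.20", "10.0.1.15", "tcp", 445),       # phone -> internal file server
    ("172.16.50.21", "192.168.10.5", "tcp", 22),     # phone -> internal host
    ("172.16.50.21", "172.16.50.1", "tcp", 22),      # phone -> gateway admin port
]

if __name__ == "__main__":
    for flow in policy_violations(SAMPLE_FLOWS):
        print("would drop:", flow)
```

Running the block on the constructed records reports the three lateral-movement attempts; feed it real flow logs from the BYOD VLAN to confirm the segment is as isolated as the firewall configuration claims.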