Q&A: Best Practices for Avoiding Mobile Malware
Mobile devices are bombarded by direct attacks and those designed for any Web-connected device. We explain best practices for end users and best practices for IT that can protect against these attacks.
Mobile devices are the targets of attacks written just for them, as well as the myriad of vulnerabilities they’re exposed to simply by connecting to the Web or accessing e-mail. We explore the nature of these threats as well as what IT and end users can do to prevent them with Troy Gill, a security analyst at AppRiver responsible for analyzing data regarding cyber threat tactics, methodologies, and vulnerabilities that present threats to IT operations.
Enterprise Strategies: How does the popularity of mobile devices change the way companies handle security?
Troy Gill: It adds another layer of responsibility for companies and their employees. The proliferation of mobile devices that possess the same relative capabilities as the PC is adding another vector of attack for cybercriminals looking to take control of your data. This should be taken into consideration when developing and implementing security policies.
What are the most prevalent types of attacks directed at mobile devices?
Today, malware is all about stealing personal financial data or sensitive corporate data. The most popular attack is the installation of a Trojan Horse. In fact, some recently reported threats from McAfee involved two Trojans circulating on mobile devices: SymbOS/Zitmo and Android/Geinimi.
In addition, phishing sites accessed via mobile browser have proven very effective against smartphone users. Studies have shown these types of attacks are more effective when viewed on a mobile device versus a desktop or laptop PC because smartphone users are less likely to notice the URL they are visiting on their mobile device. Another possible explanation is that users are simply more alert to information theft when using a desktop/laptop and have a false sense of security when browsing via smartphones.
Are there any special problems with a particular mobile platform?
According to recent studies, Symbian remains the most targeted for malware due to its market share. However, Android infections have been growing rapidly. Android’s open source software is something that gives the platform great appeal, but is also the basis of its vulnerability. Although users enjoy the freedom to acquire apps from inside and outside the Android Market, it doesn’t come without risk. The Android Market allows developers to upload apps without first running through an established screening process. This resulted in the detection of more than 50 malicious apps within the Android Market, downloaded to some 260,000 Android mobile devices. Google later remedied the infections remotely via an auto-installed software update.
What are some of the more challenging aspects to keeping customer and employee data safe in a mobile environment?
In most cases, this adds more responsibility to an already-overburdened IT department. The creation and enforcement of at least some corporate-wide security policy is a step in the right direction. Additionally, the lack of awareness of these threats must be taken into consideration with mobile devices. Many have learned where the risk lies on a PC but are unaware that the same risks exist on their mobile device. This is where some basic security training could go a long way.
How has IT been addressing these mobile security challenges?
There are many different things that can be done to tighten down security on mobile devices. For example, BES (BlackBerry Enterprise Server) software and (provisionable) ActiveSync devices can be configured for policy management. This can effectively enhance mobile device security. BES has hundreds of policies that can be controlled and used to help to lock down devices, such as passwords and password policies, device encryption, remote data wipe, Web browsing, installed applications and application-specific settings, controlling device hardware (i.e. Bluetooth, camera, GPS), employee monitoring (txt, GPS), or Smart cards.
What are some best practices that users can implement to keep themselves safe from mobile malware?
Here are some of the things users need to keep in mind:
- Safe browsing habits: Remember the same dangers on the Web can exploit your mobile device. Remain vigilant about Web surfing habits.
- High-risk apps: There is an alarming number of apps available that pose significant security threats, some of which can allow other programs to access valuable information.
- SMS or VM phishing: SMS and voice-mail are common vectors of attack for phishing scams. Always call the institution directly and verify the information when responding to a questionable voice-mail or text message, even if it seems legitimate.
- WiFi hotspot security: Nearly all smartphones are now equipped with WiFi functionality, making them highly vulnerable to attacks. Avoid accessing any password-protected site when connected to an unsecured WiFi hotspot.
What are some best practices that IT can implement to keep users protected and keep their data and network assets safe?
Here’s what IT can do:
- Conduct awareness training: Ensure that users within the company are aware that these threats exist and how to best avoid them.
- Employ anti-virus software: Utilize this software on your mobile device just as you do on your desktop or laptop.
- Enforce password protection: Lost or stolen phones likely contain personal information, such as stored logins to banking or social media sites, and could provide someone with access to sensitive company e-mail. This threat can be minimized by company-enforced password protection on mobile devices.
- Implement VPNs: When accessing corporate network resources via smartphone, utilize an SSL VPN connection to secure the session.
- Enable remote wipe and encryption: Utilize encryption software on smartphones to protect data if the device is lost or stolen. Consider using a remote wipe to brick the device remotely.
What role does AppRiver play in mobile security?
AppRiver is an Exchange Hosting provider that allows seamless syncing with mobile devices. Depending on the device, AppRiver can provide a variety of security controls on an enterprise’s devices, such as password policies and remote data wipe, among others. AppRiver’s Exchange Hosting also includes the SecureTide spam and virus protection. This service protects a user’s inbox from the type of phishing attacks we discussed that are so effective when accessed via a mobile device.