In our final post (at least for now) on security threats to mobile devices, let’s talk about malware. For those of you who have heard the term but don’t really know what it means (you know who you are!): “Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior.” (Wikipedia – The Free Encyclopedia.)
CNN, in Work-issued mobile devices emerging as a key security risk, explained:
“Mobile malware can cause a number of serious problems. A mobile virus can drain your phone’s battery extremely fast, delete your personal and important business information and even render certain features completely nonfunctional. Not only can a virus disable a function on your phone – snoopware may also take control of it, turning your mobile device into a walking tape recorder. It can even turn your camera on, take pictures and display them online. But the nuisance of mobile viruses doesn’t stop there. A virus on your smartphone may send infected files to your contacts or transfer them to your computer when you connect or sync. . .”
In light of the threat of malware, companies should be thinking about privacy implications as well as protection of other confidential information. Consider health care providers who may use mobile devices to communicate with patients. What about your executive team corresponding about the final details of a critical deal? From a personal perspective, do you use your mobile device to access bank accounts?
According to McAfee Labs’ threat report, as quoted in Infosecurity.com, Mobile Malware on the Rise, the number of mobile malware threats has steadily increased over the last few years, with a 46% increase in the fourth quarter of 2010. Andrew Hayter, anti-malcode program manager with ICSA Labs, who spoke with Infosecurity.com (Malware – Arriving Soon on a Mobile Device Near You), expects an explosion of malware affecting smartphones and other mobile devices in the not-too-distant future.
“I’m not sure people are aware that their mobile phone is susceptible the way their PC is,” Hayter lamented. “This smart device they have in their hands now is a whole lot more than a phone, and it has a whole lot more computing power than they expect.” (Quoted in Malware – Arriving Soon on a Mobile Device Near You).
Because most consumers trust the safety of app stores, mobile phone applications present a high level of risk for devices used by businesses. “App stores are the greatest malicious software delivery method ever invented,” Rob Smith, chief technology officer of Mobile Active Defense, reported to Infosecurity, Applications pose greatest security risk to mobile devices. Smith added, “[t]here have been an unbelievable number of examples of applications that are available for both Android and iOS that either are malware or behave differently than advertised.”
App stores frequently fail to vet software writers or test apps listed on their sites. Andrew Hayter reported that app stores, such as Google and Apple, simply wait for enough users to report an infection before taking action. At this point, businesses may have already suffered a breach, or the theft of confidential data.
(With this threat in mind, from a litigation standpoint, we anticipate discovery requests asking for mobile device security policies. Such a request might be used to defeat a claim that the Company is taking adequate steps to protect confidential or trade secret information. If you don’t have a policy in place, one could argue that the information may not be that sensitive.)
Malicious applications take over a mobile device, operate undetected in the background, and wait. When the user supplies critical information, such as bank account user names, passwords or PINs, the malware can easily disseminate the information to the cyber-criminals. To protect against these threats, security procedures for mobile devices need to address the risk of malware. Employees should also be careful about what apps they download on devices they use for work purposes. Just as IT is always reminding us not to click on attachments to suspicious email, employees need some guidelines and reminders on ways to keep their mobile devices secure.
Have you talked with IT to determine what risks might impact your mobile device users? Do you have those guidelines in place or, from a security standpoint, will you be caught with your proverbial pants down?