Smartphone Malware: A Threat Businesses Cannot Afford to Ignore
Smartphones have become an essential tool for modern businesses. Beyond basic communications, many organizations use smartphones to store and access even mission-critical data. Additionally, some organizations have bring-your-own-device (BYOD) policies, where employees can use their own smartphones, making security even more challenging.
Malware specifically aimed at smartphones is one of the biggest threats to these organizations. Despite this fact, many businesses do not put enough focus on smartphone security. According to the Verizon Mobile Security Index 2019 report, although 85% of businesses claimed they were doing what it takes to guard against smartphone malware, less than half of those respondents actually implemented the correct measures needed to keep their mobile devices safe.
This lack of urgency stems from a misplaced confidence influenced by the fact that apps on smartphones are usually loaded using app stores, which are largely more secure than the software distribution models used by desktop computers. However, the review process for these app stores is not foolproof. Both Apple and Google have had to remove malicious apps from their respective app stores.
To demonstrate the importance of smartphone security, in this article we will discuss a few examples of devastating malware attacks targeted at smartphones. Additionally, we will provide some best practices to help business organizations avoid falling victim to them.
While iOS devices usually get updated faster than Android devices, they are not immune to critical security vulnerabilities. A security researcher at Google publicized a vulnerability that can allow a hacker within Wi-Fi range of any Apple device to remotely compromise it. The bug has long since been patched, but more are certainly lurking in the shadows, waiting to be discovered.
In 2015, a version of Apple’s Xcode software development environment for Mac computers, infected with a malware called XcodeGhost, was spread throughout China, even ending up on third-party software distribution sites within China. Since Internet access to the outside world from China can be slow and unreliable, many users including developers download from these software distribution sites, which are much faster than downloading from sites outside of the country. As a result, the developers of several popular apps ended up downloading this infected Xcode version.
According to Kaspersky, XcodeGhost infected more than 40 high-profile apps including the Chinese version of Angry Birds, and WeChat. This malware opened up a malicious backdoor that could allow hackers to steal private information.
On the Android side, a University of Cambridge study found that nearly 90% of Android devices tested were vulnerable to at least one of 11 critical security vulnerabilities. A few years, ago the Stagefright vulnerability was estimated to allow 95% of Android smartphones—nearly a billion devices—to be compromised with a single text message.
In addition to security vulnerabilities in the Android operating system itself, Google continually removes infected apps from Google Play. In September, they took down 17 apps infected with the Joker/Bread malware, a plague that Google has been fighting since 2017. The Joker/Bread-infected apps steal text messages, contacts, and other information on the device. Additionally, they can send special SMS messages that sign the victim up for expensive carrier services.
Mobile Device Security Best Practices
The following are a few best practices which can help businesses reduce the risk of falling victim to smartphone malware.
Enforce Updates with an MDM Solution
Mobile device management (MDM) tools allow companies to automatically enforce restrictions and security features on managed mobile devices. Organizations absolutely must keep devices up to date if they want to avoid security vulnerabilities. By using MDM to ensure that every device is fully patched, smartphone malware that slips through the cracks will not be able to exploit any vulnerabilities.
Do not Allow Obsolete Devices
Old devices that no longer receive security updates should not be used with mission-critical data. Although, many perfectly functional smartphones are rendered obsolete because their manufacturers cease to provide software updates, the cost of replacing a device with a newer model might be far smaller than the cost of a data breach.
Stick to Reputable Apps
While it is not impossible for a very popular app to get compromised, most apps that are infected are usually not very popular or reputable. Companies can decrease their attack surface by encouraging employees to avoid lesser known apps. MDM solutions can also provide lists of installed applications to administrators for auditing.
In addition to avoiding sketchy apps, Android users should also make sure to stay away from third-party app stores. These stores are not subject to the same security restrictions that govern Google Play.
Take Advantage of Separation Features
MDM solutions on both iOS and Android can enforce company-managed apps, accounts, and even data flows. On iOS, proper use of these features can make it impossible to access company data in non-managed applications. That way, the negative effects of malware are limited.
On Android, work profiles provide very robust separation between work and personal data. Android can even separate personal and work calls and texts, preventing SMS-reading malware from accessing company data.
An Unavoidable Threat
While many businesses around the world take endpoint security seriously on their laptops and desktops, many do not put enough effort into maintaining the security of smartphones. With the increasing incidents of high-profile smartphone malware attacks, businesses cannot afford to ignore smartphone malware.
Fortunately, by following security best practices geared toward mobile devices, the risk of infection can be reduced. Additionally, by leveraging MDM technology, businesses can further defend themselves against malware.
With many years of experience helping companies manage their business IT security, Outsource IT is the perfect partner for your organization. From endpoint security to securing cloud services, Outsource IT can provide the right solution for your needs. Reach out to your Outsource IT account manager to learn more.