Updated: 97% of malicious mobile malware targets Android

News by Rene Millman

While 97 percent of mobile malware threats aim at Android, iOS isn't left untouched

Malware targeting Android devices dominates mobile malware, according to a new report. The research, carried out by Pulse Secure, found that 97 percent of malware focuses on the Android operating system. This was down to a number of reasons.

"Android applications continue to offer the lowest barrier to entry among all mobile device platforms currently available," authors of the Mobile Threat Report said.

"iOS and Android took two distinctly different approaches to their application stores. While Android began by cultivating an open ecosystem that would be largely policed by the Android community, Apple's App Store was tightly controlled with an upfront review process and strict terms of service that made it difficult for malware developers to get their wares into the App Store."

The research drew on data collected from more than 2.5 million mobile applications, according to the report.

“There was significant growth in Android malware, which currently consists of 97 percent of all mobile malware developed. In 2014 alone, there were 1,268 known families of Android malware, which is an increase of 464 from 2013 and 1,030 from 2012,” it said.

While Android suffered an onslaught from hackers, iOS users came off relatively unscathed. However, the report's authors warned that iOS threats were growing, despite only four attacks targeting jailbroken versions of Apple's mobile operating system. In November of last year, non-jailbroken iOS devices were infected by a sophisticated Trojan. WireLurker was the first example of a non-jailbroken iOS device being infected by tethering to an infected Mac device.

Pulse Secure said that the figures were a wake-up call for enterprises considering BYOD.

"Enterprise networks, while continually hardened at the perimeter, need to apply similar mobile security controls to appropriately deal with the ever increasing BYOD push coming from employees," said Troy Vennon, director of the Pulse Secure Mobile Threat Center and author of the report. "The focus on Android and jailbroken iOS devices by mobile malware developers illustrates that they are actively attempting to exploit mobile devices as the weak link in enterprise security."

Mark James, security specialist at ESET, told SCMagazineUK.com that the usual source of malware was Middle East and Asian third party app stores. “These produce enough malware in the form of fake or compromised games to flood the market and skew the figures. The Android user has a much bigger opportunity to download apps from unknown or insecure markets; it's bound to have an impact on its security,” he said.

Ken Munro, senior partner at Pen Test Partners, told SCMagazineUK.com that the open source nature of Android enabled “app developers to quickly code and launch apps but saw quality control go out the window”.

“Common coding flaws, as the name suggests, are repeatedly used, and can range from DIY certificates to overly permissive permissions to poor encryption and key management. We frequently find mobile apps that don't encrypt the traffic between the mobile app and the services they consume, for instance.

“Yes, SSL and TLS have their challenges, but that's no excuse not to implement them. There is a real need to seriously appraise the security implications of such practices that are fast becoming accepted shortcuts,” he said.

Munro added that permission creep was a problem and by being overly permissive, many apps have created a wider attack surface.

“This is the developer trying to safeguard future app revenue by ensuring it will have as wide an access as possible to the personal information of the user. Everything from access to your contacts, to your emails, your location, your texts and even your voice commands is up for grabs,” he said.

Ciaran Bradley, chief product officer at AdaptiveMobile, told SC that there was a philosophical difference in business models between Apple and Google. Apple runs a completely locked down ecosystem where it has complete control over what a user can install on their own phone.

“Google gives people a choice, and with that choice comes responsibility,” said Bradley. “They recommend that people always stick to official channels such as Google Play when downloading apps but they do give people the choice to install apps from other sources. Bad actors will try and get people with Android phones to install malicious apps on their phones using social engineering techniques.”

Konrads Smelkovs, manager of KPMG's Cyber Security practice, told SCMagazineUK.com that the Android operating system isn't particularly less secure or leaky. “Much security development is done with it and if users don't download ‘free games' and ‘cool tools', the security for most applications is at an acceptable level”.

"For businesses looking to use Android securely, they need to deploy third party mobile device management software. This software implements additional restrictions and often wraps an extra security layer around company data using encryption, detection of jail breaks and other means."

Munro added that if an organisation does have an MDM product, it should check how it operates.

“If it works by policy enforcement, then you are at the mercy of the handset manufacturer's approach to security. Vanilla Android encryption is pretty weak. The older the handset, generally the more insecure it will be. It may be that the handset manufacturer has implemented better encryption, but if you don't verify this carefully, then your corporate data might be toast,” Munro warned.

David Kennerley, senior manager for Threat Research at Webroot, told SC that BYOD will always add another potential access point to a network that an attacker could target.

“Like with any device on a network, threat protection should be installed and kept up to date. Communication between the organisation and its employees is also vital – the risks and potential consequences need to be understood by employees, but organisations need to understand and respect the now slightly blurred boundary between personal and private,” he said.

Nick Cook, chief innovations officer at Intercede, told SC that protecting against malware and spyware is possible on many Android devices by making use of the right features of the phone.

“The Trusted Execution Environment (TEE) offers hardware-based security, and is baked into over 350 million Android handsets at the point of manufacture. It allows critical data to be protected from the main OS and malware threats. Using a Trusted Application Manager (TAM), a developer can harness this TEE security in a simple way to keep corporate and confidential data safe,” he said.

“This technology is already being used by big Enterprise Mobility Management companies to enable businesses to roll out BYOD on Android devices.”
