Malware targeting Android devices dominates mobile malware, according to a new report. The research, carried out by Pulse Secure, found that 97 percent of malware targets the Android operating system. The report put this down to a number of reasons.
"Android applications continue to offer the lowest barrier to entry among all mobile device platforms currently available," authors of the Mobile Threat Report said.
"iOS and Android took two distinctly different approaches to their application stores. While Android began by cultivating an open ecosystem that would be largely policed by the Android community, Apple's App Store was tightly controlled with an upfront review process and strict terms of service that made it difficult for malware developers to get their wares into the App Store."
The research drew on data collected from more than 2.5 million mobile applications, according to the report.
“There was significant growth in Android malware, which currently consists of 97 percent of all mobile malware developed. In 2014 alone, there were 1,268 known families of Android malware, which is an increase of 464 from 2013 and 1,030 from 2012,” it said.
While Android suffered an onslaught from hackers, iOS users came off relatively unscathed. However, the report's authors warned that iOS threats were growing, despite only four attacks targeting jailbroken versions of Apple's mobile operating system. In November of last year, non-jailbroken iOS devices were infected by a sophisticated Trojan. WireLurker was the first example of a non-jailbroken iOS device being infected by tethering to an infected Mac device.
Pulse Secure said that the figures were a wake-up call for enterprises considering BYOD.
"Enterprise networks, while continually hardened at the perimeter, need to apply similar mobile security controls to appropriately deal with the ever increasing BYOD push coming from employees," said Troy Vennon, director of the Pulse Secure Mobile Threat Center and author of the report. "The focus on Android and jailbroken iOS devices by mobile malware developers illustrates that they are actively attempting to exploit mobile devices as the weak link in enterprise security."
Mark James, security specialist at ESET, told SCMagazineUK.com that the usual source of malware was Middle Eastern and Asian third-party app stores. “These produce enough malware in the form of fake or compromised games to flood the market and skew the figures. The Android user has a much bigger opportunity to download apps from unknown or insecure markets; it's bound to have an impact on its security,” he said.
Ken Munro, senior partner at Pen Test Partners, told SCMagazineUK.com that the open source nature of Android enabled “app developers to quickly code and launch apps but saw quality control go out the window”.
“Common coding flaws, as the name suggests, are repeatedly used, and can range from DIY certificates to overly permissive permissions to poor encryption and key management. We frequently find mobile apps that don't encrypt the traffic between the mobile app and the services they consume, for instance.
“Yes, SSL and TLS have their challenges, but that's no excuse not to implement them. There is a real need to seriously appraise the security implications of such practices that are fast becoming accepted shortcuts,” he said.
Munro added that permission creep was a problem and that, by being overly permissive, many apps have created a wider attack surface.