Don't be a victim of mobile malware: tips for enterprise users
With smartphones continuing to proliferate and applications becoming a part of everyday life, finding the right security options is becoming harder and harder.
In the recently released 2011 Mobile Threats Report, Juniper Networks Mobile Threat Center revealed that from 2010 to 2011, there was a 155% increase in mobile malware across all mobile device platforms.
Helping customers resolve this will be of crucial importance, particularly as the majority of UK & US mobile phone owners now have a smartphone, according to new research from Kantar Worldpanel ComTech.
So, what are the best ways of tackling this new wave of malware? Here are five suggestions to help you on your way:
1. be wiser in the app store and stick to the brands you know
A new attack method dubbed "Fake Installers" was the fastest growing type of malware found in 2011. Fake Installers trick victims into unknowingly paying for pirated versions of popular applications that are normally free. Much like the look and feel of spam email, if it looks too good to be true, it generally is. This usually involves asking for a number of permissions that are over-reaching, dubious or unethical. The European Network Information and Security Agency (ENISA) has also published data detailing just how easy it is to unconsciously download a Trojan from an official app store.
Enterprises should restrict app downloading privileges where possible and users should stick to official brands and trusted developer names, minimising the risk of infection. Users should only log into an app when they are sure that it is authentic and it has asked all the relevant security questions first.
2. beware of SMS messages from strangers
SMS Trojans, which according to Juniper MTC research, account for 36% of known mobile malware, run in the background of an application and clandestinely send SMS messages to premium rate numbers owned by the attacker. The idea is that the malware tricks users into agreeing to automatically send premium text messages to attackers when downloading either pirated versions of paid applications or competitions, social media links or banking pages etc.
In G Data’s latest Malware Report on current threats for Internet users and PCs, it warns: “Criminals are increasingly using SMS as a medium for payment services and they are thus becoming ever more attractive. In some countries, they can anonymously sign up for expensive premium SMS numbers and thus incur large phone bills from SMS subscriptions for victims.”
Enterprises should enforce blocks on HTML messages where appropriate and limit SMS content to known contacts only. Being able to clamp down on premium Trojans before they infect a device and siphon billing fees will help maximise cost efficiencies and avoid the need for later restoration. Operators will also stand a fighting chance of being able to block certain communications with earlier reporting and subsequent prosecution to follow.
3. take care with social media on enterprise devices
In a recent M86 Security Labs Report, the security vendor warns that fake social media notifications are now a mainstream way for spammers to dupe users into clicking links which then spread virally by enticing users to share posts that promise gift cards or other rewards. These hacked, but otherwise legitimate, mobile websites subsequently played a major role in distributing spam and malware by redirecting browsers to the ultimate destination.
Enterprises should draw up a strict social media policy and apply mobile access regulations onto it, so that domain administrators can turn off particular services or restrict a user’s ability to move data to or from the organizational account. Where applicable, employees should be able to use it to communicate with colleagues/customers for the benefit of getting the job done. However, access to links posted on the site should be tightly controlled to prevent sensitive information becoming at risk and adequate virus protection should apply to devices as it does computers.
4. keep device operating systems fully updated
Users should regularly sync their devices to ensure operating systems are as up-to-date as possible to avoid issues that have otherwise been resolved in the latest update. Apps should also be updated frequently, but users must read the terms and conditions of an update before they click OK and begin the download.
Enterprises should enforce strict security protocols around such updates and where possible, use a SSL VPN client to ensure it is safe and will not place any risks on its data in transit. Appropriate network access and authorisation limits must also be set, so that IT departments are aware of dangers before allowing a user to upgrade accordingly.
5. protect data in the advent of lost or stolen handset
A recent report by analysts Canalys found that 86% of SMEs have no company-wide smartphone security in place and therefore put sensitive data at risk, if handsets are lost or stolen. One wonders if larger enterprises are much better.
Rather than simply wiping and replacing, Juniper’s statistics detail how more users are locking their device and using the location tracking features to recover, rather than replace, their device.
Enterprises must become tougher with policies around smartphones, and ensure that sensitive data is securely stored in locations which cannot be infringed by any external source.
Are you prepared?
photo © mipan - Fotolia.com