Vulnerabilities, Exploits and Malware are alive and well on mobile devices. Here is an article from Tabb Forum that outlines some examples.
The reason is that users change their devices frequently (from loss or the need to upgrade), they load & update apps frequently, there are less mature controls to manage mobile than there are laptops/desktops/servers, and mobile devices have less CPU/Memory/Storage so it’s difficult to have a rich security subsystem layered on the device without impacting the performance of the device. On top of all this there has been a big move in the marketplace to allow employees to bring their own device to work (BYOD).
If your company isn’t creating a mobile use policy, educating employees on the appropriate use of mobile within the workplace and using a rich set of tools to manage your mobile devices, applications and data then you may have big issues.
A mobile device is a computer and can be exploited in the same manner--A mobile phone however also has the additional ability to make calls, use video, leverage a GPS and send SMS messages.
Given the broad use of app’s on mobile phones cybercriminals have been including hidden (obfuscated) malicious functionality in apps that can allow bad actors to:
- Perform surveillance on you and your company (they get access to the devices Audio, Camera, Call logs, Location, SMS message logs etc.)
- Steal you and your companies data
- Load botnets that can do denial of service, click fraud etc..
- Make calls and send SMS messages
- Impersonate you
Inevitably, Google’s Android platform has become a much greater target for mobile malware writers than Apple iOS because, unlike Apple, it does not employ a walled garden policy with regard to apps. It’s also significant that Android has a large proportion of the mobile market. (Market-share data here)
Here are 7 Tips to Prevent Mobile Malware
- Train your users about mobile risks - A mobile device is a computer and should be protected like one. If the user accesses the corporate network with their mobile device they should understand the risk imposed by downloading applications and accessing website that are not from trusted sources. The user needs to also know the value of keeping their operating system on the device up to date with the latest security patches from the manufacturer/mobile provider and operating system vendor.
- Only access corporate data via Wi-Fi over a secure tunnel as over the air networks are exposed to malicious capturing of wireless traffic. There are several mobile Virtual Private Networking technologies (VPN) that can be deployed that can allow users to connect through these secure tunnels.
- Establish and enforce Bring Your Own Device to work (BYOD) policies
- If possible leverage a Mobile Device Management (MDM) platform and Mobile Application Management Platforms from companies like Good and others.
- Encrypt your devices - It is very difficult for someone to break in a steal data on an encrypted device (this goes for the SIM card as well).
- Add mobile security policies into your overall employee security framework. More here and read the US government’s version here. You and/or your IT department needs to communicate which devices are allowed in your policies and you should enforce your security policy by using mobile device management tools.
- Ensure all your Android users are protected by anti-malware software.