Mobile device security threats are on the rise. In 2014, Kaspersky Lab detected almost 3.5 million pieces of malware on more than 1 million user devices. And as reported by IT Web, the number of new malware programs detected each day has reached over 230,000--many of which target mobile devices. Here’s a look at the top seven mobile device threats and what the future holds.
1) Data Leakage
Mobile apps are often the cause of unintentional data leakage. As noted by eSecurity Planet, for example, “riskware” apps pose a real problem for mobile users, who give them sweeping permissions, but don’t always check security. These are typically free apps found in official app stores that perform as advertised, but also send personal—and potentially corporate—data to a remote server, where it is mined by advertisers or even cybercriminals.
Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread valuable data across corporate networks without raising red flags. To avoiding this problem. only give apps permissions they absolutely insist on, and forgo any program that asks for more than necessary.
2) Unsecured Wi-Fi
No one wants to burn through their cellular data when wireless hot spots are available—but free Wi-Fi networks are usually unsecured. According to V3, in fact, three British politicians who agreed to be part of a free wireless security experiment were easily hacked by technology experts and had their social media, PayPal and even VoIP conversations compromised. To be safe, only use free Wi-Fi sparingly on your mobile device, and never using it to access confidential or personal services, like banking or credit card information.
3) Network Spoofing
Network spoofing is when hackers set up fake access points (connections that look like Wi-Fi networks but are actually traps) in high-traffic public locations such as coffee shops, libraries and airports. Next, cybercriminals give the access points common names, like “Free Airport Wi-Fi” or “Coffeehouse,” which encourage users to connect. In some cases, attackers require users to create an “account” to access these free services, complete with a password. Not surprisingly, many users employ the same email and password combination for multiple services, allowing the hackers to compromise their email, e-commerce, and other secure information. In addition to using caution when connecting to any free Wi-Fi, never provide personal information, and if you are asked to create a login, always create a unique password, just in case.
4) Phishing Attacks
Since mobile devices are always powered-on they represent the front lines of any phishing attack. According to CSO, mobile users are more vulnerable, since they are often the first to receive legitimate-seeming emails and take the bait. Desktop users who only check their email once a day or every other day are often warned off by news sites or security bulletins before clicking through. Email monitoring is crucial. Never click on unfamiliar email links. On a smaller mobile screen, they can be even harder to verify. Always enter URLs manually to be as safe as possible.
According to eWeek, while many mobile users worry about malware sending data streams back to foreign powers or international cybercriminals, there’s a key threat closer to home: Spyware. In many cases, it’s not malware that users should be worried about, but rather spyware installed by spouses, coworkers or employers to keep track of their whereabouts and use patterns. Download a solid (and legitimate) antivirus and malware detection suite to help detect and eliminate these programs before they have a chance to collect your data.
6) Broken Cryptography
According to Infosec Institute training materials, broken cryptography can happen when app developers use weak encryption algorithms, or strong encryption without proper implementation. In the first case, developers use encryption algorithms that already have known vulnerabilities to speed up the process of app development, and the result is that any motivated attacker can crack passwords and gain access. In the second example, developers use highly secure algorithms, but leave other “back doors” open that limit their effectiveness. For example, it may not be possible for hackers to crack the passwords, but if developers leave flaws in the code that allow attackers to modify high-level app functions (such as sending or receiving text messages), they may not need passwords to cause problems. Here, the onus is on developers and organizations to enforce encryption standards before apps are deployed.
7) Improper Session Handling
To facilitate ease-of-access for mobile device transactions, many apps make use of “tokens,” which allow users to perform multiple actions without being forced to re-authenticate their identity. Similar to passwords, they’re generated by apps as a way to identify devices. Secure apps generate new tokens with each access attempt, or “session,” and should remain confidential. According to The Open Web Application Security Project, improper session handling occurs when apps unintentionally share session tokens with malicious actors, allowing them to impersonate legitimate users.
What the Future Holds
According to CXO Today reporting on recent Gartner data, the nature of mobile security threats isn’t undergoing a significant change, but the severity of the consequences is rapidly increasing. Pay close attention to these three key impact areas:
- Desktops. According to SC Magazine, a role reversal is in the works: Desktops and laptops connected to mobile networks are becoming increasingly responsible for infecting smartphones and tablets.
- BYOD. As users are granted high-level access from personal mobile devices, smartphones and tablets effectively take the place of desktops—but don’t offer the same level of built-in security or control.
- The Internet of Things (IoT). With the number of types of smart devices—from RFID chips to thermostats and even kitchen appliances—growing so quickly, they can’t always be monitored by users or antivirus solutions. As a result, hackers may use these IoT devices as entry points to networks at large.
Mobile device security threats are both increasing in number and evolving in scope. To protect devices and data, users must both understand common threat vectors and prepare for the next generation of malicious activity.