November 7, 2019

Mobile phones are a critical part of our daily business lives: even non-company phones are used for work, and company mobiles are certainly used frequently.

Infected applications and malware are increasingly targeted at mobile devices and can arrive on a user’s device simply through downloading an application. This malware can then infiltrate corporate networks or steal data, which poses a significant cyber risk for businesses.

Using mobiles for daily tasks or as POS systems is dangerous

Smartphones are used daily in the workplace to open emails, store and access sensitive data, make calls, and are even used as point-of-sale (POS) devices to receive customer payments. Tablets are used in the same way, as we work towards digital transformation and the reduction of paperwork in our offices and environment.

SecurityMetrics writes that a mobile device used for taking customer payments costs less than a POS device, and that:

“A company can save even more by implementing a BYOD policy.”

The cross-over between personal and business mobile use, and the increasing use of mobile phones in the workplace, however, create additional cybersecurity risk for companies. Smartphones and tablets are less secure than computers as standard. And the security measures companies put in place for their desktops and overall networks often aren’t extended to mobile devices, leaving them without firewalls, encryption, or antivirus software.

Mobile malware attacks are increasing

Check Point, as per ZDNet reporting, warned this summer of a 50% increase in mobile malware attacks this year compared to last. These cyber attacks are particularly focused on Android operating systems. Check Point believes one reason may be the increasing use of mobile banking. Its director of threat intelligence and research, Maya Horowitz, says:

“The sharp rise in mobile banking malware correlates to the growing use of mobile banking applications.”

It’s worth noting here that from a business perspective, a mobile banking application is often a perfectly reasonable install for employees.

Mobile breaches can lead to data theft, surveillance, and the hijacking of devices

Mobile malware can steal data, conduct surveillance, and even perform malicious advertising. It can also hide undetected on devices for some time.

One common form of malware, Triada, accounts for 30% of attacks and can allow attackers to take control of a device. It has also been discovered pre-installed on over 20,000 cheap smartphones, according to ZDNet. Horowitz advises:

“Users need to protect their devices with a holistic solution that blocks malware and network attacks, and prevents data leakage and credentials theft, without affecting the user experience.”

Antivirus applications might not be as safe as we think

Perhaps even more concerning, a Forbes report in August revealed that antivirus applications for mobile devices, which had seen 28 million downloads, themselves opened the door for cyberattackers.

Research by Comparitech found that such applications presented attack paths and opportunities for cybercriminals, often via security flaws and vulnerabilities. Comparitech tested 21 Android antivirus applications and 47% failed in some way. Its researcher Aaron Phillips said:

“We looked for flaws in the way each vendor handles privacy, security, and advertising. The results were eye-opening.”

The largest risk to businesses from breached mobile devices is that sensitive company or even customer data could be directly exposed to cyber attackers and used fraudulently or in further attacks.

Application downloads are not the only attack vector for mobiles

Malware and other forms of attack reach mobile devices via application downloads, system vulnerabilities, phishing emails, the use of non-secure or public Wi-Fi connections, and even by text or voicemail phishing attacks.

Cybersecurity strategies must cover mobile devices, and policies must be put in place for safe mobile and tablet use. Additional antivirus, encryption, software updates, and vulnerability scanning might be needed. Furthermore, mobile device users need security awareness training so they know and understand the associated cyber risks. The use of public Wi-Fi, the downloading of applications, and opening emails safely should all be key topics.

Google is working to prevent an estimated 30 million “bad” downloads from increasing

Infected or malicious mobile applications are a major problem for mobile device security. Though businesses and users need to take their own actions to minimise risk, some responsibility lies with application stores where these “bad” applications can be found.

Google appears to be taking steps to purge malicious Android applications from Google Play Store. In an announcement on Wednesday, reported by TechCrunch, Google revealed it has partnered with three mobile security firms, ESET, Lookout, and Zimperium, “to stop bad apps before they reach users’ devices.”

Applications are screened by Google before they are approved for listing on Google Play Store, but around 0.04% of all Android application downloads are still potentially harmful. This equates to around 30 million potentially malicious application downloads to date.

Though applications are regularly removed from Google Play Store, the issue is compounded by the fact that users who already have the application are often not aware of the issue and keep it on their device.

Google and its partners plan to improve the screening of new Android applications to prevent malicious or infected applications from reaching its store.

Your employees play a key role in helping to use technology safely, so why not help upskill them on the risks posed when using mobile devices? Sign up for a free demo of the world’s most interactive security awareness training.
