Mobile malware is increasingly sophisticated and as such presents a growing threat to organisations as well as consumers. The volume of malware targeting mobile devices in the UK quadrupled in 2015, with Q1 2016 already reaching 50% of 2015 numbers. CERT-UK assesses that the following factors should be taken into consideration when organisations review their mobile devices security policy;
- Mobile malware continues to target consumers but as the role of mobile in business grows, threat actors have identified mobile devices as a possible weak link in network security.
- Mobile devices can be targeted for a variety of reasons, including to monitor conversations, steal intellectual property and harvest financial details. However it is assessed that the greatest threat to organisations is the theft of network credentials and login details.
- Mobile malware is growing in sophistication, borrowing obfuscation and deployment techniques from traditional PC malware. This implies funding and development from advanced threat actors.
- Although mobile malware presents a risk to all sectors the majority of criminal activity is targeting the financial sector by spoofing mobile banking applications in order to steal user credentials. It is assessed that mobile devices will become a prevalent part of the attack chain in targeted attacks, especially as a means of harvesting user credentials
The threat to UK business
Mobile devices are now the most common means of accessing the internet in the UK. Smartphones have overtaken laptops as the most connected devices as of 2015 and a third of all web pages are accessed through a mobile device, making UK internet access the most mobile in Europe . Mobile devices are used to connect on social media, banking, shopping online and working on the move, making them critical to UK businesses. Personal mobiles are often as important to business as corporate devices, with four in ten UK employees using their personal mobile for work related tasks. As such all mobile devices have become increasingly connected to organisations networks.
Attackers follow the data, as more sensitive data is accessed by mobile devices, malware targeting this platform is also on the rise. Lookout data reports that the number of unique samples of mobile malware in 2015 was four times that which was seen in 2014, and this rate of expansion is expected to continue. In 2016, at the time of writing, there have already been twice as many unique malware samples as the same period in 2015.
The cost of a mobile infection to an organisation can be significant, with the average malware infection on a mobile device costing £6,400 4 to mitigate. However, the potential impact can be much greater in terms of cost, intellectual property theft, brand reputation and operational capability. Malicious actors now view mobile devices as a viable attack vector and the attacks have reached new heights of operational sophistication, which is likely to result in an increased security risk to UK business.
This report provides an overview of the mobile malware threat to UK businesses, outlining the threat vectors, targeted operating systems and key case studies. This report also includes advice to organisations on how to keep their devices secure and mitigate risk.
What is Mobile Malware?
Mobile malware is malicious software specifically designed to attack mobile devices such as phones or tablets. Whilst it often works in tandem with computer malware it can also operate entirely separately. Many of the threats are the same as might be encountered whilst browsing on a computer, however some threats such as those attacking applications, are unique to mobile devices.
Historically the majority of mobile malware targeted consumers, as they represented the largest proportion of device owners. As much of this was lower severity adware, riskware or chargeware, (the definition of which can be found in the appendix) mobile malware has been in the past, perceived to have limited impact on organisations. However this paper outlines how mobile malware can and does represent a threat to UK business.
What is the threat to UK businesses?
Traditionally the threat to UK businesses was aimed at the employee’s devices rather than networks. However, although end devices continue to be the target they may no longer be the ultimate goal of an attack. For example, adware, whilst continuing to target consumers has been observed exhibiting more sophisticated behaviour. Many attacks now seek to root, or gain high level privileges to the device in a trojanlike behaviour.
This means that although the attacker may initially focus on delivering adware if the method of monetisation were to change to exploiting an individual’s work emails, calls or messages, organisations could begin to be severely impacted by an attack initially directed at an individual mobile device.
The ultimate threat to an organisation is the compromise of corporate data, therefore businesses should be aware that this is likely to be the objective of some malicious actors. Employees use mobile devices and PCs in tandem, and it should be expected that threat actors will do the same, incorporating mobile devices into the attack chain, especially to target user credentials. It is important, therefore, that UK businesses are aware of the potential cyber risk to their organisations beyond traditional PC malware.
To read the full article, click here
If you want to learn about Cyber Security, check out our new Cyber Security & Privacy Essentials course below.
Thanks to the Gloucestershire Police for alerting us to this information.
Action Fraud is the UK’s national fraud and internet crime reporting centre, providing a central point of contact for information about fraud and financially motivated internet crime