Dang. Now mobile phones have viruses and malware too. One more challenge for BYOD.

One of the topics that's come up for discussion a bit in the past few years is about malware (viruses, software to steal your contact info, etc.) for mobile phones.

One of the topics that's come up for discussion a bit in the past few years is about malware (viruses, software to steal your contact info, etc.) for mobile phones. This is especially an issue for BYOD environments because the mobile phones that users select might not have the same security standards that IT would prefer. (Or, maybe they *could* be secure, but since the users are admins then they just install insecure apps. And in many cases they don't even know it.)

Some people argue that malware isn't really a big issue in mobile phones because the phone makers have app stores with verified apps, so it's unlikely that users will find apps that are dangerous. But remember that it's possible to configure a Blackberry, Android, or Windows phone to get apps from locations other than the official app stores, and who knows what those apps can do? (And even Apple, who forces users to use only their App Store, had an issue with security where a specially-crafted PDF that was downloaded could wipe the phone.)

Of course some people argue that users need to be trained not to visit dangerous websites so that they're not exposed to these potential threats. But have you considered that it's easy to send a user to a "random" website by embedding in into a QR code?

Fun QR code

Seriously, how many people just blindly snap pictures of these and are whisked away to whatever site is on the other end, complete with malware, fake app downloads that look real, and phishing websites. (Newer QR code readers show the user a preview of the URL before they visit it, but I'm not sure that's enough for regular users. Personally I like Norton's free QR reader that runs the URLs through their threat analysis cloud and gives a big green "SAFE" label before the user continues. Even my mom could understand that!)

And antivirus software isn't nearly as sophisticated on mobile devices as it is on real computers. Part of the problem is that mobile operating systems have special rules for how their apps can run and what they can do, and these rules apply to the antivirus software too! So for example, you might be able to get an antivirus app for your iPhone, but it will only scan email attachments that you specifically send to it--it's not going to just work in the background and san everything automatically.

The problem with mobile phones is that they have a lot of personal data on them, including where you are. They're in your pocket at all times and they have cameras and microphones in them. A compromised mobile phone has virtually unlimited value to an attacker, and a user only has to be tricked once to give a bad app permissions to do whatever it wants.

While the best advice from the analysts is to just download apps from the official app stores (and to not jailbreak your iOS device), what can you to as an IT professional? Do you lock the phone up and not allow the users to do anything? Do you look for an MDM or BYOD solution?

Long term this shows the viability for real software that can separate the user environment from the work environment. I don't know if that's as intense as VMware's Horizon Mobile or something like what Blackberry is doing in their Playbook 2.0 software. But I do know that having all that corporate data on devices with end-user admin rights makes me nervous. Now what?

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Good post, Brian. At Symantec we’re definitely seeing an increase in both the amount and sophistication of mobile malware, though it should be no surprise that we’re not at PC-levels just yet. The fact of the matter is – as you eloquently point out – modern mobile devices store and access tons of sensitive personal and business information and cybercriminals are doing their best to figure out how to get at it. On top of this, the core functionality of the devices themselves can be exploited by mobile malware, as in the case of premium number SMS scams. In fact, we just recently blogged about a premium number SMS scam that was netting the attacker(s) between $1,600 to $9,000 on average per day (https://bit.ly/yFQ6vh) at the expense of either users themselves or companies footing the phone bills for their employees. In short, despite what some may say mobile malware is a legitimate concern that every organization needs to address.

Spencer Parkinson