As we wrap up our series on reviewing mobile security data to really understand the landscape, this week we turn to Zimperium for some data around their customers. We’ve previously looked at data from Lookout and Google, Wandera, Check Point, and Symantec.
Zimperium data dive
Much of the data for this article comes from Zimperium’s quarterly global threat reports published between 2017 and 2018, along with some additional data they provided me. Most of the data comes from internal analysis of their enterprise customer base, which Zimperium says are fairly security conscious in COPE and BYOD situations.
Learning more about sideloaded apps in the enterprise has been on our mind after learning just how easy it is for both Android and iOS to install them. In a call with Mike Cramp, senior security researcher and Matteo Favaro, malware analyst, explained that about 10% of devices (between both OSes) in a 200,000 device sample installed a sideloaded app, with about 56,000 sideloaded app installations in all (indicating many devices sideloaded several apps). This was just over Q3 2018, too.
According to Zimperium’s Global Threat Data from Q3 2017, 24% of organizations at the time suffered a what they called a “mobile security breach.” They define a breach as events where confidential or protected data is accessed or disclosed in an unauthorized fashion, and said that this often happens due to malware and malicious Wi-Fi.
Their definition of this stat is a little different from those that we’ve heard from other vendors, so how does it fit in? Zimperium didn’t go into any more detail about their definition, so for more context, we’ll point out that a per-organization incident rate means that it happened at least once out of what could be any number of users. Of course, in some cases, it only takes a single incident for an organization to end up in the headlines or face fines. On the other hand, unauthorized access to data can mean a lot of things, and include relatively benign incidents, like a third-party app accessing corporate contacts.
From their Global Threat Report of the first half of 2018: 3.5% of devices within an internal network that had the zIPS apps (Zimperium’s agent) detected a rogue access point, with nearly 2% of devices connecting to a rogue access point.
What exactly is this? The most commonly accepted definition is (1) an unauthorized access point connected to a secure network, such as employee plugging in their own router to connect wirelessly to internet, or (2) a masquerade or evil twin attack, via SSID/BSSID. Keep in mind that this is data for a six-month period, and that a typical device encounters many, many Wi-Fi networks in a day.
Malware and app-based threats
What does Zimperium report for malware? From their Global Threat Data report of Q2 2017 (this data is a little old now, but still worth mentioning), malware is found on less than 1% of enterprise devices.
From the more recent global threat report from first half of 2018, data shows that malware is more often found on Android devices than iOS. About 3.5% of Android devices had malware inside apps, with 80% of that malware having access to internal networks and actively scanning for nearby ports. Meanwhile, only 0.1% of iOS devices had malware delivered via apps.
Returning to data from the Q2 2017 report (which contains data spread across business and consumer users), 2.2% of iOS apps scanned (50,000 in total, both from app stores and those found already installed on users’ devices) by zIPS contain privacy or security issues (this could be malware, keychain sharing, MD2 encryption, etc.). The 1,101 problematic apps, according to Zimperium researchers, were then downloaded more than 50 million times overall.
The plurality of threats that Zimperium monitored during the 45-day period collected in July 2018 from a sample of 200,000 devices, showed about 68,000 devices experienced over 135,000 events that were classified as device-based threats, including device jailbreaking or rooting, system tampering, and abnormal process activity.
About 44% of the threats from this particular data set were device-based; rest of the breakdown was 42% network focused and 13% were suspicious Android apps.
Breaking down the device-based threats , the plurality of events were classified as an abnormal process activity (42%), but this affected a surprisingly small amount of devices (only about 15% of total unique devices experienced this or about 3% of the total sample). Meanwhile, jailbreaking or rooting of devices accounted for about 33% of total device-based threats, but about 51% of unique devices.
How are customer devices doing with OS updates? From their 2018 global threat report, only 51.9% of iOS devices in managed environments had the latest OS update (11.4 at the time). The remaining devices were either running 11.3 (26.5%) or 11.2 or older (21.5%). One thing to note is seasonality could affect these numbers, and that 11.4 was only out for about a month before the data was collected.
For Android, the numbers were more split between multiple OS versions, with the majority at the time still running Android 6 (or Marshmallow) at 65.7%. From there, 16.4% were running Android 7 (Nougat); 13.8% on Android 8 (Oreo), which was the latest version at the time; and 4% ran Android 5 (Lollipop) or older.
Our mobile security data review is now complete
And with that, our review of available data is done. We’ll return with a final article on what we learned from all the data the five security vendors provided and close the door on this mobile security project. I hope you’ve enjoyed seeing the presented data, too!