If there is one issue that keeps IT managers up at night it is security. In fact 42% of organisations surveyed for Symantec’s 2010 State of Enterprise Security survey ranked cyber security as their top risk, beating out traditional crime, natural disasters and terrorism.
Mobile devices such as tablets and smart phones are now ubiquitous in the enterprise. Whether they’re owned by the business or the employee these personal devices are finding their way into the workplace. Analyst firm Gartner predicted that by the end of 2010 1.2 billion people would be using mobile phones capable of robust internet capability.
Mobile devices can supercharge businesses, enabling employees to effectively work regardless of location. However, as they become more widespread, they become more attractive targets for cyber criminals.
According to Mocana, 47% of organisations do not believe they can adequately manage the risks introduced by mobile devices, and more than 45% of organisations say security concerns are one of the biggest obstacles to rolling out more smart devices.
Threats to mobile devices
The latest volume of Symantec’s Internet Security Threat Report, released in April, looks at the trends in Internet security that emerged over 2010, one of which was attackers targeting mobile devices.
In 2010 mobile platforms became widespread enough to warrant the attention of attackers. Attacks on these platforms will only increase as smartphones and tablets prove themselves essential business tools.
Over the year the majority of malware attacks against mobile devices were Trojan horse programs that pose as legitimate applications. While attackers generated some of this malware from scratch in many cases they infected users by inserting malicious code into existing legitimate applications.
The Pjapps Trojan for Android devices was one such threat. Users spotted that something was amiss when the application requested more permissions that should have been necessary. Most Trojans for mobile devices simply dialled or texted premium rates numbers from the phone. Pjapps also attempts to create a bot network out of compromised Android devices. The command-and-control servers that Pjapps is programmed to contact appear to be inactive now but the attempt to create a botnet out of mobile devices demonstrates that attackers are actively researching these devices as a platform for cybercrime.
Attackers distributed many of these tainted applications through public app stores. In March 2011 Google reported that it had removed several malicious Android applications from the Android Marketplace.
The security architectures used in mobile devices these days are at least as effective as those in desktops and servers, but attackers can often bypass these protections by attacking vulnerabilities inherent in the mobile platforms’ implementations. Unfortunately there are many flaws that attackers can exploit: Symantec documented 163 vulnerabilities during 2010, which could be used by attackers to gain partial or complete control over devices running popular mobile platforms. Already in 2011 attackers have leveraged these flaws to infect hundreds of thousands of devices.
For example there were two vulnerabilities that affected Apple’s iPhone iOS operating platform that allowed users to ‘jailbreak’ their devices. Jailbreaking a device through exploits is not a world away from using exploits to install malicious code.
The number of immediate threats to mobile devices is relatively low in comparison to threats targeting PCs, but as more users download and install third-party applications for mobile devices, the possibility of installing malicious applications also increases.
Making money from cybercrime
Cybercrime is a business and most malicious code now is designed to generate revenue. As people increasingly use these devices for sensitive transactions like online shopping and banking, there will be more threats created to target tablets and smart phones.
Some of the first threats of this kind to arrive will likely be either phishing attacks or Trojans that steal data from mobile devices. Since such threats already exist on PCs, adapting them to mobile devices will be no stretch for cybercriminals. For example, as mobile devices introduce new features such as wireless payments, it is likely that attackers will attempt to find ways to profit from them as they have with PCs.