With malware losses costing upwards of $500 billion, rest assured that malware writers will want to set new records for 2015[i]. As the world becomes more interconnected, the speed of delivering future technologies has become an important factor in getting ahead of the competition. Competitive pressures continue to force companies to deliver the next big thing, but in doing so they are creating security loopholes, vulnerabilities, and security lapses that facilitate malicious attacks.
This article explains the challenges the mobile industry is facing and the reasons why criminals will aggressively attack the different parts of the mobile ecosystem: the operating system, device manufacturers, mobile application vendors, and distribution and delivery mechanisms.
1. Operating systems – still an easy target
Android is the ideal operating system to attack: it has been the fastest-growing operating system in the market, and its devices are ripe for targeting with malware. Around 5.3 million mobile malware variations have surfaced since Android was created. While updating operating system software to the latest version can help stem these attacks, hundreds of millions of devices still in use today run older versions of Android that do not have the latest updates. Google has been working to protect users from malware attacks, but it still does not seem to be enough. After each release, the mobile industry continues to suffer from these attacks.
In October 2012, the first version of Jelly Bean was released with a number of security enhancements to deter online criminals. However, in April 2013, 32 applications were manipulated to display fake ads that directed users to install malware disguised as free applications[ii]. Though Google was able to remove these applications, the damage was done. In July 2013, Google released the second version of Jelly Bean, which incorporated additional security features. In August 2013, 30 applications within Google Play were identified as malicious, and Google removed them from the Play Store and improved the security process for uploading applications into this marketplace[iii].
Google continues to release new versions, such as Kit Kat in September 2013. The Verify app has helped reduce the number of malware attacks, but was it enough? The latest updated version of Lollipop was released in April 2015, with a number of new security features such as encryption, smart lock, improved facelock, SELinux, and factory resets[iv]. While Google continues to add security features to reduce the number of compromised devices compared to previous versions, it still does not seem to be enough.
In July 2015, a global announcement about Stagefright garnered new headlines, creating some uneasiness among Android users. Stagefright targets a number of vulnerabilities in the software that Android uses to process, play, and record media files. In some cases, Stagefright can gain root access to the device, and even remote access to the device’s microphone, camera, and external storage[v]. In April 2015, Google was notified about this vulnerability and had already applied a patch in subsequent releases of the operating system. However, there are still 950 million mobile devices using an older version of the operating system that does not have the updated software. This brings us to question device manufacturers and why they are not helping to resolve this dilemma.
2. Device manufacturers keeping a neutral stance to security?
Mobile device manufacturers continue to improve their products with a slew of features, to the point where the processing power and technology have surpassed the performance of very low-end computers manufactured just a few years ago. As reported by Alcatel-Lucent, over 71% of mobile devices do not have antimalware protection. This is changing: some mobile devices now have antimalware security software pre-installed, but it is not automatically turned on to protect the user from malware. It seems as though device manufacturers are not really promoting security or protecting the mobile device. Sometimes these security applications are not prominent, and users often don’t know that security services may be available to them. It seems as though mobile device manufacturers are keeping a neutral stance on security.
Some device manufacturers are addressing general security issues. Samsung’s Knox, for example, separates personal data from company data by creating a virtual space on the device. It also offers encryption and VPN[vi] features, as well as other features, but does not add an antimalware component to remove possible threats before they can occur. Though it is an improvement, it still falls short of being a complete mobile security solution.
So we should look at mobile application developers and at the distribution mechanisms for these applications, i.e. online app stores such as Google Play.
[i] Breaches, malware to cost $491 Billion in 2014 Study Says; Mar 2014; http://www.scmagazine.com/breaches-malware-to-cost-491-billion-in-2014-study-says/article/339167/
[ii] App Contained a “fake” ad network, directed users to install malware disguised as free applications; April 2013; http://www.androidcentral.com/google-removes-32-apps-google-play-over-malware-concerns
[iii] Google Play Store Suffers from Malware; August 9, 2013; http://www.cbsnews.com/news/google-play-store-suffers-from-malware/
[iv] Android Lollipop’s Best New Security Features; October 28, 2014; http://www.tomshardware.com/news/android-lollipop-new-security-features,27974.html
[v] Android Stagefright Bug: How can you protect your phone; August 11, 2015; http://www.trustedreviews.com/opinions/what-is-android-stagefright-bug