July 8, 2014 (Tue): Blue Coat Systems, Inc. (‘Blue Coat’), a market leader in business assurance technology, has uncovered some startling security findings in a report titled ‘2014 Mobile Malware: A New Look at Old Threats.’ The report provides insights that may help Malaysian businesses better protect their information assets and privacy across mobile devices and networks.
Overall, the rising mobile threats resemble the same socially engineered malware tricks that have been prevalently used for years to attack personal computers (PCs).
Blue Coat’s country manager for Malaysia, Ivan Wen, says that despite the proliferation of mobile devices and almost 1.5 billion new ways to steal information, Blue Coat has yet to see the types of malware (short for ‘malicious software’) become more widespread. In part, this relative safety from the mass market malware maelstrom that PC users face results from the lack of a cohesive underground economy.
“Truth is, mobile threats are still primarily defined by the types of socially engineered malware that simply trick users into accepting what the cybercriminal is selling. Therefore, user behaviour remains the key in both identifying where attacks might occur and understanding how these attacks may evolve,” says Wen.
User Behaviour Drives Mobile Threats
He explains, “Often, the mobile phone’s security model is not being breached, but instead the users themselves are tricked into unsafe actions that give control to the cybercriminals.”
Blue Coat’s Mobile Malware 2014 findings show that, as more people transition their recreational activities onto mobile devices, this behavioural trend is driving ‘malvertising’ (‘Malicious + Advertising’) to become the top mobile threat vector.
Wen highlights, “User behaviours on mobile devices and PCs are distinctively different. For instance, social networking has decreased as an activity on PCs, but is now the third most popular activity on mobile devices. Online shopping is one of the most popular activities on mobile platforms, but not on PCs.” (Refer to Figure 1)
“Malvertising is on the rise as more Web advertisements (Web ads) today are delivered through mobile networks which direct more users to malicious sites,” adds Wen.
Web Ads Outpace Pornography
Therefore, it was of little surprise that Blue Coat’s 2014 Mobile Malware Report indicated that, as of February 2014, Web ads have outpaced pornography as the No. 1 mobile content that leads to malware attacks: close to ONE in EVERY FIVE times a user is directed to mobile malware, it is through Web ads. This is three times the rate seen in November 2013 (Refer to Figure 2).
“‘Malvertising’ is emerging as a leading attack vector, mimicking the rise of Web ad traffic, which is mostly generated through recreational activities like online shopping on mobile devices. Mobile users are more used to seeing Web ads and this naturally makes them more vulnerable to the malware attacks that are launched through these ads.”
Spam, Poisoned Links and Rogue Apps; Combat Malware Attacks with a Lifecycle Approach
Today, the most prolific mobile malware threats are spam, poisoned links on social networking sites and rogue apps, which are socially engineered to dupe users into taking ‘unsafe’ actions, such as changing their security settings, downloading apps or authorising their device to unknown third parties, that potentially compromise their devices’ security models.
Wen says, “The rise of malware attacks on mobile devices is becoming one of the most notable trends in recent cybercrime. In fact, mobile users are sometimes more vulnerable because the smaller screen size may reduce context clues. Therefore, many kinds of mobile malware are leveraged for Advanced Persistent Threat (APT) attacks targeted at a specific organization to achieve criminal objectives.”
“Mobile malware and APTs are able to penetrate mobile phone or connected Wi-Fi networks, thus posing a serious threat to local businesses. To ensure protection of information assets and user privacy, companies should consider a ‘Lifecycle Defense’ approach that allows for malware analysis and threat intelligence to be extended across the corporate mobile environments for greater security control,” ends Wen.