Be scared of Android BYO. Be very scared.

They may not say it out loud, but I'd bet most network managers and security executives tell themselves over and over again that their end-users are idiots.

Sadly, the reputation isn't entirely without merit: consider surveys such as the one that today suggested 90 percent of users don't know they can search a document using CTRL-F, or the ongoing reports of Australians being taken for thousands by overseas scammers. Users routinely ignore security warnings, grant approval to unknown applications to access new smiley sites or Facebook polls, and visit malware-laced Web sites to download porn or first-release movies.

That many such people might work in your organisation – and use your company's network on a daily basis – is cause enough for concern when it comes to enforcing security. That they are now expecting you to let them use their own smartphones, tablets and computers to access networks where confidential business documents live, should keep you up at night. But the fact that many of them expect you to allow those devices to be based on Android, should be enough to make you want to call in sick for the rest of the year.

If, that is, recent figures are to be believed. Security vendor AVG, for one, has just published its SMB Market Landscape Report 2011 (conducted by market-research giant GfK), which bodes poorly for the state of IT security in small businesses. Just 58 percent of respondents were worried about the loss of company or customer information, social engineering or theft of employee identities, while 36 percent fear mobile malware and just 16 percent are worried about theft of information from the cloud.

In other words, the majority of SMBs aren't concerned about these things – and can be taken as not having invested heavily to prevent them. Given that the same survey revealed around one in five companies is now using Android devices, all this couldn't be better news for the crims that are, by all accounts, now actively targeting Android and its growing body of users.

Security vendor McAfee is the latest to warn of the Android malware explosion, recently reporting that attacks on Android had jumped 76 percent in the past three months. Much of this seems to be due to the transference of desktop security standbys such as bait-and-switch applications and fake application updates to new threats such as hidden keyloggers. In other words, malware authors are finally finding that they can teach this new dog old tricks.

One wonders whether Google is rethinking its decision to offer the source code for its environment; its decision not to release Android 3.0 'Honeycomb', and long delays in releasing the source code for Android 4.0 'Ice Cream Sandwich', suggest as much. Although open-source does give certain companies better visibility of what they're using, it also does most of the homework for malicious hackers who now seem to see Android as the mobile vector of choice when it comes to spreading malware, keyloggers and other nastiness.

Given that every major security vendor is now spruiking Android security software that purports to address these issues, it is perhaps healthy to take any reports like this with a grain of salt. But there is just as much self-interest in Google's angry response that labelled the vendors "charlatans"; after all, if Android gets a reputation as a security minefield, what self-respecting CSO would push ahead with plans to let Android devices into their corporate network by the millions?

Would you?

Can you watch the 20-minute demonstration that security researcher Trevor Eckhart has published, showing that hidden device-monitoring software can bury itself within Android and record everything a user is doing, and still heartily recommend devices running the operating system be allowed, unfettered, into your corporate IT environment?

The maker of that particular software, Carrier IQ, has argued against Eckhart's characterisation of its application as a 'rootkit' but the distinction is academic: if Carrier IQ can bury undetectable tracking software in Android, there's no reason to think malicious hackers out there can't do the same.

Many will argue that Apple's iOS also has inherent insecurities, and this is likely true. However, its tight control over application loading and unloading at least means you know that someone is watching what's loaded onto your iPhone-toting employees' phones. As a caveat, iOS users with jailbroken iPhones could be just as dangerous as those running Android.

Say what you will about surveys – particularly those from vendors that are often discounted as self-serving – but there is a growing body of evidence suggesting Android is less than the security paragon we'd like it to be. Given that fewer than 1 in 5 users bother to install security software and most feel mobile security software is too expensive, it's also clear that users – the same ones that expect equal network rights for their often-promiscuous devices – aren't going to be much help in the fight against Android malware.

No: without appropriate controls and a realistic approach to mobile security, Android could easily become the security equivalent of Windows XP, which has been exploited in too many ways – often with the assistance of ignorant users – to count. And unless they're ready to mandate regular device audits, installation of mobile security software and mobile device management (MDM) clients onto users' phones and limits on acceptable installed applications, CSOs should seriously consider their plans for mobile BYO before users' Android dreams become their own security nightmare.

Stories by David Braue