Verizon's data breach report can't find any mobile malware - so is it all hype?

"I got 99 problems and mobile malware isn't even 1 percent of them"

Is mobile malware really the gigantic business threat it is made out to be by numerous security firms? If it is, someone should tell Verizon's researchers, who have once again struggled to find any to talk about in the firm's 2015 Data Breach Investigations Report (DBIR).

The DBIR is accepted as probably the industry's most comprehensive take on real-world data breaches, security incidents, malware types, and attack vectors, compiled from Verizon's large mobile user base and extensive list of consultancy customers, with contributions from 70 global security agencies, including huge Internet firms, national CERTs and even the US Secret Service.

If mobile malware is out there, Verizon is probably the best qualified firm on earth to see it, and yet it devotes an entire chapter of the DBIR to a mostly fruitless search for evidence that mobile malware is being used on any scale to breach organisations.

After running eighteen passes or more on the data, the best the firm can say is that from tens of millions of smartphones connecting to its network each week, around 100 showed evidence of serious malware, almost exclusively on devices running Android. That's a fraction of a fraction of one percent of all threats at most. The rest of the unwanted applications it noticed it rated as basically low-grade nuisance applications.

"We chopped, sliced, and flipped the data more times than a hibachi chef," said the report as if to emphasise the effort the firm went to find mobile threats.

Relating that to the 2,122 real-world breach reports and nearly 80,000 security incidents fed into its database for 2014, the firm said that mobile devices were involved on only very rare occasions.

"When we've looked for these devices we've not seen them in our breach data," confirmed Verizon risk team principal and report co-author, Jay Jacobs.

It's a head-scratcher perhaps, but Jacobs is adamant that as far as larger organisations are concerned this is an over-rated threat.

"We see that it's a weakness, we know that users can be duped. But we're just not seeing it. Back off the hype a little bit. Mobile is not a pattern," he said.

"Most of the malicious software is annoying for the consumer. But when we filtered this out there was a tiny fraction that had malicious software on it."

The mobile malware that is out there is overwhelmingly opportunistic, short-lived attacks designed to mine a quick profit or grab some traffic, or push advertising through adware apps. Four out of five attacks don't last beyond a week and 95 percent were gone within a month.

Jacobs is not saying that mobile malware doesn't exist, nor that it is not a risk for consumers. But so far almost none of it is being used as part of the large number of detected attacks on organisations his firm deals with each year.

Verizon's takeaway is that organisations should prioritise defending themselves from the other attacks that are working and stop worrying about attacks that will probably only materialise when mobile has been fully integrated into business.

Meanwhile, back with the breach reports that have made the DBIR such an annual event, suffice to say that the 2,122 confirmed in 2014 across 61 countries was significantly up from the 1,376 in 2013. This is largely down to the expanded list of organisations contributing reports of real-world incidents - 70 against 50 - although it is also possible that, as a record year for disclosed breaches, the rise is real too.

It is striking, however, that other aspects of data breaches have stayed almost the same from year to year in the DBIR, with the balance of external actors staying around 85 percent, with most of the rest internal staff and a tiny segment by or through partners. There is also evidence that breaches are taking longer to detect over time, usually more than a few days.

Another theme is the insane problem of patching, with only ten Common Vulnerabilities and Exposures (CVEs) accounting for 97 percent of the exploits seen in 2014. Many vulnerabilities are also exploited within a month of being made public, which means that public disclosure is a good indicator of the flaws that should be addressed most urgently, Verizon said.

With old flaws aplenty to choose from, "apparently, hackers really do still party like it's 1999."


Stories by John E Dunn
