How to prevent mobile malware in 3 easy steps

Mobile malware tends to loiter in a few "bad neighborhoods" online that you should stay out of anyway.

Looking only at the data provided by security firms, the world appears on the verge of a mobile malware apocalypse.

The number of samples--which represent unique, but mostly automatically generated variants of malicious programs--exceeded 5 million in the third quarter of 2014, according to security firm McAfee. Using a different counting method, security firm Symantec classified a similar magnitude--1 million of the 6.3 million mobile apps it discovered--as malware in 2014.

Yet, these data points tell only the darker side of the story. An increasing volume of data supports the idea that Apple's and Google's gated communities for mobile software have paid security dividends and kept most monstrous malware at bay.

Apple, Google app stores are most vigilant

Less than 0.5 percent of the 1 billion devices scanned by Google security software had a potentially harmful application (PHA) installed, according to Google's 2014 Android Security Report, published in April. Potentially harmful applications include spyware, ransomware and fraudulent apps, which Google scans for using a security capability, known as Verify Apps, that runs in the background on modern Android systems. In addition, the company checks mobile apps submitted to the Google Play store, which offered about 1.5 million pieces of software at last count, and removes applications, if they are found to be violating the company's policies.

The measures mean that, among users that stick to Google's Play store, less than one device for every 10,000 has a program considered malicious. "I don't think malware represents a risk," says Adrian Ludwig, lead security engineer for Android at Google. "I think the damage of mental anguish worrying about mobile malware likely exceeds the potential harm from actually being infected by it."

Not that cybercriminals and malware developers aren't trying. Smartphones and tablets tend to have as much, if not more, private data on their users than computers, so attempting to get malware on the devices is logical. No wonder, then, that online miscreants have focused more heavily on infecting mobile devices, using automated techniques to create tens of thousands of malware variants to get around the detection systems--again, automated--used by Google, Apple and security firms.

Yet, for most parts of the world, malware on mobile devices is a non-issue. In a recent report, network security firm Damballa analyzed cellular data and found signs of potentially malicious activity on only 0.3 percent of devices. Business services firm Verizon looked at traffic on its own cellular network and found "virtually no" iOS malware and very little Android malware, according to Bob Rudis, a security data scientist with the company.

"There was a blip here or there, but the reality was that there was nothing of significance to note," he told the press during an April 2015 call.

Third-party app stores carry the most risk

Most malicious software is found in third-party app stores popular in a few countries that are loaded with pirated versions of software or trojanized applications. While Symantec automatically discovered and analyzed 6.3 million mobile apps in 2014, for example, there are only about 1.5 million apps in the Google Play store and fewer than that in the Apple App Store, according to AppFigures, meaning that two-thirds of applications from other sources make up the majority of data.

Paying heed to the data, three simple steps are recommended for North American users.

1. Use an official app store

The official app stores--namely, Google's Play store and Apple's App Store--regularly check uploaded software for malicious behavior. While the checks are automatic and can be fooled, they do act as an initial bar that attackers have to circumvent. The companies will remove programs later found to be malicious as well.

Consumers that load applications to their device only from Google Play, for example, have a 0.1 percent chance of having a potentially harmful application on their device, rather than 0.7 percent for devices that load software from outside of Google.

Loading in applications from other app stores or Web sites, an activity known as sideloading, gives attackers and criminals an opening to install their own code. Many of those app stores do not perform the same security functions as Apple and Google. Russia, for example, is the leader in infected phones, with about 3.75 percent of devices containing a PHA, according to Google's data.

Using apps outside official stores "is a risky behavior," Google's Ludwig says. "Potentially harmful applications are 7 to 10 times more likely to be installed outside of Google Play."

2. Don't jailbreak your phone

Mobile devices come with a lot of built-in security. Using programs to hack the devices to remove the carriers' and manufacturers' restrictions--an activity known as "jailbreaking"--can lead to freer markets, but also undermines much of the security protecting the devices. The ability to keep applications from accessing protected data and to validate applications are both disabled on jailbroken apps.

Finally, users who jailbreak their devices need to rely on their own technical know-how to protect the devices and their data.

3. Update often

Vulnerabilities have historically not led to increased attacks on mobile devices. Apple's iOS had nearly 8 times as many vulnerabilities than Android in 2014, but nearly all malware targets Android, according to Symantec's latest Internet Security Threat Report.

The mobile software space, however, is moving quickly and developers tend to push out bug fixes, including security issues, quite often. For that reason, users should update their software as frequently as possible and always look out for system updates. Updates are typically delayed by all the steps required to update an Android device, said Jon Oberheide, chief technology officer of Duo Security, a mobile security provider.

"Patching is still an issue on mobile devices...but it's getting better," he said.

Join the CSO newsletter!

Error: Please check your email address.

Tags ApplemcafeesymantecGooglesecurityhardware systemsPhonestabletsmalware

More about AppleGoogleSymantecVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert Lemos

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place