When BYOD Equals Bring Your Own Malware

Lookout's analysis of the mobile threat landscape suggests businesses should focus on curbing risky online behavior.

As more companies allow employees to bring their own devices to work, they may be opening the door for cybercrime.

Based on its review of 2013 data from more than 50 million users of its Android mobile security software, Lookout expects cybercriminals this year to attack mobile devices as the weak link in heavily monitored enterprise networks.

"The borders that traditionally protected companies are now more porous because people are bringing their phones from homes to work every day," said Jeremy Linden, security product manager at Lookout, in a phone interview. "This allows attackers to get behind your firewall. We do think this sort of thing will become more prevalent in 2014."

Apple's iOS presents less of a concern than Google's Android in this regard, though malicious links and phishing are issues regardless of the mobile platform involved. Linden says that the iOS threat landscape differs significantly from what Android users face. "Apple's App Store is significantly more policed and there's significantly more review," he said. "And unlike Android, iOS users can't install apps from outside the App Store." (That is, unless they've jailbroken their iPhone.)

Lookout's findings indicate that the types of risks faced by mobile users vary across the globe. The most common threat, the company said, is adware, which is essentially advertising that violates mobile platform policies (e.g. harvesting personal information) and expected behavior (e.g. obtaining consent through deception or failing to seek consent).

Lookout says that adware is five times more common than malware on mobile devices. The company puts the average chance of encountering adware on a mobile device in the US at 25%, based on its 2013 data. Encounter rates elsewhere are similar: China 30%, France 31%, Germany 27%, Mexico 34%, Spain 30%, Russia 33%, and UK 23%. Japan and South Korea had significantly lower rates of adware: 9% and 15% respectively.

A second threat category, chargeware, is seen infrequently in the US. These apps, which engage in deceptive billing and often involve pornography, are only seen by about 5% of US mobile users. In Europe, where SMS-based payments are more widely used, chargeware is more common. Lookout puts encounter rates at 13% for France, 23% for Spain, and 20% for the UK.

The encounter rate for mobile malware is lower still. In the US, it's 4%. In China and Russia, the figures are much higher: 28% and 63% respectively. But the potential damage from malware -- theft of passwords and other important information -- can be considerable.

Lookout's report says that mobile risks can be mitigated by using common sense, like installing apps only from trusted marketplaces, not rooting your device, and using a mobile security app. Coming from a company that sells security apps, this perhaps is not a surprising recommendation.

The company also noted that user behavior is the best indicator of risk, having found that those with mobile malware on their phones are seven times more likely to download another malicious app. "The types of people who download shady material are likely to do it again," said Linden.

To strengthen your company's firewall, lay a solid foundation in the human resources department.
