It is often a battle of time in today’s digital economy. Businesses and employees are in need of full, real-time access to information and applications to stay ahead in today’s competitive environment. To address this, employees often turn to mobile devices to access corporate email, calendars, applications and data. However, this same flexibility comes with the challenges of protecting corporate data on devices, separating personal and corporate information, and preventing devices and apps from becoming another attack vector.
According to IDC, the world bought more than 1.4 billion smartphones in 2015, up 10 per cent from the 1.3 billion units sold in the previous year. With its global and extensive adoption, there is no doubt that smartphones are an increasingly attractive target for online criminals. For many users, their smartphones contain valuable personal information – a quick scan of social media apps, photo galleries and contacts will easily give an indication of the individual’s lifestyle or identity.
The introduction of mobile payments has further increased the stakes that mobile users face. In 2015, Apple launched its mobile payment service, Apple Pay, and it was also recently rolled out in Singapore in May 2016 to much fanfare. With both Samsung Pay and Android Pay leading the mobile payment trend, other mobile payment systems are likely to tap into this opportunity and take a slice of the digital wallet pie. The wealth of information now available on our smartphones makes them very attractive to criminals. As a result, criminals are investing in more sophisticated attacks that are effective at stealing valuable personal data or extorting money from victims.
Besides familiar tricks such as hiding malicious code inside ostensibly legitimate apps, or disguising it as something more useful, attackers are using more sophisticated techniques to make money from their victims. For instance, a cybercriminal could trick users into entering their banking credentials by popping up a fake login page on top of legitimate banking apps.
Although Android users remain the primary target, 2015 saw effective attacks on Apple devices as well, and iOS devices did not need to be jail-broken to be compromised. Apple maintains tight control over its app store and operating system, and threats to its products, including iPhones and iPads, have been infrequent and limited in scale.
However, drawn in by the increasing popularity of these products and the higher disposable income (on average) of their owners, cybercriminals will be increasingly likely to target them. It has been estimated that hundreds of iOS apps on the Apple App Store were infected, potentially affecting hundreds of thousands of users, particularly in China, where the WeChat app is especially popular. Unlike earlier iOS threats, this threat did not require a jail-broken iOS device, making it a new and rather worrying development in the mobile threat landscape.
Although more mobile devices are expected to come under growing attack over the next year, by implementing the right preventative measures and continuing to invest in security, businesses and consumers can safeguard against potential attacks.
Mobile devices should be treated like the small, powerful computers that they are and protected accordingly, using the following security tips:
Control what’s in your hands
- Always secure your access control, including biometrics where possible. Additional mobile security solutions, such as Symantec Mobility or Norton Mobile Security, can also help safeguard against malicious software. Enterprises should consider mobility management tools that can help secure and control mobile devices within an organisation.
Back up, back up, back up
- Plan for data loss prevention, such as on-device encryption. Most smartphones also come with remote find and wipe tools – enable these functions! In the event of a lost device, you can easily wipe your phone of any sensitive data, preventing your data from falling into the wrong hands. You should also back up your device and data regularly.
- Do not jailbreak devices and refrain from downloading apps from unfamiliar sites. Only use trusted app markets.
Stay alert!
- Be aware of what you are agreeing to, paying particular attention to the permissions requested by an app. Watch out for any suspicious emails or push notifications to your device asking for your credentials, or any other personally identifying information.
Peter Sparkes, Symantec Senior Director, Cyber Security Services for APJ