Employee mobiles expose firms to attack, says Webroot

Employees' mobile devices expose companies to malicious applications and attacks, according to the latest mobile threat report from Webroot.

Employees using mobile devices expose company networks and data to malicious applications and attacks, according to the latest mobile threat report from Webroot.

As employees continue to use their own devices and personal applications for work purposes, more threats are introduced into the workplace, putting company networks at risk, the report said.

The report is based on analysis of more than 5.9 million mobile apps, 31,000 infections, nearly 125,000 lost device protection activations, and infection rates from millions of customers.

“Consumers are very trusting of mobile applications such as Facebook, Twitter and Angry Birds – they are apps they know and have used for some time. However, it is the thousands of unverified apps, often found on third-party markets or P2P networks, that put users at risk,” said Grayson Milbourne, security intelligence director at Webroot.

“The report shows that this line of thinking is dangerous. Poor app choices can lead to the compromise of an entire corporate network. The need to secure mobile devices will continue to grow as the discovery of new exploits and malicious apps increases – all driven by a clear focus on mobile platforms within the cybercrime community,” he said.

Webroot warns that the proliferation of mobile devices, particularly personal devices used in the work environment through BYOD schemes, can expose corporate networks to higher risk, and that the continued growth of the Android platform is of particular concern.

The latest Webroot research data indicates an almost fourfold increase in the volume of potentially threatening apps for Android in 2013, while a recent report from Strategy Analytics indicated Android powered 79% of all smartphones shipped during the same period.

“While allowing such devices to access company resources aids productivity, the increased potential for compromise opens up a risk vector which IT personnel must take into account,” said Milbourne.

The rise in potentially threatening mobile applications reinforces the need for IT managers and employees to be aware of mobile threats, he said.

Webroot researchers recorded a 384% increase in total threats to Android devices in 2013 and found that 42% of applications for Android were malicious, unwanted, or suspicious.

By comparison, 92% of applications for Apple iOS devices were rated as benign, 1% were considered to present a moderate threat and 7% were rated trustworthy.

“This is because iTunes has historically put applications through a rigorous vetting methodology, whereas third-party Android marketplaces, and to a certain extent Google Play, have not,” the report said.

However, the Appthority Winter 2014 App Reputation Report notes that even though Apple prohibits iOS developers from accessing user ID information, 26% of the top iOS apps still do this, up from just 6% in the past year.

According to Appthority, 95% of the top 200 free iOS and Android apps exhibit at least one risky behavior, with 70% allowing location tracking, 69% allowing access to social networks, 56% identifying users, and 31% enabling address books and contact lists to be read.

Gaming applications and entertainment updates are responsible for the highest rates of infection, Webroot researchers found, but the report notes that no category of app is entirely risk free.

The report said users and system administrators must be educated on the threats facing their enterprises, and the security solutions that can be put into place to defend against them.

“Further mobile security education will result in safer application usage, better security-related decisions, and ensure that the reliability and convenience of mobile devices is not compromised,” the report said.

Best practices to protect mobile devices include:

  • Installing applications only from trusted sources such as Google Play and iTunes.
  • Paying very close attention to permission requests from new app installations.
  • Using lock screen facilities for both corporate-owned and personal devices.
  • Using 8-digit PINs rather than swipe locks or 4-digit PINs.
  • Using a mobile device security app.
