A decade ago, Windows machines were perceived as the target of all malware. Today, malware is a threat to all platforms. Rather than one popular operating system being inherently more secure than another, it seems malware increases in tandem with the OS’s use. The more popular it becomes, the more targeted it is, and the more vulnerabilities are found.
Today, our smartphones connect us with social media accounts, banking services, and retailers. The important question for a mobile device is not just whether its operating system is secure, but whether it has an effective security patching strategy for when (not if) the latest malware eludes a device’s safeguards. Even mobile and desktop operating systems designed with security first have had problems that called for this kind of effective update management.
Security in the mobile world
The mobile device market is dominated by two operating systems. Android owned 81.5 percent of the market in 2014, compared to 14.8 percent for iOS (not unlike the Windows and OS X situation of years ago).
However, only Apple can patch its mobile operating system the way desktop OS manufacturers patch security holes and shortcomings. Android’s openness is a strength, but also its greatest security weakness because Google doesn’t have the last say when distributing security updates and patches – the OEMs and service providers hold that power. In addition, controls that block the installation of unknown, third-party software are easily circumvented, providing an easy avenue of attack for cybercriminals.
Unsurprising then is our finding that the vast majority of mobile malware — 99 percent in fact — targets Android devices. The number of attacks and different kinds of mobile malware are growing at a staggering pace, and in 2014, the number of mobile malware attacks against Android more than quadrupled, affecting about one in five Android devices.
Most people aren’t aware that Google is virtually powerless to stop malware from compromising an Android device, unless the program comes through the Play Store. Only a small percentage of users are aware that mobile malware even exists and that they need protection software to defend against it. When you consider that mobile devices now often store critical information – credit card numbers, online banking logins, etc. – and are more vulnerable to a host of attacks, it’s critical to defend devices against malware.
Though we have battled malware on desktop operating systems for years, there’s still room for progress in some areas on mobile. Most users don’t get updates in time, or at all. Plus, users are installing unknown, third-party software left and right, but have no controls (e.g., security software) in place to detect malicious apps or activity.
Complicating matters are Apple’s controls for iOS. It’s true that software sources are more tightly controlled through the App Store, but protection software is banned, and it’s unclear how often iOS devices are compromised.
Moving toward better mobile security
Understanding the current threats to your mobile device is key. No matter what kind of mobile device you use, you must realize the importance of the data on it, and exercise commensurate caution when installing apps, opening URLs, or choosing whether to enable encryption.
If you are using an Android device, there is a significant chance (one in five, likely more) that you will be targeted by malware in the next year. This malware will likely try to steal financial information from your device, or abuse it in a way that hurts you financially. And it’s very likely that we’ll see even more ransomware – software that encrypts your files with an encryption key that will be revealed only after the payment of a ransom – being targeted at Android users.
To effectively protect a device from these threats, first pick an Android device whose updates are handled directly by Google, and make sure updates are installed when available. It’s also advantageous to block the downloading of third-party applications and install protection software that can ward off any malware.
If you are using an iOS device, you are likely safe — for now. If you install updates as soon as they are available, and avoid downloading and installing apps you don’t trust, there’s a very small chance you’ll be subject to malware attacks in the near future. But as iOS increases in market share, so will the number of potential malware attacks.
About the author
Michael Canavan is the Vice President, Sales Engineering, Kaspersky Lab North America. He is responsible for overseeing all pre-sales systems engineering activities in the region, including North America B2B sales product training, which includes a standardized onboarding initiative for the sales team as a whole, guiding senior sales management regarding technology and solutions, and acting as a solution evangelist for North America B2B sales both internally and externally. Michael brings more than a decade of engineering experience to his role. Prior to joining Kaspersky Lab in 2010, Michael held various roles at Trend Micro in Sales Engineering and Product Management.