Mobile devices are generally considered to be developing the 'perfect storm' for corporate security: the simultaneous coming together of severe activity on multiple fronts. What isn't known, or at least not agreed, is when this storm will break – but it certainly could be during 2014. There are, however, a few dissenting voices: Sean Sullivan, security advisor at F-Secure, specifically says that it is impossible to predict the future of mobile malware. "I can predict that it won’t mirror Windows malware in 2014. It’s a different animal."
Geoff Webb, director of solution strategy at NetIQ, believes 2014 will just be more of the same, with malware authors hiding their payload within friendly utilities and games. "Once installed, malware on devices will continue to focus on the things the device has access to, like online accounts and data, rather than anything on the device itself."
These, however, are not mainstream views. The storm that is brewing comes from the collision of multiple fronts: the ubiquity of the devices (criminals follow the numbers), the growth of M-commerce (criminals follow the money), the maturity of the malware (criminals are getting better at it), and the nature of the users (who tend to be young social animals with a deep and trusting love for their devices).
In sequence, nearly everybody has at least one mobile device – and it's probably within arm's reach right now. Each one of those mobile devices contains multiple apps, and each app is a potential entry point for the criminals. "With consumer and enterprise mobile app revenues growing to over $60 billion by 2016, mobile applications already are and will continue to be an increasingly attractive target for cybercriminals," notes Mike Dager, CEO of Arxan Technologies. "With the growth in smartphone and tablet usage, it is becoming increasingly worthwhile for malware authors to target the most popular applications knowing that their potential audience of targets may number in the hundreds of millions," explains Giri Sreenivas, VP and GM of Mobile at Rapid7.
Of particular interest to the criminals is the growth of M-commerce and personal banking via mobile devices. "As M-commerce moves ever more mainstream (such as NFC payments on London buses as an example)," explains Greg Day, EMEA CTO at FireEye, "expect to see a new wave of cybercrime focus around M-commerce starting to underpin the cybercrime market." He goes further: "In the next 3 to 5 years the credit and debit card will be replaced by M-commerce," but he wonders if users yet understand the threats that will come with it.
"Everybody and their brother is pushing a form of mobile payment," warns Paco Hope, principal consultant at Cigital. "Technologies like NFC, SMS, bluetooth, QR-codes, and so on are all figuring into various forms of mobile payment. There will be mistakes, mainly implementation bugs, as these things are rushed to market. Somebody is going to lose a fair bit of money when their mobile payment system is exploited by some non-mobile malware."
Key to the successful use of mobile devices in any financial transaction will be user authentication. But "today many [users] struggle with the simple aspects of password management: How many smart phones have no password today?", asks Day. Catherine Pearce, security consultant at Neohapsis, believes the device manufacturers may help through building biometric authentication into the device itself. It has already started, of course, with Apple's TouchID. " Apple may unlock it's TouchID verification for third party apps," she predicts. "While it seems unlikely that the raw data read will be unlocked (at least for non-jailbroken devices) there could be big benefits in allowing the use of a simple yes/no to verify users." Other biometric approaches might follow with other devices. "Due to the increasing power of mobile cameras we will see the first attempt at the use of iris verification in mobile devices." But she adds, "Only time will tell if it's any good and doesn't fall to standard attacks, such as a photograph of the eye."
One common perception (F-Secure's Sullivan apart) is that mobile malware is following in the footsteps of mainstream PC malware in both its methods and its targets. We are already, for example, seeing the construction of mobile device botnets. In 2014, there "is likely to be increased numbers of mobile devices within botnets as a percentage of the total number of zombie hosts," warns John Yeo, EMEA director at Trustwave. "Mobile botnets will be sold and bought and will also be used to distribute malicious attachments on behalf of third parties," suggests Alexander Gostev, chief security expert at Kaspersky Lab. The criminals "will continue to press ahead with the construction of smartphone botnets," confirms Eddy Willems, security evangelist at G Data.
Put simply, the mobile target is changing. "Premium rate SMS fraud will be in decline," says Willems. "G Data assumes that incidents of fraud involving expensive premium rate SMS messages will decline next year." Sreenivas predicts "we will see an increase in malware that targets data contained by specific apps on mobile devices." And a common perception of one way this will happen is through the evolution of mobile device ransomware.
Malware has "kept up a steady migration to the mobile space," explains Neil Cook, CTO at Cloudmark, "with ransomware set to be a logical next step in the future. In its simplest form, ransomware could simply copy sensitive information from the phone to blackmail users. Eventually, however, encryption is going to be brought to the table. Similar to the recent outbreak of CryptoLocker, mobile ransomware will eventually force victims to pay up or face losing the contents of their phone – contents locked away behind layers of encryption."
In 2014, warns Gostev, "ransomware begins to target mobile devices. Having begun many years ago with the Gpcode Trojan, malicious ransomware has developed into two main types: trojans that block the computer’s operation and demand money to unblock it; and trojans that encrypt the data on the computer and require even bigger sums to decrypt it. In 2014," he continues, "we can expect cybercriminals to take another logical step in the development of these types of trojan programs and turn their attention to mobile devices. Android-based devices will no doubt be the first to be targeted. Encryption of user data on smartphones – photos, contacts, correspondence – is easy if the trojan has administrator rights, and distributing such programs (including via official stores like Google Play) is not difficult."
More generally, "We expect to see continued development in mobile from a malware perspective, especially with an increase in campaigns to harvest user data," suggests Ramece Cave, research analyst at Solutionary. "There is no shortage of buyers for this type of information for advertising purposes and/or user targeting."
The fourth front of this perfect storm is the user. "It's been said many times but humans are the weakest link," explains Charles Sweeney, CEO at Bloxx, "and for mobile malware, they are also potentially the most lucrative." The main reason is that while PC users have learned to distrust their computers, mobile users have not yet learned to distrust their phones. "People (generally) trust those they sleep with," says Kevin Haley, director at Symantec Security Response, "so it should not be surprising that with 48% of people sleeping with their smart phones, they are lulled into a (false) sense of security about them. In 2013, we reported on a mobile app that would secure additional 'likes' for your postings on Instagram. All you had to do was hand over your login and password to some guy in Russia. More than 100,000 people saw nothing wrong with that. We trust our mobile devices and the wonderful apps that run on them to make our lives better. We suspend disbelief for that device that sits in our pocket, purse or nightstand. The bad guys are going to take advantage of this big time in 2014."
"The personal esteem in which we all hold our mobile devices," continues Sweeney, "will mean that hackers can rely on good old social engineering in order to get access to the personal details, confidential data and passwords that they so desire. With shopping and banking application use so widespread this is a real cause for concern for consumers, but businesses will also worry about how robust their mobile security policies are." Malware won't even need to be that sophisticated in order to create havoc, he adds.
These are the four primary elements conspiring to unleash the perfect storm on the mobile arena. But as with all storms there are additional eddies. Catherine Pearce expects to see a reduction in the theft of iPhones "as Apple's iOS 7 re-activation restrictions (where the previous owner has to authorize a device or it can’t be used) begin to affect the ability of thieves to convert stolen phones to cash. This will have some other effects though, for example the cost of used iPhones will rise, we will see an increase in attacks on iTunes accounts, and there will be concerted efforts made to bypass these restrictions."
Seth Goldhammer, director of product management at LogRhythm, sees new opportunities for malware writers in the emerging mobile OS wars. "While Android has dominated the mobile operating space, we are seeing growing demand for Microsoft, as well as other open source platforms such as Tizen, Mozilla’s Boot-to-Gecko (B2G) and Ubuntu, which will eat away at Android’s market share. This new wave of OS platform wars will call for rapid development, creating vulnerabilities in the OS as well as applications which will need to be ported across the different operating systems, leaving plenty for hackers to go after.”
Whatever way you look at things, BYOD is an increasing rather than decreasing threat to the enterprise. The term has been overused in 2013, and many companies have begun to consider it to be little more than hype. 2014 may well prove to be the year that the industry's warnings come home to roost. The problem is that it is a new threat and requires new thinking. "Bolting on old world thinking to these devices will fail," warns Garry Sidaway, global director of security strategy at NTT Com Security, "and we have to address the problem in a different way and assume that the device is untrusted. Our thinking has to be how can we layer on trusted applications onto an untrusted device."