Mal-Innovation on Mobile: A Changing Threat Landscape

If you have a phone, you’re a target. That’s the underlying message of the 3rd Annual Verizon Mobile Security Index, which sheds light on key challenges and industry innovations surrounding mobile security.

Perhaps most notably, almost 40% of organizations surveyed said they had experienced a mobile-related compromise, with 67% of those that suffered a compromise reporting that the impact was major, and 37% noting it was difficult and expensive to remediate.

It’s clear that mobile is the new frontier for attacks and organizations are feeling the effects and taking a hit. While organizations acknowledge mobile security is a concern, they can’t seem to keep pace with attackers, with 45% of companies admitting that their defenses were falling behind attackers’ capabilities.

When it comes to enterprise mobile security, innovation is the biggest hurdle to overcome: that is, innovation on the hackers’ part, or mal-innovation.

According to a recent Wandera report, Understanding the Key Trends in Mobile Enterprise Security in 2020, 36.5% of all organizations have experienced a malware incident on a mobile device, a 142% increase from 2018. A surge like this speaks to either attackers’ ingenuity or organizations’ naiveté, and the hope is that it's not the latter.

The bottom line is this: attackers go where users are, so if users are favoring mobile devices over laptops, it only follows that attackers will target smartphone users. Often these devices contain equally valuable data, yet security is much more of an afterthought.

Unfortunately for both users and businesses, malware isn’t the only concern, and when it comes to mobile, there are plenty of phish (sic) in the sea. In fact, last year, 57% of organizations experienced a mobile phishing incident, with 60% of mobile phishing attacks occurring over HTTPS. So if you think that little lock in your browser indicates you’re secure, think again.

So what can organizations and individuals do to improve mobile security given continued innovation on the adversaries’ part?

First things first, they need to nail down the basics. As if attacker innovation didn’t present enough risk to enterprises, poor mobile security hygiene still reigns supreme, with individuals often prizing convenience over security.

A prime example? In 2019, the number of jailbroken iOS devices increased by 50%, while the number of rooted Android devices increased by 20%. The primary reason users jailbreak their devices is to bypass limitations set by Apple and Google and install applications, extensions, and other software not authorized by Apple's App Store or the Google Play Store.

It goes without saying that this carries inherent risk, so the upward trend of jailbroken/rooted devices speaks to misplaced priorities and continued security hygiene concerns.

Beyond improving mobile security hygiene, enterprises need to take proactive measures to protect their entire mobile fleet from malware, phishing, and other mal-innovation. The key is to deploy security solutions that continuously monitor for suspicious application behavior and characteristics present on the device while also monitoring for command-and-control communication and data exfiltration at the network level.

Most endpoint security solutions allow for basic man-in-the-middle (MitM) detection by identifying rogue hotspots and suspected MitM activity. However, network-based detection can go a step further by monitoring network transmissions for unencrypted data transfers (data leaks).

A network-based policy engine can do even more by blocking data exposures on unsafe networks, enhancing user privacy while also guaranteeing the confidentiality of sensitive data as it is communicated across the network. What’s more, an additional layer of encryption, such as a VPN or encrypted DNS, can help keep user data private and secure from online profiling and theft.
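The leak detection and policy decision described in the two paragraphs above, sketched as an added example (not code from the article or from any vendor it mentions). The flow records, the "unsafe"/"trusted" network labels, the sensitive field names and the block/alert/allow actions are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names that indicate sensitive data (illustrative only).
SENSITIVE_KEYS = {"password", "passwd", "username", "email", "token"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)

def leaked_fields(url, body=""):
    """Names of sensitive parameters a network observer could read."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return []  # encrypted in transit: the payload is not exposed on the wire
    pairs = parse_qsl(parts.query) + parse_qsl(body)
    return sorted({k.lower() for k, v in pairs
                   if k.lower() in SENSITIVE_KEYS or EMAIL_RE.fullmatch(v)})

def decide(flow):
    """Policy: block a leak on an unsafe network, alert on a trusted one."""
    leaks = leaked_fields(flow["url"], flow.get("body", ""))
    if not leaks:
        return "allow", leaks
    return ("block" if flow["network"] == "unsafe" else "alert"), leaks

def evaluate(flows):
    """Apply the policy to each flow; returns (device, action, leaked fields)."""
    return [(f["device"],) + decide(f) for f in flows]

# Constructed sample flows, as a network-level sensor might record them.
FLOWS = [
    {"device": "phone-01", "network": "unsafe",
     "url": "http://api.example.test/login",
     "body": "username=alice&password=hunter2"},
    {"device": "phone-02", "network": "trusted",
     "url": "http://tracker.example.test/p?contact=bob%40example.test&v=2"},
    {"device": "phone-03", "network": "unsafe",
     "url": "https://bank.example.test/login", "body": "password=x"},
    {"device": "phone-04", "network": "unsafe",
     "url": "http://news.example.test/?page=2"},
]

if __name__ == "__main__":
    for device, action, leaks in evaluate(FLOWS):
        print(f"{device}: {action} {leaks}")
```

The check only covers cleartext exposure; it says nothing about whether an HTTPS destination is itself trustworthy, which is the phishing problem raised earlier in the article.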

The time for change is now. Beyond the reputational impact of a breach, organizations are grappling with potential financial repercussions, with 29% saying they’d suffered a regulatory penalty as a result of a mobile-related security compromise in 2019. As attackers innovate with new vectors and techniques, so too must enterprises look for new ways to secure the mobile enterprise.
