The key finding of the report is that mobile malware remains primarily 'mischiefware'; that is, the criminals “have not yet broken the devices' security model but are instead more focused on for-pay texting scams or stealing personal information.”
Chris Pace, the Blue Coat's director, product and solutions marketing, told Infosecurity that the criminals are likely following a line of least resistance, using a methodology already tried and tested on PC users. Users are lured to a malicious website via social networking messages or emails. Once there, they are tempted to download the infected app. As it happens, pornography sites are three times more likely to serve mobile malware than other site categories; but the methodology is similar for the majority of malicious sites. This is all that the criminals need to do in order to make money from mobile users; and more sophisticated spyware and financial malware -- although it does exist -- is not really necessary.
Pace believes that there are several reasons for the continuing success of mischiefware in the mobile market, including both the nature of the device and the nature of the user. “Smartphones and tablets are still relatively new,” he explained, “and the security model is still subservient to use.” An example he gives is the obscured link. On PCs, users have learnt to check the obscured destination by hovering the cursor over the link. Mobile users cannot do this, and are consequently more likely to be deceived.
But he also suggests that the nature of use is a contributory factor. PC users are more settled while using the computer; mobile users are usually in motion - going somewhere and doing something different. Concentration is lower, and deceit consequently easier.
Blue Coat believes that business must be aware of the differences between PC and mobile use, and the different attitudes between PC users and mobile users. All users, it warns, “will tend to go with the application that provides the best user experience even if it is not the most secure option.” So, faced with transferring a large file from PC to mobile but restricted by a company-set size limitation, “the employee could upload the file to Box.com and just send out a link. This option is not necessarily the most secure and might even violate compliance to relevant regulations.”
By not paying attention to the mobile user experience, warns Blue Coat, “organizations can inadvertently create security gaps.”