BYOD: Your worst security nightmare?


For all of their promised benefits, Bring-Your-Own-Device programs may be your greatest security risks. And while malware gets most of the public attention when it comes to cyber nasties, it is in fact adware that poses a greater threat to users. Adware can quietly and secretly steal sensitive data and information without a user's knowledge or consent.

Those are among the conclusions of Jeremy Linden, a mobile security expert with Lookout. Linden spoke with FierceCIO recently about the firm's "Mobile Threat Specialization: Security Risk Report." The report reveals that cyber threats have become more sophisticated to match and monetize market opportunities around the globe.

Lookout collects cyber threat data from web crawlers, industry partners and devices in the field, Linden explains. The company breaks down threat data by region, as well as what type of behavior puts consumers at the greatest risk. In relation to the firm's research report, it also published a blog explaining highlights of the study, and what they mean to information security professionals.

As noted in an email to FierceCIO by Lookout's blog author John Gamble, "2013 was a year of changes in the world of mobile malware. Mobile threat campaigns became increasingly targeted, as criminals that operate them adapted their practices to maximize profit and operate in a less detectable way. In places where regulation is tough, they identified different ways to operate, often dropping more traditional monetization strategies, like premium rate SMS fraud, and leveraging 'grey area' tactics that are actually legal."

Lookout notes that after years of iterating and incrementally changing codes and tactics, certain specific patterns of mobile threats have emerged in recent months. For one thing, in order to keep ahead of law enforcement and security companies, cyber criminals are learning to specialize, Gamble reveals. Part of this specialization is driven by local market conditions.

"Regulation varies from country to country. A criminal enterprise which might be highly profitable while difficult to prosecute in our part of the world is often explicitly forbidden and therefore easy to prosecute in another," Gamble says. "This variation forces malware developers to evolve, adapting to their particular marketplace in a similar manner to the way special animals adapt to their environment in order to survive."

The research report cites the example of "chargeware"--which is often built on the back of legal premium services. Chargeware is a particular problem in western Europe, the report explains.

"Chargeware is typically comprised of racy porn subscription apps that are intentionally very unclear about how they charge users," Lookout explains. "As a result, people often unknowingly run up huge fees or find themselves locked into services that are difficult to escape."

In contrast, adware is made up of aggressive, frequently malicious advertising SDKs, Linden explains. They can be bundled into ordinary apps, and developers are often paid to include them into their coding efforts.

Users are five times more likely to be attacked by adware then malware, Linden says, although to the victim, the distinction is often lost.

The Lookout research paid special attention to security threats from mobile computing, and Linden says the most important factor in an organization's vulnerability is user behavior. For example, if an employee engages in risky behavior once, they have a high probability of doing so again. This makes security education a critical part of an organization's defensive strategy.

As examples, the report cites the following statistics of repeat security threat activities:

  • If you've encountered adware once, you're twice as likely to download an app riddled with adware a second time;
  • Having a malware Trojan on your phone means you're seven times more likely to download another app with a Trojan;
  • A device with chargeware more than doubles your risk of encountering a Trojan in a different app you download; and
  • Your risk of downloading a Trojan triples if you're already downloaded a root enabler.

In conclusion, Lookout noted that as more organizations adopt BYOD programs, mobile devices will continue to be a favorite target of cyber criminals.

"As BYOD becomes more commonplace, rather than attacking traditional, heavily monitored network services, criminals will evolve once again using mobile devices as an easy way to get into the enterprise and access valuable data," Gamble says.

Related Articles:
DDoS attacks: Perfected by hacktivists, preferred by cybercriminals [FierceITSecurity]
Data breach could cost you up to one-third of customers
Cybercrininals offered new Porsche, Ferrari for best cyber-attack