The good news about mobile malware in 2015 is that growth has slowed down. The bad news is that the malware entering the market is more virulent than ever.
While there hasn't been a sharp rise in the volume of mobile malware this year, the increasingly malicious nature of the types of malware and attacks is alarming, Blue Coat Systems said last week in its 2015 Mobile Malware Report.
"Ransomware is getting more evil, more robust, similar to the evolution it followed on the desktop," said Chris Larsen, a senior malware researcher at Blue Coat.
For example, one ransomware strain resets the personal identification number on an Android phone. The ransomware can be foiled by resetting the phone to its factory settings, but in the process, the contents of the mobile will be lost.
The PIN reset malware appears to have been written by a cyberversion of the Gang Who Couldn't Shoot Straight. That's because it replaces a user's PIN with a random number that's unknown not only to the user but also to the extortionists.
Don't Live in Russia
While researchers find many new variants of mobile malware every day, the average mobile user isn't encountering them, Blue Coat reported.
"The standard advice is don't jailbreak or root your phone, get your apps from the Apple Store or Google Play, and don't live in China or Russia," Larsen told TechNewsWorld.
"And don't surf for porn," he added. "We've seen porn sites linked to a lot of ransomware."
Warnings to users about risky behaviors, though, often fall on deaf ears.
Phishing Knows No OS
"The challenge for security leaders is that no matter how much you train your staff about security, there always seems to be that one employee who downloads a porn app directly from an untrusted third-party website to their phone," said Ken Westin, a senior security analyst at Tripwire.
"To our horror, those individuals are then connecting their devices to the corporate WiFi or accessing corporate email and documents from that same infected phone," he said.
While more malware is being written for the Android platform than for Apple's iOS, the most effective attacks on mobile phone users remain agnostic, Blue Coat reported.
"Phishing scams don't care what kind of device they're on. Luring people with porn doesn't care what kind of device it's on," Larsen said.
"The device will affect what kind of payload a bad guy can do," he added, "but if you're just trying to scam information, the device doesn't matter."
Beware Wearables
A recent proof of concept by a security researcher described how a fitness band could be hacked to infect a personal computer with malware. Although only a theoretical exercise, it's one that should open the eyes and minds of IT departments everywhere.
"Enterprises have enough problems handling regular computing assets -- laptops and things like that -- from a cyberdefense perspective," said Ben Johnson, chief security strategist at Bit9 + Carbon Black.
"Now you start factoring in watches and other devices that everyone who walks off the street can have and it's going to be a nightmare," he told TechNewsWorld. "It increases the surface area for attacks tremendously."
A big driver behind acceptance of employee mobile devices in the workplace was productivity. That's not the case with wearables.
"The reason and benefit for allowing them is not as clear," Johnson said. "However, it's going to be hard for IT or the security team to inspect everyone's watch and see if it's a regular watch or a smartwatch."
Bring Your Own Tools
Even if organizations had the resources to monitor wearables, it's doubtful they would do so.
"They're not going to try to prevent you from wearing your special watch, your Fitbit or your heart monitor to work," Johnson said.
"I've had CISOs tell me, 'When I hire a carpenter to come to my house, I don't give him his tools. When I hire a programmer, I expect him to show up with what he needs to do his job,'" he added.
Moreover, because of the shortage of qualified technical personnel, "you're at the mercy of offering perks and allowing flexibility," Johnson said.
Owners may perceive their wearables as innocuous, but any device with wireless connectivity can be a threat.
A CEO taking a noontime run in the park, for example, could have his fitness band or heart-rate monitor infected by a fellow runner or someone lurking in the weeds with a laptop. When the CEO returns to the office, the infection can jump from the wearable to a device connected to the corporate network.
"There hasn't been proof that anything like that exists yet, but that's not far off," Johnson said.
Senate OKs CISA
The U.S. Senate last week approved and sent to the House the Cybersecurity Information Sharing Act on a vote of 74-21.
"The bill essentially allows for a loose interpretation of 'cyberthreat intelligence' and makes companies immune from prosecution by allowing them to share it with any government agency directly, including the NSA," said Justin Harvey, CSO of Fidelis Cybersecurity.
"This moves us back into an Edward Snowden situation where companies can collect metadata on citizens under the thin veil of collecting threat data and share it directly with the NSA," he added.
When passing the measure, the Senate rejected a number of amendments that opponents maintained would protect the privacy of individuals.
"By failing to require companies to remove all personally identifiable information prior to sending data to the government, today's vote in the Senate potentially exposes the online activity of millions of Americans to collection and storage, while doing little to protect us from hackers or other bad actors," said Virginia Sloan, president of The Constitution Project.
"It also opens the door to law enforcement and intelligence agencies obtaining without a warrant sensitive personal data ordinarily protected by the Fourth Amendment," she added.
One-Way Sharing Must End
The Senate's refusal to include privacy protections in the bill ultimately could sabotage it should it become law, maintained Seculert CEO Richard Greene.
"My concern is that until those issues are addressed, many in the private sector will choose not to participate, which will ultimately limit the effectiveness of the entire program," he said.
When the subject of sharing threat intelligence arises, two barriers commonly are cited. One, liability, is addressed in the Senate legislation. The other, willingness by secretive government agencies to share high-level intelligence with the private sector, is not.
"If the bill would open up unique threat intelligence to the private sector, then it's worth doing," said Chris Petersen, founder and CTO of LogRhythm.
"If the bill only allows for the private sector to share with the public sector, then it probably isn't worth doing," he told TechNewsWorld.
"The free market is doing a pretty good job now of sharing industry-to-industry threat intelligence. What isn't available is the unique intelligence held by the likes of the NSA, CIA and DOD," Petersen noted.
"If this bill would unlock that kind of intelligence so we can protect our critical infrastructure, there's a value in that," he continued.