Mobile Security Poses Threats and Opportunities

With some two-thirds of adults using the Internet to access personal and business information on the go, cyber criminals are finding mobile devices an increasingly attractive target.

As more people store things of value – whether it be passwords, corporate secrets, or money – on their mobile devices, the darker side of cyberspace is finding its way onto phones. The viruses, Trojan horses, botnets and phishing that plague the PC world are now becoming commonplace on mobile devices. The problem is aggravated by the fact that mobile networks and Wi-Fi are more vulnerable than fixed-line networks to hacking. And wireless devices are by definition mobile, making them susceptible to loss and theft. (A 2012 Norton Cybercrime report found that 35% of people have had a mobile device lost or stolen.)

Today only one in 20 smartphones has any kind of security software, but experts predict it won’t be long before those who use their Android phone, iPhone, tablet or other mobile device without some anti-virus protection will be the exception rather than the rule.

Such threats open opportunities for both existing and new businesses. Big names in computer anti-virus software such as McAfee, Symantec’s Norton AntiVirus and Avast are targeting the sector. Symantec, for example, released a new version of Norton Mobile Security in November, which scans the phone for malware, heads off potentially dangerous apps, can use GPS to locate a lost phone, and has an alarm function that screeches when activated. The various services also generally back up data on the phone, including contact lists, text messages and media such as audio and video files. Meanwhile, start-ups such as Lookout, Prey and Zenprise (see box), which focus exclusively on securing mobile devices, are attracting tens of millions of dollars in investment from top-tier Silicon Valley and European venture capital firms. Expect these companies to be flogging their wares on February 25-28 at Mobile World Congress in Barcelona; MWC is an annual industry gathering that is expected to attract 70,000 visitors this year. (Lookout is a finalist for the GSMA’s annual Global Mobile Award in the category of best mobile safeguard & security products and services. The winner will be announced at the show.)

“Mobile devices aren’t secured in the same way as a computer and that makes them an appealing target,” says Louis Marinos, a senior expert on risk management at the European Network and Information Security Agency (ENISA). “A hacker might not attack a mobile device for what is on that device, but rather as a way to get access to a PC or maybe the credentials to log into cloud services.”

The proliferation of cloud computing has in fact created a new challenge for companies as they confront mobile security. “Part of the problem is the mobile device, part of the problem is the cloud,” says former Cisco executive Mike Volpi, a San Francisco-based partner at Index Ventures, an investor in mobile security start-up Lookout. “A lot of mobile devices are just a gateway to the cloud so in part you’re protecting what’s on the device, but at the same time you are also managing the access privileges.”

While the smartphone market and the threats are expanding quickly, almost half of the 13,000 people surveyed in 24 countries for the 2012 Norton Cybercrime report said they did not know that security solutions are available for mobile devices.

While consumers are largely unaware of the threat, corporations have begun scrambling to protect their devices as well as employees’ personal devices, which are increasingly used to access corporate data, a trend known in the industry as bring your own device (BYOD).

“Once upon a time the only thing people brought into work was a feature phone or a normal mobile phone,” says Volpi. “Now it’s BYOD – iPad, smartphone and even laptops and on those devices there’s a mix of personal and corporate assets that enterprises are struggling to figure out how to protect. This is a big-time priority in 2013 and for companies it is one of the top three issues facing CIOs [chief information officers].”

A recent report from ENISA lists mobile computing as a key emerging threat. The ENISA report found that the most pervasive threat for cyber security in general and mobile devices in particular is so-called drive-by exploits in which people unwittingly download a virus or other malware (see chart for the full list).

What’s more, notes the Norton report: almost a third of people have received a text message from someone they didn’t know requesting that they click on an embedded link or dial an unknown number to retrieve a “voicemail.”

Though Google’s introduction of Google Bouncer has had some success in protecting Android devices, the operating system is the most targeted by hackers both because it is the most used and because it is open source. About two-thirds of all threats are targeted at Android, with almost a third directed at Symbian, according to an F-Secure Mobile Threat Report for the third quarter of 2012. The small number of remaining threats is about equally split between Windows Mobile, BlackBerry, iOS and Java.

Mobile phone operators are reacting by offering security as a differentiating factor and have begun preloading anti-virus software on their devices. Late last year T-Mobile and Orange said their Android phones will come preloaded with start-up Lookout’s app-scanning software. Verizon also late last year started offering security features to its customers.

More operators are expected to bundle security software in their offerings. Volpi says there is space for the operators to collaborate with the likes of Lookout by sharing data that can help track down hackers.

“If we see, for example, that a particular area — say Russia or Germany — has a virus that is spreading then we can communicate with operators to let them know it is happening and then they can take preventive measures,” says Volpi.

Trouble is, cyberhackers know no borders, making them difficult to catch. And as soon as one patch is invented, they seem to find other holes to exploit. Despite the best efforts of security companies and operators, the cat and mouse game with cyber criminals is likely to continue on mobile phones for some time to come.