50 Shades of Mobile Malware? Reduce the Risk and Practice Safe BYOD!


By David Abbou - Feb-26-2015

It’s amazing how fast mobile technology has become intertwined with both our personal and business lives. For BYOD users, their mobile device has fast become a one-stop shop for both work and play. In a world where there’s always “an app for that”, BYOD users are increasingly interacting with both work and personal apps on their smartphones. There’s really not much you couldn’t find out about many mobile users if you could peek into their browsing history or the apps they like to play with. But the virtual playground is one we also share with cyberattackers.

Take love and dating, for example. Mobile users turn to dating apps like Tinder, OKCupid and POF in their pursuit of romance. But love in the mobile world is just about as risky as in the real world, only worse – you could infect your boss – or your company’s data, to be precise! An IBM study of 41 popular Android dating apps revealed that more than 60 percent have medium- to high-severity vulnerabilities that leave them open to cyberattacks.

Of the apps examined, 73 percent obtain access to the device’s current and historical GPS location. Cybercriminals can exploit this data to identify the user’s home and work information and other preferred destinations. Other vulnerabilities surrender control of the device’s camera and microphone, even when the user is no longer logged into the app, and expose storage and billing details to lurking cybercriminals. Once these vulnerabilities are leveraged to compromise device security, intruders can hack into the corporate network and steal sensitive information.

These threats of course extend beyond apps and can be added to the pile of mobile malware that comes from users surfing vulnerable dating sites. But let’s not forget the sexiest threat gaining prominence right now – ransomware. Spread through e-mail attachments and infected web sites and programs, this type of malware encrypts the victim’s data and demands some type of payment for the decryption key. Typically, ransomware manifests itself in one of two ways. The first is locking your screen entirely and displaying a full-screen message demanding the ransom amount. The second involves locking files such as documents and spreadsheets on the device with a password. Imagine the damage and chaos this could wreak on employees and their colleagues collaborating on important documents, in addition to the risk of losing sensitive corporate data.

And you don’t necessarily need to be surfing one of those naughty sites to fall prey to this trap. In fact, a lot of ransomware plants indecent material on your device with the aim of scaring you into paying rather than having to explain the embarrassing material found on your device.

So how can organizations and users practice safer BYOD?

Educate your users

You can’t stop what you don’t know. Your IT department needs to be in regular contact with HR and Communications. As they compile more knowledge on the latest malware and app security risks, practical security practices need to be delivered to all BYOD users. This isn’t a one-off event; it’s about creating a more educated workforce that’s better equipped for the new BYOD world. Like other major strategic organizational objectives, a security-conscious mobile workforce should be made a priority and be incorporated into your organization’s orientation and employee communications programs. This is a long-term investment that will help your organization reduce and mitigate mobile security risks. More employees will exercise caution if they are attuned to the dangers inherent in many consumer apps and understand why they should only download from authorized app stores.

Keep Corporate and Personal Data Separate

The more invested businesses of all sizes become in BYOD, the more important keeping corporate and personal data separate becomes for your organization’s security. That’s because the mobile app market – be it consumer or enterprise – is going to continue to grow at a prolific rate, and the security risks both old and new are sure to keep coming. App wrapping and other containerization methods can only take mobile security so far because the encryption keys that hackers seek are located on the device. Newer security approaches like Virtual Mobile Infrastructure have emerged that let organizations keep and control their enterprise apps and data on a remote and secured mobile platform. The apps are transferred to devices as a display using a single thin client app and deliver a native mobile user experience on both Android and iOS devices. No matter what your employees are downloading and what malware they may be attracting on their smartphones or tablets, their personal and enterprise apps will not be mixing and mingling in the same location. Which means IT can sleep a whole lot easier knowing their apps are away and safe from the never-ending stream of mobile device and application threats.