malware protection

While a great convenience, mobile devices can be a great danger to your business. 

David Page, SecurityMetrics
By: David Page
Phones in the office are threatening your business and you may not even realize it.

Whether used as a POS device, storing and accessing sensitive data, or even making calls, mobile devices are being used more frequently in the office space. Here are some reasons why:
  • More convenient: Filling out information on a tablet is often easier to do than filling out paperwork. It also frees up space for paper work. 
  • Less expensive: a mobile device will cost much less than a POS device. A company can save even more by implementing a BYOD policy. 
  • More . . . mobile: this may sound obvious, but carrying around a mobile device is much easier than taking a computer everywhere. It gives you quick access to information right away. 
malware protection
To many companies, the rise of mobile devices is a great thing. Business can be done quicker, more efficiently, and with less paperwork.

But there’s also a downside to mobile devices, and that’s malware. Hackers are constantly working to steal data from mobile phones and tablets. You’ve probably seen examples of these attacks in the news. And the attacks are becoming more and more common. Malware attacks aimed at Android have increased over 76% in the past few months.

SEE ALSO: Is Your Business Infected? Malware Trends of 2016

Why are mobile devices so dangerous? 

Mobile devices in general aren’t as secure as computers. The same security measures that companies use for workstations and servers usually aren’t in place for mobile devices. Because of this, mobile devices may not be protected by things like firewalls, encryption, or antivirus software.

SEE ALSO: Top 5 Security Vulnerabilities Every Business Should Know

Yet more employees are using mobile devices to gain access to sensitive information. This puts their company more at risk for data theft.

How does mobile malware affect businesses?

Most businesses have corporate resources available from employee devices. Should any of these devices be compromised by malware, sensitive information could be captured.

A lot of the risk depends on how your mobile environment is set up and how your employees can access sensitive data.  Unless you have policies and controls in place regarding mobile devices, your employees are probably accessing sensitive information from their mobile devices, information that can be stolen by malware.

SEE ALSO: Stop Looking for a Mobile Security Standard

But how does the malware get on your phone?  Here are 5 ways your mobile device can get malware.

1. Downloading malicious apps 

The most common method hackers use to spread malware is through apps and downloads.

The apps you get at an official app store are usually safe, but apps that are “pirated,” or come from less legitimate sources often also contain malware. These are apps that appear to be legitimate, but instead contain spyware or other types of malware.

Occasionally an app with malware will make it through to an official app store. One recent example is InstaAgent, an app that stole Instagram user credentials and sent them to a third-party server without the knowledge of the user. These apps are usually discovered and taken care of quickly, but they illustrate what can happen.

Sometimes developers will use pirated development tools, which have been compromised. Everything developed using these tools will then contain malicious code, which may steal sensitive data or damage the mobile device.

SEE ALSO: Code Reviews: A Method to Reveal Costly Mistakes

Be choosy when downloading apps, and download only from reputable app stores. That usually prevents you from coming across malware-infected apps.

2. Using a mobile device with operating system vulnerabilities

Often the mobile device itself may have vulnerabilities that hackers can exploit. Usually these vulnerabilities are discovered fairly quickly and patched up, but if you’re not regularly updating the software on your phone, your device will be vulnerable.

It’s critical to keep your mobile device up to date just like any other computer, or hackers can exploit those discovered vulnerabilities.

3. Opening suspicious emails

More employees are using their phones to look at and answer corporate email, which is a way hackers can install malware on your phone.

Here’s an example: you receive an email that says you’ve won something (a tablet, a vacation, etc). You open the email and click on the link, and nothing happens, or you’ve been taken to a dummy site. But malware was downloaded and installed on your phone. The data on your phone may now be exposed to that hacker.

Just like on your computer, avoid opening suspicious emails on your phone.

SEE ALSO: 7 Ways to Recognize a Phishing Email 

4. Using Insecure Wi-Fi/URLs

mobile malwareIf you’re accessing insecure websites, you run the risk of exposing sensitive data transmitted from your device.  You’re also more susceptible to man-in-the-middle attacks, and being exposed to malware. Avoid using insecure websites and Wi-Fi networks, and consider using antivirus protection and a VPN on your phone to secure Wi-Fi communication.

The browser itself on your phone could also be a source of vulnerabilities. This can lead to web browser attacks. Attacks like these are more common on android devices. Make sure you have the most current version of whatever browser you use.

5. Receiving text message/voicemail phishing

You may get a text message or a voicemail from what appears to be a legitimate source asking for personal information either about you or your device.

Hackers often use this information to steal whatever data they can, including social security numbers, credit card data, etc. They may even be able to use it to make a targeted attack to install malware on your phone.

Whenever you get a text like this, call the company on their legitimate phone and verify with them. Never give out sensitive information through a text.

Tips to secure your mobile device

The good news is while your mobile device may be at risk for being infected by malware, there are some easy things you can do to avoid it. Here are some ways to keep your device secure:
  • Don’t jailbreak your device: Jailbreaking your device removes a lot of its built-in security. While this may let you do more with your device, it also leaves it more vulnerable to attacks.  
  • Use a VPN: A virtual private network is a secure “tunnel” that lets you access and share information securely over public Wi-Fi networks. 
  • Download apps only from reputable sources: Unofficial app stores are more likely to be sources of malware-infected apps. 
  • Encrypt your data: If you have sensitive data on your mobile device, make sure it’s encrypted. It will then remain secure, even if malware steals it. 
  • Do mobile vulnerability scanning: You can’t prevent what you don’t know about. Use a vulnerability scanner like MobileScan for your mobile device. 
  • Update software and hardware: Companies often release updates on mobile devices that address potential vulnerabilities. 
  • Train employees: Your employees should know about malware and taking the right measures to avoid it. Include mobile device security in your training
  • Have mobile device policies in place: Whether your company owns the devices, or your employees use their own, you need to have security policies set up that address the use of mobile devices. 
When it comes to data security, you need to treat mobile devices the same way you treat servers and other computers. Hackers are constantly finding new ways to steal information from mobile devices.
If you aren’t securing your mobile devices, your company’s sensitive data could be at risk.
Even though mobile devices can be hard to fit into a traditional network or data security model, they need to be considered. It's critical to include them in your information security planning!

David Page is a Qualified Security Assessor and has been with SecurityMetrics for 2 and a half years. He has over 18 years experience in network and system engineering, design, and security.

data security learning center, SecurityMetrics