Security Central: Mobile Malware Is Here — Are Your Clients Ready?
There is no question that the mobile age has arrived and is here to stay, and a new report from McAfee this week confirms that with it comes a robust market for criminals around mobile malware. In fact, the report is speculating this will be “the year of mobile malware.” What does that mean for MSSPs?
First, let’s break down some of the findings.
McAfee Labs detected more than 16 million mobile malware infestations in the third quarter of 2017 alone, nearly doubling the number seen a year earlier.
The report notes that mobile malware is expected to be a billion-dollar industry for criminals beyond 2020, a trend that also means the mobile-security market is one MSSPs must be paying attention to now.
“In the current threat landscape, a full-fledged campaign exploiting ad-click fraud or pay-per-download scam (a market valued around $40 billion in 2018) or a prevalent banking Trojan could potentially bring in revenue of $1-2 million,” the report states.
The report also notes that older attack vectors once seen on mobile, such as premium text messages and toll fraud, have been replaced by botnet ad fraud, pay-per-download distribution scams, and cryptomining malware. Cryptocurrency malware and banking Trojans also increased in prevalence in the last year.
While iOS certainly isn’t immune to mobile malware, the majority of threats are still found in the Google Play store and are designed to target Android devices. The number of threat families found in Google Play increased by 30 percent in the last year, the report says.
Financial Services Hit Hard
With mobile banking an integral part of life for many smartphone owners, 2017 saw an increase in malicious banking Trojans, such as the Android/Marcher malware, that take advantage of the auto-install vulnerabilities in the Android platform. It victimized millions of Google Play users by impersonating legitimate apps for video players, Flash players, games and system utilities, according to the research.
“We have also seen mobile banking Trojans delivered as fake updates or through targeted email or SMS phishing,” the report states. “But the most sophisticated so far has been the Android/LokiBot malware, which takes all the functions of Android/Marcher and adds cryptoransomware capabilities, among other malicious activities.”
McAfee says this type of malware can encrypt files and lock devices, send fake notifications to entice users to open their online banking apps and even give cybercriminals the ability to impersonate the victim’s IP address to commit additional fraud.
McAfee researchers believe Android/LokiBot has targeted more than 100 financial institutions around the world and has generated close to $2 million in revenue from kit sales on the dark web.
In the last year, researchers also saw an 80 percent increase in malware related to bitcoin mining.
Conversations to Have With Your Customers
It’s crucial to include strategy around mobile in your discussions with clients now. In addition to a multilayered mobile-security approach with products and services, there are best practices you should be assisting your clients with developing in order to best defend against this rising tide of mobile threats.
Consider these topics when having the conversation around mobile:
- App stores — What is the policy for downloading apps among users? As the report notes, apps can’t always be trusted, even if they come from trusted sources such as the Google Play store. Educate users to identify copycat apps by giving them tips like verifying the app maker’s name before downloading. Users should always avoid third-party app stores.
- BYOD — Bring-your-own-device policies have become common in workplaces, but they can’t be implemented without security being considered first. BYOD allows employees freedom that often leads to more productivity and higher morale, but users should be given a set of policies to adhere to, including regular backup of data and agreeing not to jailbreak devices that access the corporate network.
- Awareness — Awareness training around mobile is just as important as any other part of the security strategy. Your clients should be educating their end users on key defense tactics, such as learning how to identify phishing emails and texts, and staying away from unprotected Wi-Fi.
With mobile exploitation only expected to rise in the coming months, the opportunity is now for MSSPs to take a position of knowledge and authority on the risks clients face and assist them with tools and tips for keeping sensitive data protected.
Who is Security Joan? We’ll never tell, but all you really need to know is that she’s a huge Steely Dan fan (as if the nom de plume didn’t give it away). She’s also a veteran infosec journalist who has covered the evolution of the cybersecurity industry, its shadowy criminal underworld, and the good people trying to stop them for more than a decade. In addition to our weekly Security Central column, Security Joan helps inform the Channel Futures cybersecurity coverage with her sizable expertise. Say hi on Twitter @Security_Joan or shoot her an email at firstname.lastname@example.org.