Of course, it’s not just the app stores’ fault. Users can fall victim to malware in the form of email phishing attacks or even data passed through enterprise cloud storage services. Even a perfectly disciplined user can be infected through an advertising network that serves malicious content, taking advantage of mobile security flaws.
Finding Infected Devices
The first sign of a mobile malware infection can be one of these end-user complaints:
Their device is running slowly.
Certain applications crash that used to run smoothly.
They are suddenly using a lot more data.
Their battery doesn’t last as long as it used to.
Some new application was installed that they don’t recognize, or they’re getting popups that they didn’t see before.
Their phone bill shows charges for subscriptions services or premium SMSes.
IT managers should make sure that help desk teams know to look for infections when they see any of these issues. Having a list of signs to look for as part of user education campaigns is also a good idea, as it encourages alert users to report problems early.
Detecting Issues Early
Enterprise detection tools can help quickly identify issues. Since most mobile users switch to enterprise Wi-Fi when in the office, traditional Intrusion Prevention Systems (IPSes) and Unified Threat Management (UTM) firewalls that detect connections to command-and-control (C&C) servers or suspicious DNS lookups are also a big help.
IT managers should identify these specific types of alerts, configure their IPS or SEIM to generate an infection report, and make sure that they are reviewed for potential malware infection. Enterprises that have security proxies in place for web traffic should also be reviewing those logs for possible infected hosts.
Where possible, IT managers should try and put into place alerts with their telecommunications carrier to let them know when users are subscribing to services or sending premium SMSes. Blocking these types of charges is also an approach, but a better idea is to put in modest limits, such as $10 or $25 a month. This provides the footprints needed to help track down an infection, while a simple block might let malware run without detection because no one is seeing unusual charges.
Naturally, if an endpoint security solution is installed, those logs should also be reviewed to identify infected systems. When the logs indicate that the endpoint security solution is preventing a malware infection, that’s also useful information. IT managers should be following up on these types of alerts or logs to find users who have a high likelihood of future infection because they’ve downloaded an infected application or are engaging in risky behaviors.
Some smartphones, including Samsung’s latest devices with Knox, have built-in additional self-checking features that help to identify compromised devices. Posture checking, also called attestation, is a way for a device to check it is running the proper configuration and is often used in Network Access Control (NAC) deployments. With posture checking, the smartphone checks itself.
Details can vary, but typically posture checking includes verifying that the right applications are installed and running correct configurations, and the operating system is at the right version and patch level, without unknown components running or installed. Posture checking in smartphones is enabled through the mobile device management (MDM) or enterprise mobility management (EMM) configuration tools. When a device’s self-check fails, an alert will show up in the logs.
As with endpoint security logs, MDM and EMM logs should be reviewed carefully for posture check failures, as these usually indicated compromised mobile devices. Both endpoint security and MDM/EMM logs can be fed into enterprise SEIM to simplify the review process.
Keeping malware from exploiting mobile security vulnerabilities to get a foothold on your user’s devices is hard. If it were easy, we wouldn’t have this problem anymore. While this advice to IT managers is not particularly inspired or new, it is worth repeating.
Your first and best defense against mobile malware is an educated user, one who knows what to do, what not to do and when to seek help. It’s unfortunate that this is true, but it is: users shouldn’t have to know everything about security and shouldn’t have to be in constant fear of being hacked — but the state of IT security today requires their help.
Naturally, there’s technology you can bring to the table to help avoid infections as well. A base installation of anti-malware tools should be a part of your enterprise configuration. Mobile anti-malware is much more than looking for viruses; good products know about bad applications, can filter malicious URLs, look for misbehaving processes and provide centralized control and reporting. Typical MDM/EMM settings, such as application whitelisting/blocklisting and application store whitelisting, should also be used to help prevent bad applications from being installed.
Finally, it’s worth investigating built-in protections to your mobile platform that can help prevent malware infections in the first place. For example, Samsung smartphones include Security Enhancements for Android (SE for Android), a type of access control mechanism that prevents applications from exceeding their authorized boundaries.
SE for Android by itself can block some kinds of malware attacks, but Samsung also uses over-the-air updates to the SE configuration when new malware is identified, to further tighten controls. Samsung’s Knox Workspace, a containerization solution that isolates and encrypts enterprise data so that non-enterprise applications can’t see it, can help to mitigate malware damage as well.
Are unpatched security vulnerabilities worth the risk? A recent report shows just how much known vulnerabilities can cost your business.