When IT professionals describe solid security design, they use the phrase “defense in depth.” The idea is simple: You can’t depend on just one defense to thwart attackers. Multilayered security is critical. Software can have bugs, configurations can be insecure, users can be misled, and even hardware can have vulnerabilities — despite engineers’ best efforts to build trustworthy products.
Mobile malware is a broad term that includes everything from adware to ransomware to more sophisticated attack tools that try to take over your entire device. It can infiltrate your device through an app, a web browser, or a hardware vector — even an innocuous-looking USB charging port in a coffee shop.
How should you protect your device from malware?
So, how should you protect your device from malware? To ensure your personal and confidential information is always secure and protected against mobile malware, Samsung applies extensive defense in depth to its hardware and software engineering.
Keeping mobile malware at bay
Your first line of defense against malware is right at the top: the Google Play Store and Google Play Protect. If you’re familiar with Windows anti-malware solutions, Google Play Protect is roughly the same, but extended to include the Google Play Store itself, both before and after an app is installed. Aside from app analytics and controls in the store itself, Play Protect also has a scanning component that runs on every Android phone. Automatically updated from Google’s cloud, the scanner uses machine learning to identify malware — what Google calls Potentially Harmful Applications (PHAs). The daily Play Protect scan finds harmful apps anywhere on your device, including in apps from other app stores. Once these apps are found, Play Protect will notify you so you can immediately delete the threat and maintain device security.
Android app installation comes with another useful protection, app signing, which gives a cryptographic “stamp” to each app from its developer. This prevents malware from masquerading as coming from this trusted developer and also detects if an authentic app is modified along the path from the developer to the app store to your device. The app’s signature is also used to enable trusted communication between apps from the same vendor. If you’ve ever noticed how apps from the same vendor don’t require separate sign-ins, this is sometimes why. Android app developers know that sensitive account information and data are safe to share between their own apps (and not with third-party apps) through these trusted channels built right into Android. The cryptographic signatures that tag their apps provide this invisible sandboxing that simplifies the user experience — while better protecting the sensitive data their apps manage.
Enterprise IT managers can bolster Play Protect by using Samsung Knox to create their own app controls, such as limiting which app stores users can access and setting up app allowlists and blocklists. Samsung Auto Blocker can stop the side-loading of apps from unknown sources, even if users accidentally approve them. The blocker can also block USB updates to prevent malicious software from being installed. These features are part of Knox Manage, one of the Knox application programming interfaces (APIs) used by mobile device management (MDM) solutions to give IT managers control over their enterprise’s Samsung devices. Knox Manage provides IT admins with hundreds of policies to manage mobile fleets. By using these MDM tools to configure tight app controls, IT managers gain an additional layer of anti-malware.
Defending against mobile phone malware
If you can keep malware off your smartphones in the first place, you’ve won the battle already. But if something gets through the cracks, “defense in depth” means you’re still protected. Even when malware has made it onto your device, it’s only dangerous if it can perform a malicious action or leak sensitive data. So let’s take a look at Samsung’s defensive security layers that contain these threats:
Malware may first try to exceed its normal limits, such as what files it can read and write. Security-Enhanced Linux (SELinux) creates mandatory access controls (MACs) in Unix-based operating systems. In Android, it’s called SE for Android, a core technology that protects against apps reaching out beyond their intended limits. SE for Android provides app isolation far beyond what’s possible with normal Unix discretionary access controls and Android app permissions. SE for Android builds in mandatory rules that ensure certain actions are simply never allowed, regardless of how creative the attacker is. It can also ensure that some permissions may never be granted, except to apps and services created and signed by Samsung and Google, for example. These mandatory rules add an extra security layer on top of the typical app permission model and act as a critical safeguard in our mobile defense-in-depth design. And like many Android security features, it’s there because Samsung worked to create it.
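The two properties described above, that mandatory rules sit on top of the ordinary Unix permission check and that a policy can forbid certain grants outright, can be shown with a small model. The block below is an added example, not Samsung's or AOSP's code; it models a policy compiler that rejects an `allow` rule contradicting a `neverallow` assertion, and an access check that requires both the discretionary (owner/world bits) and the mandatory (domain/type) decision to pass. The type and domain names are borrowed from AOSP for flavour; the rules, processes and files are constructed for the demo.

```python
from dataclasses import dataclass, field

WILDCARD = "*"


def rule_matches(pattern, rule):
    """A neverallow pattern matches a rule field-by-field, with '*' as wildcard."""
    return all(p == WILDCARD or p == r for p, r in zip(pattern, rule))


@dataclass
class Policy:
    """Rules are (source_domain, target_type, object_class, permission)."""
    allow: set = field(default_factory=set)
    neverallow: list = field(default_factory=list)

    def add_neverallow(self, pattern):
        self.neverallow.append(pattern)

    def add_allow(self, rule):
        """Like the SELinux policy compiler, refuse to build a policy in which
        an allow rule contradicts a neverallow assertion."""
        for pattern in self.neverallow:
            if rule_matches(pattern, rule):
                raise ValueError(f"allow {rule} violates neverallow {pattern}")
        self.allow.add(rule)

    def permits(self, rule):
        """At runtime everything not explicitly allowed is denied."""
        return rule in self.allow


def policy_accepts(policy, rule):
    """True if the rule could be compiled into a copy of the policy."""
    try:
        Policy(set(policy.allow), list(policy.neverallow)).add_allow(rule)
        return True
    except ValueError:
        return False


@dataclass
class File:
    owner_uid: int
    mode: int    # Unix permission bits, e.g. 0o644
    type: str    # SELinux type label


@dataclass
class Process:
    uid: int
    domain: str  # SELinux domain, assigned at launch (in Android, from the app's signer and flags)


PERM_BITS = {"read": 4, "write": 2}


def dac_permits(proc, f, perm):
    """Discretionary check: the owner's bits if the uid matches, else the world bits."""
    bits = f.mode >> 6 if proc.uid == f.owner_uid else f.mode
    return bool(bits & PERM_BITS[perm])


def access(policy, proc, f, perm):
    """Both checks must pass; the mandatory one cannot be loosened by chmod or by the app."""
    return dac_permits(proc, f, perm) and policy.permits((proc.domain, f.type, "file", perm))


# Constructed policy fragment (illustrative, not the real Android policy).
POLICY = Policy()
POLICY.add_neverallow(("untrusted_app", "keystore_data_file", "file", "*"))
POLICY.add_allow(("untrusted_app", "app_data_file", "file", "read"))
POLICY.add_allow(("untrusted_app", "app_data_file", "file", "write"))
POLICY.add_allow(("platform_app", "keystore_data_file", "file", "read"))

THIRD_PARTY = Process(uid=10001, domain="untrusted_app")
PLATFORM = Process(uid=1000, domain="platform_app")
OWN_DATA = File(owner_uid=10001, mode=0o600, type="app_data_file")
KEY_FILE = File(owner_uid=1000, mode=0o644, type="keystore_data_file")  # world-readable by DAC alone

if __name__ == "__main__":
    print("app reads its own data:", access(POLICY, THIRD_PARTY, OWN_DATA, "read"))
    print("app reads world-readable key file:", access(POLICY, THIRD_PARTY, KEY_FILE, "read"))
    print("platform app reads key file:", access(POLICY, PLATFORM, KEY_FILE, "read"))
    print("policy accepts a loosening allow rule:",
          policy_accepts(POLICY, ("untrusted_app", "keystore_data_file", "file", "read")))
```

The point of the `policy_accepts` check is that the `neverallow` assertion is enforced when the policy is built, so a device cannot ship with a rule that would let an untrusted app touch the key file, no matter how the file's Unix mode bits are set.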
SE for Android’s protections are OS-focused, but sometimes malware is aiming in another direction: trying to bypass device hardware policies to gain unauthorized access to peripherals like the camera or microphone to spy on users. While users and IT managers can use app permissions to inspect and control which apps have access to which peripherals, Samsung devices have an exclusive security layer — called Hypervisor Device Manager (HDM) — which adds critical hardware protection against this threat. HDM specifically targets physical sensors and communication chips like your camera, microphone, Bluetooth and Wi-Fi chip. If a mobile phone malware author finds a software flaw that would otherwise grant them direct access to your microphone or camera, our HDM system can still block access at the hardware level. It can even trigger automatic physical lockout of such peripherals upon detection of device compromise or device rooting. Even in cases where the entire OS is replaced or compromised, HDM can still enforce your device’s peripheral policies. HDM is one of our strongest layers of defense in depth to prevent hacking of all types.
IT managers can add yet another layer of anti-malware by using app containers, which isolate apps into different categories — essentially separate smartphones — typically one for work and one for home. When apps are isolated, they’re prevented from interacting with each other (and with each other’s stored data), and the OS itself enforces that separation. If a user manages to install mobile malware in their smartphone’s “home” container, the app can’t reach over into the “work” side to steal corporate data. Samsung’s Separated Apps feature fine-tunes this idea by letting IT admins create a partition for a single app — a way of safely installing a smartphone app you don’t completely trust. Separated Apps could be used to allow the installation of a third-party app, such as for ride-sharing, while ensuring the app has no visibility into the phone’s data or contacts.
Alternatively, malware might focus on stealing something highly valuable: your passwords or biometrics. This is where pairing Android with TrustZone Trusted Execution Environments (TEEs) and Samsung Knox Vault is most effective. TrustZone has been integrated with Android for years as a way to isolate the management and storage of secure data, such as encryption keys. Normally, TrustZone TEEs are built right next to the Android OS and run in parallel on the main CPU chip. Knox Vault takes the concept a step further, providing a separate secure processor and isolated secure memory to provide greater shielding from side-channel attacks. Meanwhile, Knox Guard allows IT managers to lock and wipe lost or stolen devices, ensuring that sensitive data remains secure even if the device is compromised.
Safeguarding the mobile OS
If malware can’t easily grab your data, the next step for hackers is to try to crack into the OS in order to break through the fences surrounding it. Samsung’s Knox Active Protection and Defeat Exploits (DEFEX) technologies provide a layer of defense against this type of attack. Real-time Kernel Protection (RKP), for example, detects and prevents modifications to Android’s kernel. DM-Verity also ensures that the file system that stores the OS hasn’t been touched. DEFEX puts fences around privileged processes to ensure that only authorized apps can run with these permissions.
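The file-system check mentioned above works by hashing the OS partition into a tree whose single root hash is trusted by the boot chain, so that each block can be checked on read without rehashing the whole partition. The block below is an added example of that mechanism and is not Samsung's or the Linux kernel's dm-verity code; it uses a 16-byte block size and a constructed five-block "image" so the tree has an odd level, and it treats the root hash as already trusted (on a real device it is delivered through the verified boot metadata).

```python
import hashlib

BLOCK_SIZE = 16  # constructed for the demo; real dm-verity uses 4 KiB data blocks


def h(data):
    return hashlib.sha256(data).digest()


def split_blocks(image, block_size=BLOCK_SIZE):
    return [image[i:i + block_size] for i in range(0, len(image), block_size)]


def build_tree(blocks):
    """Levels from the leaves (one hash per block) up to the single root.
    Each parent hashes a pair of children; a trailing odd node pairs with itself."""
    levels = [[h(b) for b in blocks]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[i] + cur[min(i + 1, len(cur) - 1)])
                       for i in range(0, len(cur), 2)])
    return levels


def verify_block(blocks, tree, index, trusted_root):
    """Check one block the way the kernel does on read: hash it, climb to the
    root using sibling hashes from the on-disk tree, and accept only if the
    result equals the root the boot chain vouched for."""
    node = h(blocks[index])
    for level in tree[:-1]:
        sibling = level[index ^ 1] if (index ^ 1) < len(level) else node
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node == trusted_root


# Constructed image: five 16-byte blocks (not a real system partition).
IMAGE = b"".join(f"system-blk-{i:02d}".encode().ljust(BLOCK_SIZE, b"\0") for i in range(5))
BLOCKS = split_blocks(IMAGE)
TREE = build_tree(BLOCKS)
ROOT = TREE[-1][0]  # the trusted value; everything else on disk is untrusted


def read_block(blocks, tree, index, trusted_root=ROOT):
    """Return the block's data, or None (surfaced as an I/O error on a real device)."""
    return blocks[index] if verify_block(blocks, tree, index, trusted_root) else None


def demo():
    """Outcomes for a clean disk, one modified block, and a rewritten tree."""
    tampered = list(BLOCKS)
    tampered[3] = tampered[3][:-1] + b"!"  # one byte changed on "disk"
    rebuilt = build_tree(tampered)         # the tree is rewritten to match the change
    return {
        "clean": all(read_block(BLOCKS, TREE, i) is not None for i in range(len(BLOCKS))),
        "tampered_block": read_block(tampered, TREE, 3),
        "untouched_block_still_readable": read_block(tampered, TREE, 0) is not None,
        "tampered_with_rebuilt_tree": read_block(tampered, rebuilt, 3),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two details matter for the defensive argument: an untouched block still reads correctly after a neighbour is modified, so verification is per block rather than all-or-nothing, and rewriting the on-disk tree to match a modified block does not help, because the comparison is against a root hash the partition itself does not control.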
Sometimes malware takes yet another approach: Instead of cracking through the heavily armored OS, the malware tries to break in by making changes that can compromise the system on the next reboot before any protections are loaded. Samsung phones secure the boot process and the integrity of the OS during boot via multiple built-in hardware protections: Secure Boot, Warranty Bit, rollback prevention, tamper detection and TEE software that peeks over the wall into the OS to ensure malware hasn’t snuck in. Knox Enterprise Firmware Over-the-Air (E-FOTA) provides enterprises with control over their software updates, allowing them to validate, approve, and deploy new versions of the OS across their device fleets so that all security patches are applied promptly.
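Both the app signing described earlier in this article and the boot-time checks in this paragraph rest on the same primitive: a signature over a digest, checked against a key that the verifier already trusts. The block below is an added example covering both passages; it is not Samsung's or Android's code. It uses a toy RSA built from Mersenne primes (far too small for real use, chosen only so the block runs on the standard library), a single OEM key standing in for the hardware root of trust, a single fuse-backed rollback index for the whole chain, and the assumption that any failed stage verification sets a one-way warranty bit. The package names, files and firmware stages are constructed.

```python
import hashlib
import json

# Toy RSA from Mersenne primes so the block runs on the standard library alone.
# The keys are far too small for real use and only stand in for the full-size
# keys and certificates used by Android's APK signature schemes and by a real
# boot chain.
E = 65537


def make_keypair(p_exp, q_exp):
    """(public, private) as (n, e), (n, d) with p = 2^p_exp - 1, q = 2^q_exp - 1."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def _h(n, data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_h(n, data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _h(n, data)


def fingerprint(public_key):
    """A signer's identity is its key, not the name it claims."""
    return hashlib.sha256(repr(public_key).encode()).hexdigest()


# --- App signing: integrity plus signature-level trust between apps ---------
def package_bytes(name, files):
    return json.dumps([name, sorted((f, b.hex()) for f, b in files.items())]).encode()


def sign_package(name, files, private_key, public_key):
    """Developer side: the package ships its signing key and a signature."""
    return {"name": name, "files": files, "signer": public_key,
            "signature": sign(private_key, package_bytes(name, files))}


def verify_package(pkg):
    """Device side: any change to name or contents breaks the signature."""
    return verify(pkg["signer"], package_bytes(pkg["name"], pkg["files"]), pkg["signature"])


def same_signer(a, b):
    """Grant a trusted channel only to packages that verify under one key."""
    return (verify_package(a) and verify_package(b)
            and fingerprint(a["signer"]) == fingerprint(b["signer"]))


# --- Secure boot: verify each stage, block rollback, trip the warranty bit ---
def stage_bytes(stage):
    return json.dumps([stage["name"], stage["version"]]).encode() + stage["code"]


def sign_stage(name, version, code, private_key):
    stage = {"name": name, "version": version, "code": code}
    stage["signature"] = sign(private_key, stage_bytes(stage))
    return stage


class Device:
    """Hardware state: an immutable OEM key in ROM, a fuse-backed rollback
    index that only grows, and a warranty bit that once set is never cleared."""
    def __init__(self, oem_key):
        self.oem_key, self.rollback_index, self.warranty_bit = oem_key, 0, False

    def boot(self, stages):
        for stage in stages:
            if not verify(self.oem_key, stage_bytes(stage), stage["signature"]):
                self.warranty_bit = True  # tamper evidence that survives reflashing
                return f"halt: {stage['name']} failed verification"
            if stage["version"] < self.rollback_index:
                return f"halt: {stage['name']} v{stage['version']} older than fuse index {self.rollback_index}"
        # Only after the whole chain verifies is the fuse advanced.
        self.rollback_index = max(self.rollback_index, min(s["version"] for s in stages))
        return "booted"


# --- Constructed keys and samples (not real apps or firmware) ---------------
DEV_PUB, DEV_PRIV = make_keypair(61, 89)
OEM_PUB, OEM_PRIV = make_keypair(107, 127)
OTHER_PUB, OTHER_PRIV = make_keypair(31, 521)

MAIL_APP = sign_package("com.example.mail", {"classes.dex": b"mail-code"}, DEV_PRIV, DEV_PUB)
CAL_APP = sign_package("com.example.calendar", {"classes.dex": b"cal-code"}, DEV_PRIV, DEV_PUB)
IMPOSTOR = sign_package("com.example.mail", MAIL_APP["files"], OTHER_PRIV, OTHER_PUB)
TAMPERED = dict(MAIL_APP, files={"classes.dex": b"mail-code+implant"})


def chain(version, private_key=OEM_PRIV):
    """A full boot chain at one version, every stage signed by private_key."""
    return [sign_stage(n, version, f"{n}-v{version}".encode(), private_key)
            for n in ("bootloader", "kernel", "system")]


def demo_boot():
    """Boot outcomes for four scenarios, plus the device's final fuse state."""
    dev = Device(OEM_PUB)
    outcomes = [dev.boot(chain(2))]                  # genuine v2: boots, fuse -> 2
    outcomes.append(dev.boot(chain(1)))              # genuine but older: rollback blocked
    patched = chain(2)
    patched[2]["code"] += b"-modified"               # system image changed after signing
    outcomes.append(dev.boot(patched))               # halts, warranty bit trips
    outcomes.append(dev.boot(chain(2, OTHER_PRIV)))  # right version, wrong key
    return outcomes, dev.warranty_bit, dev.rollback_index


if __name__ == "__main__":
    print("mail app verifies:", verify_package(MAIL_APP), "tampered:", verify_package(TAMPERED))
    print("impostor shares signer:", same_signer(MAIL_APP, IMPOSTOR),
          "calendar shares signer:", same_signer(MAIL_APP, CAL_APP))
    print(demo_boot())
```

The impostor package verifies under the key it carries, which is the expected outcome: signing proves who produced the package, not that the producer is the one the name suggests. The trust decision is `same_signer`, which compares key fingerprints rather than package names. On the boot side, the genuine-but-older chain is refused purely on the fuse index even though every signature is valid, which is the rollback-prevention property the paragraph describes.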
Samsung takes defense in depth to heart. We’re always working to defeat malware, from the app level all the way down to the hardware. If you want to learn even more about how you should protect your device from malware and the extended security management capabilities built into our enterprise-grade smartphones and tablets, just reach out.
Learn five ways Samsung is tackling mobile security with Samsung Knox. And discover how Samsung’s defense-grade Knox security helps protect your most important mobile data from the chip up.