Mobile Antivirus

By definition, mobile antivirus has two parts: mobile and antivirus / security. It is important to recognize that mobile platforms have some major differences from their predecessors… and that the principles of security are still very much the same.

Unlike earlier platforms, mobile devices have closed operating systems (preventing much of traditional antivirus solutions’ protection) and users are the admins (they decide when to do updates, which networks to connect to and which apps to install). Very importantly, apps are all in “containers”, which means that apps are in their own buckets and cannot interact with each other at all.

While mobile is different, the principles of security are not. First, hackers still employ the “land and expand” strategy. Given the fact that most mobile devices have no protection, they are the perfect place to land. Second, targeted attacks rarely use well-known exploits or apps. Mobile antivirus must be able to detect previously unseen attacks, and not just known ones. Third, if attackers take the time to compromise any system, including mobile devices, they will do whatever they can to remain persistent. Once they own a device, they want to use it for as long as possible.

Despite mobile antivirus referencing back to “viruses” and other apps, mobile malware is not a major issue for enterprises for two primary reasons: containers and efficiency. As mentioned before, mobile apps are in containers. Since apps cannot interact with other apps, mobile malware is largely for fraud against owners of that app or potentially as a delivery mechanism for a complete device compromise (Fact #5). Then there is efficiency… If a hacker is attacking a specific organization, there are far more efficient ways (wait for Facts #3 & 4) to do so than a container-constrained app.

According to Verizon, 90% of security breaches begin with a phishing attack. Almost two thirds of all emails are read on mobile, and attackers also use other vehicles that are largely mobile such as texts and instant messages to phish. As a result, mobile antivirus solutions must account for the rising threat of mobile phishing. When a victim accesses a phishing site, not only can credentials be stolen (likely including the same password the victim uses for all accounts, personal and professional), but an exploit can be delivered to compromise the device (Fact #5).

Zimperium research has shown that 80-90% of all targeted mobile attacks against an organization begin with a network attack. Rather than dropping an app in the App Store or Play Store and hoping someone from the targeted organization will download it (and then having to break out of the app container), it is far more efficient for an attacker to set up a false WiFi network (a.k.a., “rogue access point”) or do a man-in-the-middle (MITM) attack where he knows the employees are.

Mobile antivirus solutions must be able to detect these network-based threats and also be able to function even when one is occurring. As a practical matter, that means all detection must occur on-device and not rely on a cloud. Once an attacker controls the network, he will immediately terminate access to any cloud-based mobile antivirus solution, rendering that solution useless.

Mobile devices are largely unprotected, so are any easy target for hackers. Given the unique characteristics of mobile devices, including apps being in containers, the only way for attackers to remain persistent is actually elevate privileges and compromise the device. As a result, mobile antivirus solutions must be able to detect and stop any device compromises regardless of how they occur (e.g., gaining root access, tricking users into installing malicious profiles).