April 18, 2019 9:00am CDT (14:00 GMT) | 30 Minutes
Since its inception, “antivirus” has been the shorthand term for solutions designed to prevent cyberattacks against endpoints from laptops to servers. On traditional endpoints (e.g., Windows, Linux), this lexicon has been fairly accurate since “viruses” (or their related cousins like worms, remote access trojans, etc.) were the primary threats. On those operating systems, applications have been allowed to interact with other applications. While this was useful for security applications like antivirus because they could neutralize or remove malicious applications, the malicious applications could also move laterally into other applications to create havoc and avoid detection.
The majority of “endpoints” accessing corporate data and networks are now mobile devices. As a result, the shorthand some use to describe the needed endpoint protection is “mobile antivirus”. Is the term correct, or should it be the broader terms of “mobile security” or Gartner’s “mobile threat defense”? For simplicity, we will refer to solutions as “mobile antivirus”. Regardless of terms, here are the top five facts security professionals need to know about mobile antivirus.
By definition, mobile antivirus has two parts: mobile and antivirus / security. It is important to recognize that mobile platforms have some major differences from their predecessors… and that the principles of security are still very much the same.
Unlike earlier platforms, mobile devices have closed operating systems (preventing much of traditional antivirus solutions’ protection) and users are the admins (they decide when to do updates, which networks to connect to and which apps to install). Very importantly, apps are all in “containers”, which means that apps are in their own buckets and cannot interact with each other at all.
While mobile is different, the principles of security are not. First, hackers still employ the “land and expand” strategy. Given the fact that most mobile devices have no protection, they are the perfect place to land. Second, targeted attacks rarely use well-known exploits or apps. Mobile antivirus must be able to detect previously unseen attacks, and not just known ones. Third, if attackers take the time to compromise any system, including mobile devices, they will do whatever they can to remain persistent. Once they own a device, they want to use it for as long as possible.
Despite mobile antivirus referencing back to “viruses” and other apps, mobile malware is not a major issue for enterprises for two primary reasons: containers and efficiency. As mentioned before, mobile apps are in containers. Since apps cannot interact with other apps, mobile malware is largely for fraud against owners of that app or potentially as a delivery mechanism for a complete device compromise (Fact #5). Then there is efficiency… If a hacker is attacking a specific organization, there are far more efficient ways (wait for Facts #3 & 4) to do so than a container-constrained app.
According to Verizon, 90% of security breaches begin with a phishing attack. Almost two thirds of all emails are read on mobile, and attackers also use other vehicles that are largely mobile such as texts and instant messages to phish. As a result, mobile antivirus solutions must account for the rising threat of mobile phishing. When a victim accesses a phishing site, not only can credentials be stolen (likely including the same password the victim uses for all accounts, personal and professional), but an exploit can be delivered to compromise the device (Fact #5).
Zimperium research has shown that 80-90% of all targeted mobile attacks against an organization begin with a network attack. Rather than dropping an app in the App Store or Play Store and hoping someone from the targeted organization will download it (and then having to break out of the app container), it is far more efficient for an attacker to set up a false WiFi network (a.k.a., “rogue access point”) or do a man-in-the-middle (MITM) attack where he knows the employees are.
Mobile antivirus solutions must be able to detect these network-based threats and also be able to function even when one is occurring. As a practical matter, that means all detection must occur on-device and not rely on a cloud. Once an attacker controls the network, he will immediately terminate access to any cloud-based mobile antivirus solution, rendering that solution useless.
Mobile devices are largely unprotected, so are any easy target for hackers. Given the unique characteristics of mobile devices, including apps being in containers, the only way for attackers to remain persistent is actually elevate privileges and compromise the device. As a result, mobile antivirus solutions must be able to detect and stop any device compromises regardless of how they occur (e.g., gaining root access, tricking users into installing malicious profiles).
The world’s leading mobile threat defense / mobile antivirus solution, Zimperium zIPS, was designed to protect enterprises against the threats included in these facts. Only zIPS protects against device, network, phishing and app risks and attacks in real-time, on-device.
To learn more, please contact us