Mobile malware meets BYOD

Mobile malware is growing at an explosive rate, a trend that began in 2011 and continues to gain velocity – just as bring-your-own-device strategies are gaining greater acceptance in government offices. 

A new report from Alcatel-Lucent notes that infections of malicious software in mobile devices surged by 20 percent in 2013, and the tech communications company estimates that more than 11.6 million devices are infected at any given time. The majority of malware targets Android devices, which could be a serious concern for agencies as they open up their networks beyond the once-dominant Blackberry platform. 

It is particularly dangerous when it comes to introducing and facilitating advanced persistent threats on networks, the report notes. 

"The smartphone presents an excellent platform for advanced persistent threat and cyber espionage attacks against corporate and government networks," the report’s authors wrote. "Malware deployed on a smartphone can communicate 24/7 through the air with a remote [command and control] site, bypassing all corporate security measures." 

Government officials are working to keep up with the threat. The National Institute for Standards and Technology is drafting guidelines aimed at mobile security, and the National Security Agency regularly updates protection profiles to reflect the latest security threats, objectives and requirements. 

The NIST guidelines "basically are an outline of the requirements that are needed for mobile devices and mobile [operating systems] to make them sufficient in protecting enterprise data – in other words, to enable BYOD," NSA’s Mike Boyle said Jan. 30 at the Cyber Innovation Forum in Baltimore. "If you take a look at the protection profiles that the NSA has produced recently for mobile devices, we've started to incorporate requirements for hardware-rooted security to protect devices. It’s the first step along the way – and only the first step." 

Last summer, the Homeland Security Department issued an internal memo outlining threats to mobile devices specifically via Android, quoting a 2012 statistic that 79 percent of malware threats to mobile operating systems were on the Android platform. The Alcatel-Lucent study estimated that 60 percent of infected devices are Android, and a December report from IT security firm Kaspersky said that 98 percent of malware found in 2013 was directed at the Android platform.  

"Android is the world's most widely used mobile operating system and continues to be a primary target for malware attacks due to its market share and open source architecture," the DHS memo said. "The growing use of mobile devices by federal, state and local authorities makes it more important than ever to keep mobile [operating systems] patched and up-to-date." 

The memo warned of Trojan viruses delivered via SMS text messages, rootkit malwares that evade detection and log users’ locations, keystrokes and passwords, and fake Google Play domains, which serve as storefronts for apps, that lure users into downloading malware. Viruses also can be spread from infected desktops and laptops if a mobile device is connected through the USB port. 

"The threat isn't just growing in volume. We're seeing increased complexity too," the Kaspersky report said.  

Once in a network, mobile malware also can record audio and video and take pictures, making it a prime tool for corporate or government espionage. 

But according to Tony Sager, director of the SANS Institute, mobile malware is a different breed than its traditional predecessor – in a way that benefits the government.

"The good news is that it's not moving at the pace that desktops were 10 years ago," Sager said. "So we have a chance to escalate and move more quickly to get on top of these things."