In the face of the mobile malware explosion, many smartphone users and businesses are turning to mobile antivirus applications. But do those tools really offer enough protection -- and what additional mobile security steps should be taken?
Smartphones, tablets and other mobile devices are becoming more popular among both consumers and professional users. And as demand increases, more companies are starting BYOD (bring your own device) programs to allow users to bring their personal gadgets into work.
While BYOD has many benefits, smartphones' rise in popularity has at least one negative side effect: More hackers are turning their attention to those devices. These people are developing malware to steal data from phones or seeking out back doors to corporate networks.
The amount of mobile malware out there has exploded over the past few months, according to security experts. For example, security vendor Trend Micro discovered 175,000 mobile viruses targeting Android devices. That's compared to 30,000 that were discovered in June -- an increase of nearly 600%.
One tool businesses and consumers are using to protect their devices and data: mobile antivirus software. But should anti-virus apps be trusted as the primary line of defense against mobile security threats?
Mobile antivirus quality varies
Studies on the effectiveness of mobile antivirus software have been a decidedly mixed bag. In one study, PC Security Labs tested 15 different mobile security apps to see how well they blocked a set of known mobile viruses.
Many of the apps fared well in the test, including software from Kaspersky, Bitdefender and Trend Micro, which each detected more than 99% of the malicious software samples. On the flip side, the lowest rated app, LBE Security Master, detected just 50% of the viruses.
Another study from research institute AV-Test found that several apps could detect 90% or more malware samples, but that the majority blocked 65% or fewer viruses.
While those tests show some mobile antivirus apps can be effective at what they're designed to do, it's important to note that the tests relied on known examples of malware -- blocking the new viruses that are constantly appearing is a different bag altogether.
One problem with mobile antivirus programs is that many rely solely on signature-based malware detection, which only blocks specific, known pieces of malware. In contrast, the most effective desktop antivirus programs have turned to behavior-based detection to protect against new viruses that don't yet have signatures. Unfortunately, smartphones aren't designed to allow for that kind of malware protection, because the antivirus software would need root access privileges.
Making things even more complex, a lot of mobile applications also blur the line between malware and legitimate software. The Google Pay app store, for example, is littered with what security experts call "aggressive adware" -- apps that may serve a legitimate purpose, but also collect a lot of the users' personal information, often without notifying the user.
Additional steps to protect mobile security
Making sure that mobile antivirus software is loaded onto phones issued to users or brought in by employees as part of a BYOD (bring your own device) program is not only integral, but should be considered as an important piece of the company's security plan. However, it's clear that IT departments must take additional steps to protect their networks from mobile malware.
Here's what IT departments can do to help protect mobile security in their organizations:
- Warn users not to install apps from third parties, and consider disabling phones' abilities to install apps that aren't from the platform's official app store.
- Train users to read user reviews and check the app's permissions before they install software from an app store. If there a lot of negative reviews, that's a bad sign, as are permissions that seem out of line with the app's purpose. For example, if an alarm clock app is configured to access your contact lists, it's probably best to avoid installing it.
- Tell users to do an online search for the app's developer if they're suspicious. If the developer is releasing malware or aggressive adware, users will likely find some complaints on the web.
- Consider creating an enterprise app store so the company can exert more control over the software users install on the phones they use for work.
- Invest in mobile device management (MDM) software, which allows IT to monitor how mobile devices are being used and enforce security settings and other configurations.