Why people are taking mobile security less seriously and what it might take to change their minds.
CBR: Are people taking mobile security seriously enough?
DE: Six years ago people were using [mobiles] to make calls and text. All the cool stuff like Facebook, Instagram, Snapchat, Twitter, has been added organically. I think psychologically people still think of it as a phone, not a computer.
Also on the desktop and laptop, we went through this whole thing in the 90s of the problem getting bigger to the point where there were massive outbreaks or epidemics that impacted themselves on the psyche. People would read about them and think about the impact they could have.
There’s not been anything similar, so in a way, mobile developers have skipped all of those stages and gone straight to the cybercrime stage where they silently steal stuff. So there’s no give-away to make it obvious. Therefore I think businesses get it, but I don’t think individuals do, so I suspect there are an awful lot of unprotected devices.
It’ll be interesting to see what changes that. It might be that there is some huge ransomware epidemic and people feel it through the back of that. It might be headlines about a big company being hacked because somebody left a mobile in a taxi. Something like that will drive it home.
CBR: Do you think the scope for damage is as high for mobile?
DE: I think it is. Let’s say I have a simple PIN or no PIN at all and I leave it here. Somebody could get access to corporate mail, access to any documents on the phone and a Twitter account, all behind that PIN, which you can’t do on a laptop. It gives somebody quite a bit of capability for gathering information and maybe even being able to access a corporate network. If you’re in the vicinity of the building, the wi-fi key is already saved on it.
The other thing is if you connect to a public wi-fi network. While I’m behind the firewall in the office, out and about I’m not. Therefore, there’s an increased danger of leakage or information-gathering, and again, I don’t think people think about it. We’re beginning to see targeted attacks, which include leaking data through mobile devices.
The one thing I think is lacking in the public psyche is probably money. If you do your online banking with a laptop and click on a phishing email and someone gets your banking details or they’re able to capture your password, although there’s been a growing amount of banking malware on mobiles, so far 90 percent of it is based in Russia. It’s only beginning to break out of that now. We’ve seen with other types of malware, they incubate in Russia and start to move southwards and westwards. So SMS Trojans did that and some of the spyware did that.
So we think it’s likely that banking malware will do the same. That’s phishing apps that pretend to be my bank but aren’t, it’s malicious apps that are able to access my email, or malicious apps that are able to access my bank account and transfer funds. I think that will happen over here as well, and as people start to lose real money, they’ll begin to see this. Right now, maybe a company’s at risk, but the individual isn’t.
Even if I move money around, maybe I’m not doing it through a website as you would on a laptop, you’re doing it on a dedicated app. Banks have been through the history of banking on laptops and desktops and learned some lessons and factor that in. In fairness, banks talk to people like us about securing apps like this. I’d say right now, banking on a mobile is more secure than on a laptop. This isn’t necessarily by design of the device, but just because at the moment there isn’t that much banking malware facing Europe. It will happen, I think.
CBR: Why does the majority of malware target Android?
DE: There’s a massive difference between Android and iOS. The overwhelming majority of malware we see is on Android. I think that’s because there’s so much flexibility at different levels of Android. Samsung or Vodafone, for example, can customise the operating system. App developers are free to develop apps left, right and centre. We’re not restricted to Google Play.
If you look at iOS, it is what it is. I can get it from Carphone Warehouse or Vodafone or straight from Apple. If I want applications I have to go to the app store. It’s like operating Wembley Arena with one door in and out. The stuff you see on iOS tends to be on jailbroken devices.