A few years ago asking a security expert about the risk of mobile malware would draw a mixed response, ask that question today and there is a consensus that mobile malware is a distinct and evolving problem that is difficult to prevent with mobile app security testing. Malware’s success on traditional platforms has helped it move to mobile. Here’s a quick look at mobile malware and how it differs in attacks on mobile.
Compare early malware such as Timofonica, an internet to SMS virus, to Ghost Push, Android malware discovered from 2015 that controls Android device privileges. Impossible to remove without flashing the firmware, It installs other malicious software programs onto the device, sends push ads and drains battery life.
Apple malware XcodeGhost modifies Xcode, stealing user device information, opening specific URLs on an infected app, reading and writing from the clipboard, and infecting other apps. It is also possible to control it remotely. A developer using XcodeGhost unwittingly causes security issues for all their users.
Mobile apps pose major malware threat
Mobile malware is different finds it way on to our devices via unsafe app installation e.g. sideloading – where Android users install apps from sources other than the Play Store. Third parties such as Mobogenie, Amazon, Appbrain, etc. offer applications that may not be available to users on the Play Store. Another option is to look for app binary files which may open doors for malicious software and compromise your mobile devices. Avoiding these sources is not the answer, with malware such as AceDeceiver, that was spread in early 2016 by apps downloaded from the AppStore.
Enterprises need to invest in mobile app security testing and security awareness training of its employees to follow best practices. This includes mandating the installation of apps from official app stores only, such as Google’s Play Store and Apple’s AppStore. However, not all apps require the same level of mobile app security testing and organizations need to identify the ones that require additional security.
Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing in under a minute try out Codified Security.