8 mobile security threats you should take seriously in 2020

Mobile malware? Some mobile security threats are more pressing. Every enterprise should have its eye on these eight issues.


For now, there's no great answer — aside from selecting devices carefully and sticking with a policy that requires users to download apps only from a platform's official storefront, where the potential for cryptojacking code is markedly reduced — and realistically, there's no indication that most companies are under any significant or immediate threat, particularly given the preventative measures being taken across the industry. Still, given the fluctuating activity and rising interest in this area over the past months, it's something well worth being aware of and keeping an eye on as 2019 progresses.

6. Poor password hygiene

You'd think we'd be past this point by now, but somehow, users still aren't securing their accounts properly — and when they're carrying phones that contain both company accounts and personal sign-ins, that can be particularly problematic.

A recent survey by Google and Harris Poll found just over half of Americans, based on the survey's sample, reuse passwords across multiple accounts. Equally concerning, nearly a third aren't using 2FA (or don't know if they're using it — which might be a little worse). Only a quarter of people are actively using a password manager, which suggests the vast majority of folks probably don't have particularly strong passwords in most places, since they're presumably generating and remembering them on their own.

Things only get worse from there: According to a 2018 LastPass analysis, a full half of professionals use the same passwords for both work and personal accounts. And if that isn't enough, an average employee shares about six passwords with a co-worker over the course of his or her employment, the analysis found.

Lest you think this is all much ado about nothing, in 2017, Verizon found that weak or stolen passwords were to blame for more than 80 percent of hacking-related breaches in businesses. From a mobile device in particular — where workers want to sign in quickly to various apps, sites, and services — think about the risk to your organization's data if even just one person is sloppily typing in the same password they use for a company account into a prompt on a random retail site, chat app, or message forum. Now combine that risk with the aforementioned risk of Wi-Fi interference, multiply it by the total number of employees in your workplace, and think about the layers of likely exposure points that are rapidly adding up.

Perhaps most vexing of all, most people seem completely oblivious to their oversights in this area. In the Google and Harris Poll survey, 69 percent of respondents gave themselves an "A" or "B" at effectively protecting their online accounts, despite subsequent answers that indicated otherwise. Clearly, you can't trust a user's own assessment of the matter.

7. Physical device breaches

Last but not least is something that seems especially silly but remains a disturbingly realistic threat: A lost or unattended device can be a major security risk, especially if it doesn't have a strong PIN or password and full data encryption.

Consider the following: In a 2016 Ponemon study, 35% of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN, or biometric security guarding their devices — and about two-thirds said they didn't use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.

Things don't seem to be getting any better. In its 2019 mobile threat landscape analysis, Wandera found that 43% of companies had at least one smartphone in their roster without any lock screen security. And among users who did set up passwords or PINs on their devices, the firm reports, many opted to use the bare-minimum four-character code when given the opportunity.

The take-home message is simple: Leaving the responsibility in users' hands isn't enough. Don't make assumptions; make policies. You'll thank yourself later.

8. Mobile ad fraud

Mobile advertising generates a lot of revenue—about $57.9 billion in the first half of 2019 alone according to an Interactive Advertising Bureau (IAB) report. Cyber criminals follow the money, so it’s no surprise they’ve found ways to siphon cash from mobile ad revenue streams. Estimates on how much ad fraud costs vary, but Juniper Research projects a $100 billion loss per year by 2023.

Ad fraud can take several forms, but the most common is using malware to generate clicks on ads that appear to be coming from a legitimate user using a legitimate app or website. For example, a user might download an app that offers a legitimate service, such as a weather forecast or messaging. In the background, however, that app generates fraudulent clicks on legitimate ads that appear on the app. Publishers are typically paid by the number of ad clicks they generate, so mobile ad fraud steals from companies’ advertising budgets and can deprive publishers of revenue.

The biggest victims are mobile advertisers and ad-supported publishers, but ad fraud does harm to mobile users, too. As with cryptojacking, ad fraud malware runs in the background and can slow a smartphone’s performance, drain its battery, incur higher data charges, or cause overheating. Based on its own tracking data, security vendor Upstream estimates that smartphone users lose millions of dollars each year due to higher data charges from mobile ad malware.

Android is by far the most popular platform for mobile ad fraud. According to Upstream, these are some of the most popular malicious Android apps to avoid:

  • Snaptube
  • GPS Speedometer
  • Free Messages, Video, Chat, Text for Messenger Plus
  • Easy Scanner
  • Weather Forecast
  • Super Calculator
  • Who Unfriended Me
  • VidMate
  • Quicktouch

The Upstream report recommends that users:

  • Regularly check their apps and delete any that look suspicious.
  • Monitor data usage for unusual spikes.
  • Install apps only from Google Play.
  • Check an app’s reviews, developer details, and list of requested permissions before installing to make sure they all apply to the app’s stated purpose.

Copyright © 2020 IDG Communications, Inc.
