Senior Editor

Is mobile anti-virus even necessary?

Sep 24, 2013 | 13 min read
Android | Application Security | Careers

Experts disagree over whether or not there are any immediate threats to mobile devices that can be addressed with anti-virus software. Should you invest in AV for your smartphone or tablet?

It’s no secret, or at least not anymore: people generally do not use any sort of anti-virus or malware protection on their mobile device. Recent IDC research has indicated that only 5 percent of all smartphones and tablets have some sort of security tools installed on them, raising the question of whether or not that kind of software is even necessary.


While it’s true that this statistic covers both enterprise and consumer audiences, the two are often one and the same. According to Dionisio Zumerle, a principal research analyst at Gartner, BYOD adoption can range anywhere from 15 percent to upwards of 50 percent within a company, depending on factors like security requirements, form factor, industry, and risk appetite.

There’s no question that a significant chunk of these devices that are free of any sort of anti-virus protection are being used in enterprise scenarios. The first question, then, is why that’s the case.

Determining threat levels

In terms of a threat presence, there’s no shortage of mobile malware floating around out there, at least according to anti-virus vendors. McAfee numbers, for example, indicate that 377,000 unique pieces of mobile malware were blocked in the month of July this year. But whether or not this kind of commercial software is even the right approach is a point of contention.

“Antivirus is not the right answer to malware,” said Zumerle. “It’s more of a reaction than a solution.”

He went on to acknowledge that cases of malware pop up occasionally for consumers (particularly in scenarios involving financial transactions or repackaging attacks), such as a couple of high-profile 2012 banking-fraud campaigns, Operation High Roller and Eurograbber, which resulted in $16 million and 36 million Euros being stolen, respectively. But generally that kind of malware isn’t a concern for enterprise users right now. In fact, as it stands now, anti-virus could hurt more than it helps.

“You shouldn’t include [antivirus software] just because you can,” said Zumerle. “Software that is continuously scanning or patching will drain the battery. And besides, this malware is very quick in evolving and changing, and a lot of this antivirus software is signature based. If you have new viruses, what are you going to do? At a certain point you won’t be able to catch up and it will essentially be ineffective.”

Tyler Shields, a senior analyst at Forrester Research, shared similar sentiments, though he also maintained that many users aren’t using antivirus simply because there’s no incentive. In fact, Forrester’s Q2 2012 Forrsights Security Survey indicated that only 28 percent of the 692 firms surveyed were “very concerned” about mobile security issues.

“It’s like living in a nice community with high walls, so you don’t have to lock your door. That’s fine until you get robbed,” said Shields. “Until there’s a huge [virus] that hits and makes it into the media, people just won’t do it. They aren’t incentivized to do it.”

As for fighting off future threats, Shields also agreed that traditional, largely signature-based software will be completely ineffective at stopping unknown viruses. It can stop known ones, he said, but it doesn’t stop the original outbreak. Software developers have to work anomaly- and behavior-based detection into their engines, and only then will they have a chance of staying ahead of mobile attackers.

“We have to start looking at the game differently and stop with the arms race approach,” he said.

But the vendors say this is already the case. Mike Fey, McAfee’s Worldwide Chief Technology Officer, insists that his company’s software works off of both signatures and anomalous behavior. “You have to try to build into your scheme as much as possible,” he said. “We use signatures to ensure speed. If you know something is inherently bad, you might as well block it.”

Fey did add, however, that McAfee’s approach will continue to change further down the road, even if the threat remains the same. Its software may scrub apps as they download, he said, or verify that they actually came from the right store. But attackers’ motives and capabilities won’t change simply because of a device format change.

“In terms of how the software works, it’s not always going to be handled the same way,” he said. “Our protection schemes will change.”


Mark Birmingham and Greg Sabey, director of product marketing and senior technology PR manager for Kaspersky, agreed that antivirus companies can no longer get away with just signature-based detection. Rather, they need to make their protection as close to real-time as possible. “Signatures are reactive,” said Birmingham. “We need to have proactive technologies or it’s not enough. They talk about having zero day threats…we’re closing in on zero minute.”
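The argument running through the quotes above, that an exact signature misses anything it has not already seen while a behavioral rule can catch a variant on first sight, is easy to show in code. The following is an added example, not code from the article or from McAfee or Kaspersky. It models three constructed APK records: an SMS trojan repackaged under a bank’s package name, a variant of it with one byte of padding, and the genuine bank app. The package names, signing-certificate fingerprints, installer names and code bytes are all invented for the example; the Android permission strings and the Play Store installer package name are real.

```python
from __future__ import annotations

import dataclasses
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class AppSample:
    """What an on-device scanner can read from an APK without running it.
    Every value used below is constructed for this example."""
    package: str
    signer_sha1: str              # fingerprint of the APK signing certificate
    permissions: FrozenSet[str]
    installer: str                # package that installed it (Play is com.android.vending)
    code: bytes                   # stands in for classes.dex


def code_hash(sample: AppSample) -> str:
    return hashlib.sha256(sample.code).hexdigest()


# --- Signature engine: exact hashes of code already seen in the wild. ---

def signature_match(sample: AppSample, known_bad: Set[str]) -> bool:
    return code_hash(sample) in known_bad


# --- Behavioural engine: the capabilities a premium-SMS trojan needs. ---

PLAY_STORE = "com.android.vending"
SMS_ABUSE = frozenset({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"})
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"


def behaviour_findings(sample: AppSample, trusted_signers: Dict[str, str]) -> List[str]:
    """Each finding is one signal; no single one is damning on its own."""
    findings = []
    if SMS_ABUSE <= sample.permissions and BOOT in sample.permissions:
        findings.append("sends and intercepts SMS and restarts itself at boot")
    if sample.installer != PLAY_STORE:
        findings.append("installed from outside the official store")
    expected = trusted_signers.get(sample.package)
    if expected is not None and expected != sample.signer_sha1:
        findings.append("known package name signed by a different key (repackaged)")
    return findings


def verdict(sample: AppSample, known_bad: Set[str], trusted_signers: Dict[str, str]) -> str:
    if signature_match(sample, known_bad):          # cheap and certain: block outright
        return "block (signature)"
    findings = behaviour_findings(sample, trusted_signers)
    if len(findings) >= 2:                          # require corroboration to limit false positives
        return "block (behaviour: " + "; ".join(findings) + ")"
    return "allow"


# --- Constructed samples ---

TROJAN_PERMS = frozenset({*SMS_ABUSE, BOOT, "android.permission.INTERNET"})
TRUSTED_SIGNERS = {"com.example.bank": "AA:11:22:33"}   # the bank's real signing key (constructed)

ORIGINAL = AppSample("com.example.bank", "DE:AD:BE:EF", TROJAN_PERMS,
                     "com.thirdparty.market", b"trojan build 1")
# One byte of padding: identical behaviour, brand-new hash.
VARIANT = dataclasses.replace(ORIGINAL, code=ORIGINAL.code + b"\x00")
LEGIT = AppSample("com.example.bank", "AA:11:22:33",
                  frozenset({"android.permission.INTERNET",
                             "android.permission.RECEIVE_SMS"}),   # reads OTP SMS, never sends
                  PLAY_STORE, b"genuine bank app")
KNOWN_BAD = {code_hash(ORIGINAL)}   # the variant has not been seen yet, so it is not listed

if __name__ == "__main__":
    for name, s in (("original", ORIGINAL), ("variant", VARIANT), ("legit", LEGIT)):
        print(f"{name:9} signature={signature_match(s, KNOWN_BAD)!s:5} "
              f"-> {verdict(s, KNOWN_BAD, TRUSTED_SIGNERS)}")
```

The signature engine blocks ORIGINAL and nothing else; the behavioral rule blocks VARIANT on the combination of SMS permissions, sideloading and a signing key that does not match the bank’s, while the genuine app, installed from Play and signed with the expected key, is allowed. The trade-off Fey describes is visible in `verdict`: signatures run first because they are fast and certain, and the heuristic needs at least two corroborating findings because any one of them alone (a sideloaded SMS app, say) is common in benign software.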

Is the storm here, or merely on the horizon?

Everyone, whether they work for a vendor or an analyst firm, appears to be on the same page regarding the necessity of proactive protection. Where the narratives clash, however, is over whether or not there is an immediate threat.

“Malware comes later on in the pantheon of risks,” said Zumerle, who explained that if users follow certain measures like MDM, jailbreak protection, and not accessing third party app stores, they can greatly reduce the risk of malware for the time being. Losing your device and not having data protection, a complex or long password, or the ability to remotely wipe the device, he said, is a greater concern.

“Forward looking, there’s no doubt that mobile devices will eventually account for a significant part of enterprise breaches,” added Zumerle. “But if we’re looking at it right now, the numbers are not there yet. And part of that is because we’re still shifting from workstations to mobile devices, and that takes time.”

But the numbers are there, according to Birmingham and Sabey, who pointed to statistics that Kaspersky analysts had pulled together showing that over 100,000 samples of mobile malware had been added to the company’s library as of June 30 of this year (the majority falling into its Backdoor, Trojan, and Trojan-SMS categories). Likewise, McAfee’s Q2 2013 threat report indicated that by halfway through this year, the company had already collected about as many mobile malware samples as it did in all of 2012, adding more than 17,000 samples to its database in Q2 alone.

“There’s that hockey stick growth in malware in general, and an even steeper pitch in mobile malware,” said Birmingham. “It’s the easiest target. I don’t think people in general understand that smartphones are nothing more than small, really smart computers. They’re great targets for malware.”

More specifically, Birmingham said the biggest growth rate for mobile malware is on the Android platform. The open nature of Google’s operating system makes it easy for anybody to develop for it, including malware developers; according to Kaspersky research, in 2012, 99 percent of total mobile malware detections were targeting Android. McAfee’s research indicated that this statistic was also true as recently as Q2 of this year.


“We’ve seen plenty of malicious apps making it into the Google Play store and only after the fact is Google realizing what it is,” said Sabey. “That’s the real telltale sign that there’s a problem: that you can go into this supposedly legitimate place and still get infected.”

While Apple has a more thorough vetting process for its applications, iOS is not invulnerable either. Fewer mobile security agents are available on iOS – likely a contributor to the low numbers discovered by the IDC survey – and the very process that makes the platform safe results in a slow response time in terms of approving and rolling out patches. Either way, said Birmingham, users need to be safer.

“These devices are computers and I would ask people if they would operate their computers at home without an anti-virus solution,” said Birmingham.

He went on to point out that malware has gone from nuisance-based to malware for profit, and that attackers are going to go where it’s easiest to go. The industry is partially to blame, Birmingham says, because it hasn’t drawn enough attention to the fact that mobile devices require protection.

Sabey added, “The value of the data on the device is much more valuable than the device itself. And these malware developers are reading the same stats you are. They see that nobody’s protected on their mobile devices and say, ‘Okay, let’s go after that.'”

But even the vendors don’t appear to be in agreement over whether the threat is here, or simply on its way. Fey admitted that while there is plenty of mobile malware in existence, there has yet to be a significant, large-scale attack. It’s coming though, he said, because the growth of mobile malware is exponential; it’s just a matter of when.

“Our data shows that every month, [cases of mobile malware] are higher and higher. It’s escalating faster than it did in the PC world,” said Fey. “It’s coming our way. The timing is up for the debate, the inevitability is not.”

Shields was more or less on the same page, saying that a storm is definitely brewing, but it has yet to arrive because right now most businesses are in a state of flux in terms of making the shift to mobile. “Once the mobile population takes over the PC population, they’ll shift,” said Shields of attackers’ targets. He admitted that he’s been bracing himself for a high-profile infection to break onto the scene, though it has yet to come.

“I wrote the first piece of BlackBerry spyware in 2010 [for white hat reasons] and I’ve been saying it’s coming and it still hasn’t come. But the stars are beginning to align.” If you look at the trends across the board, he said – including the increasing percentage of BYOD users and those with multiple devices, as well as the gradually decreasing number of people who travel with laptops – it’s telling.

“It’s an eventual convergence,” Shields continued. “I can’t say when a major attack is going to strike, but if I had to guess, I’d say somewhere in the next three years.”

But he, like Zumerle, maintained that malware isn’t as much of a concern right at this moment. “What’s holding [malware programmers] off is that it’s still so easy to do it on the PC side, so why bother? Right now there’s no need for them to move into the mobile space. [PCs are] the path of least resistance. But they’ll have something to move to eventually.”

He went on to add that if anything, attackers are likely to start with targeted attacks first after the majority of users make the shift to mobile.

“What you will see before the massive quantity attacks are the targeted attacks. Advanced persistent threats will happen first as they target specific peoples’ phones.” This is, of course, so the attackers can test the waters while also ensuring that they pinpoint high-profile, person-of-interest type targets where money stands to be made off of the attacks.

“Once the attackers are comfortable, they’ll move over to mass attacks,” he said.

Fey agreed, saying that in the case of targeted attacks, attackers can exploit any platform they choose, but a large-scale attack is another story. “When you look at things en masse…we just haven’t seen these mass shifts to mobile yet,” he said. “But you’re seeing the concern from companies like Samsung to make sure that their devices are more secure than everyone else’s.”

Malware fighting alternatives

Those who are concerned about mobile malware, said Zumerle, should be less focused on anti-virus software and more focused on countering it at the source. “Have an enterprise app store for your users, or use tools like secure web gateway,” he said. “Clean the networks or the app store or both. These are much more efficient solutions and are aligned to the model that you get from the mobile device ecosystem in general.”

Zumerle also suggested that IT not allow users to jailbreak or root their phones. “If you break the sandboxing mechanism, there are a whole lot of other vulnerabilities,” he said. “Don’t allow privilege escalation. You can do this with an MDM suite with jailbreak detection.”

Essentially, the idea is that IT should ensure that security controls on a device are enabled before they’re even connected into a company’s environment. This, of course, includes encryption, secure passwords, and the original version of the OS. “You want to set a bar of entry,” said Fey. “You can get additional security with mobile security solutions, but at a bare minimum, you want to confirm a viable configuration before you let a connection back to your servers.”

But some say that MDM, or at least some aspects of it, isn’t a perfect solution either. It can aid in detection, Shields said, for instance by noticing that a phone has been rooted. As a form of secondary detection MDM is serviceable, but it can’t generally be considered a security solution in the traditional sense.

“MDM in the traditional sense won’t stop anything,” added Shields.

Shields did agree, however, that controlling the software that ends up on the device is key. Envisioning security as a stack – with the network carrier at the bottom, then the hardware, then the OS, and finally the applications – Shields says that none of these layers can be controlled or secured by enterprise security teams except the applications and data themselves. “So to prevent infection, you need to limit the applications put on the device to only the ones that have been properly vetted for security and privacy.”
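The “bar of entry” Fey and Zumerle describe (no jailbreak or root, encryption on, a real passcode, stock OS) and the vetted-apps-only rule Shields adds can be combined into one admission check that runs before a device is let near corporate servers. The following is an added example and not the code of any MDM product named or implied in the article. The posture record is what an agent on the device would report; the two sample devices, the policy thresholds and the enterprise store’s package name are assumed values. The filesystem paths and the `ro.build.tags` check are the kind of probes jailbreak detection commonly relies on, listed here as illustrations rather than as a complete set.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Artefacts a stock, un-rooted build should not carry. Illustrative, not
# exhaustive; a root-hiding tool can defeat simple path probes, which is the
# limitation Shields has in mind when he calls MDM "secondary detection".
ANDROID_ROOT_PATHS = frozenset({
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/system/app/Superuser.apk", "/data/local/tmp/su",
})
IOS_JAILBREAK_PATHS = frozenset({
    "/Applications/Cydia.app", "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash", "/usr/sbin/sshd", "/etc/apt",
})

PLAY_STORE = "com.android.vending"
ENTERPRISE_STORE = "com.example.corp.appstore"   # assumed name of the company's own store
ALLOWED_INSTALLERS = frozenset({PLAY_STORE, ENTERPRISE_STORE})

# Policy thresholds: assumed values, not figures from the article.
MIN_OS: Dict[str, Tuple[int, int]] = {"android": (4, 2), "ios": (6, 1)}
MIN_PASSCODE_LENGTH = 6


@dataclass
class Posture:
    """What the agent reports about one device. All values are constructed."""
    platform: str                  # "android" or "ios"
    os_version: Tuple[int, int]
    present_paths: Set[str]        # paths the agent found on the filesystem
    build_tags: str                # Android ro.build.tags; "release-keys" on stock builds
    storage_encrypted: bool
    passcode_length: int
    installer_sources: Set[str]    # package names of whatever installed the apps


def root_indicators(p: Posture) -> List[str]:
    """Evidence that the platform sandbox has been broken, in a stable order."""
    probes = ANDROID_ROOT_PATHS if p.platform == "android" else IOS_JAILBREAK_PATHS
    hits = sorted(p.present_paths & probes)
    if p.platform == "android" and p.build_tags == "test-keys":
        hits.append("ro.build.tags=test-keys")   # image signed with public AOSP keys
    return hits


def admission_failures(p: Posture) -> List[str]:
    """Every reason this device must not be connected to corporate servers."""
    failures: List[str] = []
    rooted = root_indicators(p)
    if rooted:
        failures.append("rooted/jailbroken: " + ", ".join(rooted))
    minimum = MIN_OS[p.platform]
    if p.os_version < minimum:
        failures.append("OS %s below minimum %s" % (
            ".".join(map(str, p.os_version)), ".".join(map(str, minimum))))
    if not p.storage_encrypted:
        failures.append("device storage not encrypted")
    if p.passcode_length < MIN_PASSCODE_LENGTH:
        failures.append("passcode shorter than %d characters" % MIN_PASSCODE_LENGTH)
    unvetted = sorted(p.installer_sources - ALLOWED_INSTALLERS)
    if unvetted:
        failures.append("apps installed from unvetted sources: " + ", ".join(unvetted))
    return failures


def admit(p: Posture) -> bool:
    return not admission_failures(p)


# Constructed reports: one compliant phone, one rooted phone with sideloaded apps.
CLEAN = Posture("android", (4, 3), {"/system/bin/sh"}, "release-keys",
                True, 8, {PLAY_STORE, ENTERPRISE_STORE})
ROOTED = Posture("android", (4, 1), {"/system/bin/sh", "/system/xbin/su"}, "test-keys",
                 False, 4, {PLAY_STORE, "com.thirdparty.market"})

if __name__ == "__main__":
    for name, report in (("clean", CLEAN), ("rooted", ROOTED)):
        print(name, "admit" if admit(report) else "deny", admission_failures(report))
```

The check returns every failure rather than stopping at the first, so the user can be told what to fix, and it runs entirely on the posture the agent reports: nothing here inspects app code, which is why Shields’s point stands that this gate keeps non-compliant devices out but does not by itself stop malware on a device that passes.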

Perhaps the most important step in preventing infection is awareness and changing the mentality of both users and security teams. When it comes to mobile security, said Zumerle, the approach needs to be a radical change from the way workstations have been secured in the past.

“You need to protect data in different ways. You need to focus on apps,” he said.

This is why, said Zumerle, MDM focus has generally been shifting toward apps. Encryption, passwords, etc. are good, but those considering allowing BYOD or generally wanting their workforce to be more flexible need to containerize important apps.

Birmingham added that while Kaspersky can containerize and wall off corporate data on phones, there are other important security measures to take. “Another thing you’re going to want to do is to wipe just the corporate side remotely if the phone is lost,” he said. “You also want to make sure the data container is encrypted, that way that data is ambiguous if you can’t wipe it in time.”

So with these other options, does this mean that anti-virus software isn’t necessary? When asked directly if his company’s software was essential to enterprise users right now, Fey was adamant in his response, suggesting that even if there isn’t an immediate threat of a widespread attack, the types of existing threats are no less dangerous.

“Without a doubt, yes [it’s necessary]. We have seen actual attacks, and these are safe guards that will help protect users from hundreds of thousands of different types of attacks,” he said.

“As we look at mobile security in the future, it will be measured in damages, not the damaged.”