"Designed to perform more like computers, it is becoming easier for hackers to develop malware for them. According to data from a global leader in IT security, mobile malware samples grew by 112%, with 'malvertising' being a major source. Users are also inadvertently infecting their devices by downloading applications and games from unsafe mobile application marketplaces," says Broeke.
'Malvertising' infections usually happen as a result of a user clicking on an advert while browsing the net on their phones. The advert may be in the form of a pop-up or alert warning that the device is already infected and needs "fixing" with the advertised software. These social engineering methods effectively trick people into installing malware themselves.
Malware can also be installed onto a device in what security experts refer to as "drive-by downloads". This is when the device becomes infected as a result of the user simply loading the web page. Unfortunately, most users don't even realise when it's happening.
Once on the device, the malicious link often leads to a browser exploit kit, which exploits flaws in browser plugins as well as the browsers themselves. Just about any type of malware can be delivered via a browser exploit kit, from banking Trojans to ransomware to spyware.
Broeke says that while the risk of mobile malware infection is still relatively low when compared to malware infections on PCs and laptops, the danger is very real once a device is infected.
Some pieces of malware are there to spy on users to gather information such as phone logs, user location and smses, while other pieces of code will install annoying adverts in the device's photo albums and calendar, and sometimes even push messages to the device's notification bar.
Banking Trojans monitor devices for banking transactions, gathering sensitive details like passwords and account numbers. Then there is malware which causes a device to send out SMSes to premium-rate numbers. These costs are then charged to the user's account. There are also pieces of malware which are designed to infect a computer when an infected mobile device is plugged-in.
"Users must use common sense and avoid clicking on links in emails and be careful about the files they download. Applications should only by downloaded via reputable app stores. Increasing user awareness around the threat of mobile malware is also companies' interests, given that employees are using mobile devices to do their work.
"Monitoring mobile device traffic with an effective mobile device management solution can also help stop the spread of malware that gets past traditional preventative controls," advises Broeke.
He says companies should implement a well-constructed security policy around the use of mobile devices for business-related purposes and enforce it with a mobile device management (MDM) solution.
"The fact is that mobile devices open-up corporate networks and resources to a range of threats. Companies must formally-define the parameters around the usage of mobile devices for work. The policy should detail the security requirements for each type of mobile device that is used in the workplace and connected to the corporate network. This could include the way that passwords are configured, prohibit specific types of applications from being installed on the device, and the encryption of data stored on devices.
"Enforcing a security policy also allows companies to limit the activities that employees are allowed to perform on devices at work and enforce periodic IT audits to ensure devices meet minimum security requirements."
