Mobile-Only Era
AhnLab V3 Mobile, a comprehensive mobile security solution
Issue 10
In 2015, mobile devices are expected to make up 78.4 percent of worldwide device shipments. As the number of mobile device users increases and more personal and critical data are saved to mobile devices, attackers have begun to target them. Since 2013, there has been a sharp rise in mobile malware, and their attack techniques and methods are becoming increasingly sophisticated. In this regard, detecting mobile threats and protecting mobile devices have become the first priority for security vendors and mobile device users.

In this report, you can find not only the latest mobile threat trend but also the reason why AhnLab V3 Mobile is highly evaluated by global security research and certificate institutions.

Contents
Changes in the Mobile Market and Increase in Mobile Malware
AhnLab V3 Mobile and Robust Engine
What makes AhnLab V3 Mobile Engine powerful?
From the Gartner Files: Protecting Mobile Devices Against Malware and Potentially Unwanted
About AhnLab

Changes in the Mobile Market and Increase in Mobile Malware
We are now living in a Mobile-Only era. We have shifted beyond the age of
Mobile-First, where people reached for their mobile devices instead of their desktop
computers, to Mobile-Only, where our everyday life becomes increasingly tied to
mobile devices, including shopping, banking and even entertaining. According to
Gartner, the leading global IT research analysts, 77.68 percent of the devices shipped in
2014 were mobile devices (see Table 1).
Table 1. Worldwide Devices Shipments by Device Type, 2014-2017 (Millions of Units)
With this change, security threats aimed at mobile devices are on the rise, resulting in an increased number of mobile devices being attacked by malware since 2014. Recently, a mobile ransomware called SimpleLocker disguised itself as a message from the FBI and caused considerable damage.

In South Korea, a mobile security threat called SMiShing became a serious social issue. SMiShing, short for SMS phishing, has evolved in terms of social engineering and malware type. SMiShing was first used for micropayment scams, but recently, cyber criminals are using this technique to cause greater financial damage by stealing financial information needed for online banking. According to AhnLab Security Response Center, the number of SMiShing attacks has dramatically increased since 2012 (see Fig. 1).

Given that South Korea boasts one of the highest numbers of mobile phone users as well as fastest average internet connection speed, SMiShing has the possibility to soon spread throughout the world. There has also been a growth in fake banking applications in accordance with the rapid increase in mobile banking transactions in South Korea.
Source: AhnLab
AhnLab V3 Mobile and Robust Engine
In order to protect the mobile environment, AhnLab, Inc. provides various mobile security products: AhnLab V3 Mobile 2.0, AhnLab V3 Mobile Plus, AhnLab Safe Message and AhnLab V3 Mobile Security.

- AhnLab V3 Mobile 2.0, a mobile anti-virus application for Android-based mobile devices
- AhnLab V3 Mobile Plus, a mobile transaction security solution that interoperates with financial applications and is adopted by more than 90 financial institutions in South Korea
- AhnLab Safe Message, an anti-SMiShing application
- AhnLab V3 Mobile Security, an Android-based mobile security solution that supports malware scanning and privacy protection

These mobile security solutions employ the AhnLab V3 Mobile engine to provide robust mobile protection. The V3 Mobile engine has received high scores in the protection and performance tests of AV-Comparatives and AV-TEST. Ever since AV-TEST started testing the mobile environment in 2013, the AhnLab V3 Mobile engine has participated in the tests and been verified 16 times (as of July 2015). Furthermore, in 8 out of the 10 tests from 2014 to July this year, the V3 Mobile engine scored a 100 percent malware detection rate. In the latest test, conducted in July 2015, V3 Mobile scored 100 percent in both the protection test and the new real-time detection test. It also scored full marks in the usability test (impact of battery life, slowdown of device and traffic generation). It scored 13 out of 13 with additional scores from the Features section, and earned the AV-Test certification.
Source: AhnLab (March 2015) A Smart Choice for a Mobile-Only Era Issue 10 3
What makes AhnLab V3 Mobile Engine powerful?
What is the secret to AhnLab V3 Mobile being highly evaluated by security researchers? As the largest security vendor in South Korea with more than 20 years of knowhow, AhnLab has developed exclusive technologies in malware collection, analysis, categorizing and response. AhnLab V3 Mobile has been designed with AhnLab's exceptional technology and has its own automated analysis program-based mobile response process system.

AhnLab presents AhnLab Malware Response Process, which consists of AhnLab's malware response knowhow and automated analysis system. With this process, it takes less than 20 minutes to collect and analyze malware samples and update signature rules in the V3 Mobile engine [see Fig. 3].

First, malware samples are collected through various routes such as AhnLab's products, programmed crawler, 3rd party partners and customer inquiries or reports. AhnLab Malware Processing (AMP), a web-based malware collecting system, automatically processes the samples submitted by customers.

Then, the collected samples are sent to IRIS, a mobile heuristic analysis system developed by AhnLab Security Response Center. IRIS collects and automatically analyzes the Android apps, extracts malicious traits, categorizes them into similar groups and makes a final diagnosis. In other words, it shows the diagnosis result and sample information by priority in order to enable a proactive malware response.

In this process, there are special structures that reflect the knowhow of AhnLab's analysts:

- CANNON is a real-time sample processor that extracts sample information and values for malicious/non-malicious diagnosis. The malware analysts at AhnLab create rules based on the Android files extracted from CANNON and save them to the DB.
- CHARKA is a real-time network diagnosis engine that diagnoses ever-increasing SMiShing malware. When AhnLab Safe Message collects SMiShing samples, the server downloads the samples that will be processed by CHARKA.
- The recently developed DEVIL (DEx VIsuaLizer) is an analyzer that visualizes a mobile app's life cycle and the correlation of malicious app components. Malicious behaviors can be diagnosed by viewing the class the components are in.

Since 2014, AhnLab built its own mobile malware response process and automated the collection-categorizing-analysis-response system. The system provides a fast response by processing 100,000 malware samples a day. AhnLab has also minimized false-positives by putting default apps and normal apps from Android Market in a Whitelist. The diagnosis has been sped up using the caching and fingerprinting techniques.

That is the reason why major smartphone manufacturers such as Samsung and LG have adopted AhnLab V3 Mobile 2.0 as a built-in application in their mobile devices released in South Korea. AhnLab continues its research in diagnosis techniques and in conducting projects on automatic categorization to maintain its number one position in the mobile security area.

Source: AhnLab

Mobile malware numbers are growing. New attack vectors from mobile devices pose an emerging risk to the enterprise. Organizations with high security needs must have a strategy to defend against mobile malware and potentially unwanted applications.

Key Findings
- Mobile malware is leveraging new attack vectors that may pose increased risk to the enterprise.
- iOS and Android devices do not have to be jailbroken or rooted to be susceptible to attack.
- Android is currently the largest target for mobile malware and unwanted applications, but iOS malware and attacks have begun to surface.
- Some mobile anti-malware solutions only protect after the phone is infected, due to the lack of access to the kernel.
- Windows Phone is still not targeted by malware authors or mobile security solution providers, partially because of the lower market penetration.

Recommendations
- Evaluate the risks and new tactics being leveraged on mobile devices by malware.
- Look to mobile device security solutions with cloud-based application reputation services and integration with current MDM/EMM solution.
- Verify applications are installed only from trusted sources.
- Deliver training to drive user awareness of what permissions mobile applications are requesting to help reduce unwanted applications from being installed.

Comparison
The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales year over year, and the proliferation of bring your own device (BYOD) in the enterprise. Every year, we see new statistics claiming hundreds of percentage growth in mobile malware, but what does that mean to the enterprise IT staff? Is mobile malware a risk to the enterprise? And what are potentially unwanted applications?

Let us start by defining mobile malware as a program or piece of code that exploits a vulnerability to impose a security risk to a user's mobile device and/or information. Categories of malware include viruses, rootkits, worms, botnets, spyware and trojans. Potentially unwanted applications are programs that have been installed on mobile devices, usually with the user's consent, but with unclear intentions that can have negative consequences to privacy or to the performance of the device.

The most attacked mobile platform in 2014 was the Android OS. This was due to its openness, multiple versions, numerous app stores and device numbers of over 1 billion worldwide. F-Secure reported 275 new threat families in 1Q14 alone on the Android platform. Kaspersky Lab reported that from August 2013 through July 2014, over 1 million Android users were attacked 3.4 million times. These numbers, compared with the total number of devices and the PC threat landscape, are relatively small. Although we don't have evidence of confirmed mobile malware attacks on enterprises, the new types of attacks and vectors should create concern with high-security-minded organizations. Other organizations may not need to implement mobile malware solutions yet, but should keep apprised of the threat landscape and have compensating controls to protect their enterprise resources.

Mobile OSs have been designed to be more resilient against some of the traditional attacks, so it becomes more difficult for the security vendors to have signature-based solutions. There is no concept of kernel mode access for the security solutions to fully protect against malicious attacks. This has driven alternate methods for mobile security solutions to try to secure the devices. Furthermore, not all methods of protection are available for all of the different mobile OSs, because of their different approaches to architecture. For example, Android allows for more access to configuration, policy settings and other phone resources, versus iOS and Windows Phone, which lend themselves to solutions based upon behavioral or machine-learning engines to monitor the changes on the device and determine possible risk. One example was the Zeus-in-the-mobile malware that targeted SMS notifications sent by the banking industry for authentication codes. This malware was successful on Android because it was granted access to the SMS channel of the device, whereas iOS does not allow this type of access by applications.

Table 1 discusses which types of solutions are effective in detecting, preventing and remediating against the different categories of mobile attacks. For more details on the different protection solutions, refer to the Mobile Security Solution section.

Mobile Attacks | Anti-Malware Signature | Anti-Malware Signatureless | Platform Protection | Mobile App Risk Mgmt | MDM/EMM | Education | Network-Based Protection | Safe Browser
Mobile Malware D, R D, P D, P, R D R D P*
Kernel Level/Jailbreak/Root D P, R D, R D, P, R P*
HW/USB D, R P, R D, R
Unwanted Apps D, R D, P, R D, R D, P, R D, P D P*
Network-Based D, R D, P, R D, P*
Malicious Profile iOS D, R R D, P D P*

Some of these solutions are not available on all the platforms due to the architecture of the mobile device, as discussed above. In Table 2, we compare the effectiveness of the solutions to the mobile OS and recommended possible solutions to prevent the mobile attacks listed in Table 1.

Anti-malware signature-based solutions are currently only available on Android due to the nature of the access to the OS, but in many cases, they can only detect and remediate the malware after it has been installed and the signature has been updated on the device. The anti-malware no-signature solutions are based upon behavioral, device or configuration analysis. They can be more effective than signature-based solutions and are available on Android and iOS. These solutions have more access to the Android OS due to the openness of the OS, and have more possible visibility into the health of the device and applications. They are less mature on iOS due to the lack of access to the system, applications and configurations. Android, iOS and Windows Phone have built-in OS platform protections, such as device encryption, address space layout randomization (ASLR), data execution prevention (DEP) and secure boot, just to name a few. Mobile application reputation solutions are available on Android and iOS. These are recommended when Android or jailbroken iOS devices are using third-party application stores, and IT organizations want to understand the risk scores of installed applications. Mobile device management/enterprise mobility management (MDM/EMM) solutions are available on Android, iOS and Windows Phone, and can be integrated with some of the anti-malware, mobile application reputation solutions or network-based solutions to help with remediation activities. Network-based solutions like secure Web gateways (SWGs) or VPNs are available on Android, iOS and Windows Phone, and can be leveraged to secure network traffic on fully managed devices to prevent man in the middle (MITM) attacks. Safe browser solutions are available on all three platforms, but only help prevent attacks if the malicious websites have been identified in advance in the Internet Protocol (IP) reputation portion of the solution.

Analysis
There is a misconception that malware is the same on mobile devices as in the traditional desktop world. The problem with this statement is that mobile architecture is built to prevent some of the attacks that succeed on the desktop. Many of the new mobile operating systems do not allow access to the kernel; they have application-level containerization, secure boot for the system, secure browsers without add-ons and other security features that prevent the common desktop malware from being effective. Apple, Google and Microsoft have built-in security features to reduce the attack footprint of the mobile device. For a deeper dive into the latest security features, reference the Gartner research on Mobile Device Security: A Comparison of Platforms.

In many cases, traditional anti-malware agents installed on mobile devices cannot prevent malicious software from being installed because they do not have access to the kernel, and therefore do not have visibility into what is being installed until after the fact. This is why vendors are looking to alternative ways to protect mobile devices. Many vendors have built application reputation services that can be integrated with MDM or EMM solutions to help the enterprise manage the applications installed on the mobile devices. The IT organizations can then set policies and actions to take based upon the risk level of the applications. The other options for detecting malicious actions are to monitor the network stack, or to force all traffic through a VPN or secure Web gateway. This allows the security solution to gain an understanding of where the applications are connecting to, and then to leverage an IP reputation service to compare against known malicious sites.

According to mobile malware security reports from 2014, the majority of malicious attacks are based upon the trojan category. Some examples of trojan behavior on the mobile devices include SMS sending, file or app downloading, location tracking, banking fraud, data theft, and fee charging, just to name a few. Most mobile malware attacks on individuals are motivated by profit. The mobile security vendors have seen possible trends of attackers that are looking to steal personal information for possible spear-phishing attempts. Once infected, the mobile device could also be leveraged as a new attack vector to infiltrate the enterprise PCs and networks.

New and Expanded Attack Vectors
In the recent mobile threat reports from F-Secure, Kaspersky and Cisco, there have been increases across the board for Android and iOS mobile threats. The latest generation of attacks has begun to implement new attack vectors that IT organizations need to be aware of to defend the enterprise. Figure 1 shows a few of the most prevalent sources and paths for mobile malware to attempt to gain access to the enterprise.

[Figure 1. Diagram labels: Internet, SMS/MMS, Enterprise, Cloud Storage, Corp Storage, Malware Source, Unwanted Application Source]

One of the main sources for today's attacks is the nonstandard application stores. These are third-party, private or hacker-run application stores, potentially filled with malicious or unwanted applications. Android allows applications to be installed from multiple application stores, while iOS devices must be jailbroken to leverage third-party stores. One common practice for the malicious actors is to get popular applications, repackage them with malicious code and submit them to third-party app stores.

Another source of malware comes from malicious websites that try to install mobile applications, profiles or certificates on the user's device. Once an iOS user installs a malicious profile with an attached root certificate, the device can then be controlled, and all traffic (encrypted or unencrypted) can be sniffed by the malicious author. Unsecured public Wi-Fi networks or stingray (cell tower masquerading) tactics can also pose a network-based threat for MITM-style attacks. These attacks allow for unencrypted IP traffic for the Wi-Fi and voice traffic for the stingray device to be sniffed. Sometimes they can be combined with other forms of malware that allow for decryption of traffic as well. Email, SMS and Multimedia Messaging Service (MMS) are other attack vectors that can have embedded links to malicious applications. Once infected with malicious code, the next step is not always targeting the mobile device, but possibly targeting the user's other devices through USB connections, or over the carrier network or Wi-Fi to cloud storage or corporate resources. For example, there were Android games that would create an infected PDF, HTML or other file type, and then sync it up to a cloud file store. Then when the user opened the file on a Mac or PC, it had code targeting the desktop OS.

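
The malicious-profile vector described above (an iOS profile with an attached root certificate) can be screened for before a profile is trusted or distributed. The following is an added example, not part of the original report or of any vendor's product: it parses a .mobileconfig file and flags payloads that add trusted certificates or redirect traffic. The block/review/allow policy and the constructed sample profile are assumptions made for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple configuration-profile PayloadType values that change which
# certificates a device trusts or where its traffic is sent.
TRUST_TYPES = {
    "com.apple.security.root": "adds a root CA to the trust store",
    "com.apple.security.pkcs1": "installs a certificate",
    "com.apple.security.pem": "installs a certificate",
}
ROUTING_TYPES = {
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.proxy.http.global": "forces traffic through an HTTP proxy",
}

def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig; signed profiles wrap the plist in a CMS blob."""
    try:
        profile = plistlib.loads(data)
    except (ValueError, ExpatError):
        # Heuristic for signed profiles: slice out the embedded XML plist.
        # This does NOT verify the signature.
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < start:
            raise ValueError("no property list found in profile")
        profile = plistlib.loads(data[start:end + len(b"</plist>")])
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    return profile

def audit_profile(data: bytes) -> list:
    """Return one finding per payload that alters trust or traffic routing."""
    profile = load_profile(data)
    findings = []
    if "EncryptedPayloadContent" in profile:
        findings.append({"type": "encrypted", "name": "(opaque)",
                         "reason": "payloads are encrypted and cannot be inspected"})
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        ptype = payload.get("PayloadType", "")
        reason = TRUST_TYPES.get(ptype) or ROUTING_TYPES.get(ptype)
        if reason:
            findings.append({"type": ptype, "reason": reason,
                             "name": payload.get("PayloadDisplayName", "(unnamed)")})
    return findings

def verdict(findings: list) -> str:
    """Assumed policy: new root CA plus traffic redirection means interception."""
    types = {f["type"] for f in findings}
    adds_root = "com.apple.security.root" in types
    reroutes = bool(types & set(ROUTING_TYPES))
    if adds_root and reroutes:
        return "block"
    return "review" if findings else "allow"

def sample_profile(with_proxy: bool) -> bytes:
    """Constructed sample input; the certificate bytes are not a real cert."""
    content = [{"PayloadType": "com.apple.security.root",
                "PayloadDisplayName": "Free WiFi Helper CA",
                "PayloadContent": b"constructed-placeholder-bytes"}]
    if with_proxy:
        content.append({"PayloadType": "com.apple.proxy.http.global",
                        "PayloadDisplayName": "Network Settings"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})

if __name__ == "__main__":
    for f in audit_profile(sample_profile(True)):
        print(f["type"], "-", f["reason"])
    print("verdict:", verdict(audit_profile(sample_profile(True))))
```

A check like this fits where profiles arrive from outside the MDM/EMM channel, such as a mail or web gateway; it inspects content only and is no substitute for verifying who signed the profile.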
Source: F-Secure
This problem does not only pertain to Android. There are third-party application stores for iOS as well. Cydia is the most popular alternative to Apple's App Store. It requires the device to be jailbroken for the applications to be installable. Cydia offers applications that Apple has rejected for violating their curation processes or competing with their applications, as well as applications that allow for additional configurations that Apple has blocked to mainstream users. This practice is more common in Asia, as it allows users there to operate their devices more effectively.

In the Mobile Threat Report from F-Secure for 1Q14, 275 new threat families were discovered for Android, which made up 91% of all the discovered malware. Google has done a good job on monitoring the security of their Play Store, but some of the third-party stores such as the ones in Asia and the Middle East (Mumayi, AnZhi, Baidu) that repackage applications do not have the same stringent security practices. Figure 2, from F-Secure,1 shows that less than 0.1% of the samples received from the Google Play Store were infected, versus up to 8% of samples from stores like Baidu and even 33% from the small, private Android159 store.

Even though the Google Play and Apple Store have built highly functional mobile application curation, potentially unwanted applications still exist in each store. The 2014 Appthority App Reputation Report revealed that 78% of the top Android paid apps and 87% of the top iOS paid apps had at least one of the top 10 risky behaviors detected. This shows that even though Apple and Google are removing malicious applications from their application stores, mobile developers are still able to create applications that mine personal and possibly corporate data, and have them published in the main stores.

A Smart Choice for a Mobile-Only Era is published by AhnLab. Editorial content supplied by AhnLab is independent of Gartner analysis. All Gartner research is used with Gartner's permission,
and was originally published as part of Gartner's syndicated research service available to all entitled Gartner clients. 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner
research in this publication does not indicate Gartner's endorsement of AhnLab's products and/or strategies. Reproduction or distribution of this publication in any form without Gartner's prior written
permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice
or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in
Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence
from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website,
http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.