A Smart Choice for a
Mobile-Only Era
Issue 10
1 expected to make up 78.4
Changes in the Mobile Market
and Increase in Mobile Malware
3 and more personal and critical
AhnLab V3 Mobile and Robust
Engine
4 a sharp rise in mobile malware,
What makes AhnLab V3 Mobile
Engine powerful?
6
From the Gartner Files:
Protecting Mobile Devices
Against Malware and
Potentially Unwanted
19
About AhnLab
AhnLab V3 Mobile, a comprehensive mobile security solution
In 2015, mobile devices are
percent of worldwide device
shipments. As the number of
mobile device users increases
data are saved to mobile devices,
attackers have begun to target
them. Since 2013, there has been
and their attack techniques
and methods are becoming
increasingly sophisticated. In
this regard, detecting mobile threats and protecting mobile devices have become the first
priority for security vendors and mobile device users.
In this report, you can find not only the latest mobile threat trend but also the reason
why AhnLab V3 Mobile is highly evaluated by global security research and certificate
institutions.
Changes in the Mobile Market and Increase in Mobile Malware
We are now living in a Mobile-Only era. We have shifted beyond the age of
Mobile-First, where people reached for their mobile devices instead of their desktop
computers, to Mobile-Only, where our everyday life becomes increasingly tied to
mobile devices, including shopping, banking and even entertaining. According to
Gartner, the leading global IT research analysts, 77.68 percent of the devices shipped in
2014 were mobile devices (see Table 1).
 Table 1. Worldwide Devices Shipments by Device Type, 2014-2017 (Millions of Units)

Device Type 2014 2015 2016 2017

Traditional PCs (Desk-Based and Notebook) 277 251 243 233
Ultramobiles (Premium) 37 49 68 89
PC Market 314 300 311 322
Ultramobiles (Tablets and Clamshells) 226 214 228 244
Computing Devices Market 540 514 539 566
Mobile Phones 1,879 1,940 2,007 2,062
Total Devices Market 2,419 2,454 2,546 2,628
Note: The Ultramobile (Premium) category includes devices such as Microsofts Windows 8 Intel x86 products and Apples MacBook Air.
The Ultramobile (Tablets and Clamshells) category includes devices such as, iPad, iPad mini, Samsung Galaxy Tab S 10.5, Nexus 7 and Acer Iconia Tab 8.
Ultramobiles All Ultramobile Basic and Utility Devices.
Source: Gartner (July 2015)

With this change, security threats
aimed at mobile devices are on
the rise, resulting in an increased
number of mobile devices being
attacked by malware since 2014.
Recently, a mobile ransomware called
SimpleLocker disguised itself as a
message from the FBI and caused
considerable damage.
In South Korea, a mobile security
threat called SMiShing became
a serious social issue. SMiShing,
short for SMS phishing, has evolved
in terms of social engineering and
malware type. SMiShing was first
used for micropayment scams, but
recently, cyber criminals are using
this technique to cause greater
financial damage by stealing financial
information needed for online
banking. According to AhnLab
Security Response Center, the number
of SMiShing attacks has dramatically
increased since 2012 (see Fig. 1).
Given that South Korea boasts one
of the highest numbers of mobile
phone users as well as fastest average
internet connection speed, SMiShing
has the possibility to soon spread
throughout the world. There has
also been a growth in fake banking
applications in accordance with the
rapid increase in mobile banking
transactions in South Korea.

Figure 1 Mobile Malware Statics and Trends

Source: AhnLab (March 2015)

2 A Smart Choice for a Mobile-Only Era Issue 10

Not only have these recent SMiShing, repackaging and fake applications been continuously increasing, but memory
fabrication and hackings caused by rooting and jail-breaking have been as well.

Table 2. Mobile Threats and Attack Techniques

Mobile Threats Description

Rooting (Android) Obtaining administrative system root or superuser types of privileged access for mobile devices
Jail-Breaking (iOS) Modifying mobile OS to obtain file system read and write access
Memory Searching Accessing external process memory
Modifying and manipulating data (e.g., financial data)
Repackaging Changing and compromising normal apps (e.g., fake banking app)
File Manipulation Manipulating data or files saved to mobile device storage
Pixel Sampling Manipulating control by obtaining and analyzing the RGB value of screen pixels
Malware Hacking mobile devices using malware to launch another attacks (e.g., DDoS)
Packet Manipulation Manipulating packet sent when communicating from app

Source: AhnLab

AhnLab V3 Mobile and Robust
Engine
In order to protect the mobile
environment, AhnLab, Inc. provides
various mobile security products
AhnLab V3 Mobile 2.0, AhnLab
V3 Mobile Plus, AhnLab Safe
Message and AhnLab V3 Mobile
Security; AhnLab V3 Mobile 2.0,
a mobile anti-virus application for
the Android-based mobile devices;
AhnLab V3 Mobile Plus, a mobile
transaction security solution
that interoperates with financial
applications and is adopted by more
than 90 financial institutions in
South Korea; AhnLab Safe Message,
an anti-SMiShing application; and
AhnLab V3 Mobile Security, an
Android-based mobile security
solution that supports malware
scanning and privacy protection.
These mobile security solutions
employ AhnLab V3 Mobile
engine to provide robust mobile
protection. The V3 Mobile engine
has received high scores in the
protection and performance tests
of AV-Comparatives and AV-TEST.
Ever since AV-TEST started testing
the mobile environment in 2013,
AhnLab V3 Mobile engine has
participated in the tests and been
verified for the 16 times (as of July
2015). Furthermore, 8 out of the 10
tests from 2014 to July this year, V3
Mobile engine scored a 100 percent
malware detection rate. Furthermore,
in the latest test conducted in July
2015, V3 Mobile scored 100 percent
both in the protection test and new
real-time detection test. It also scored
full marks in the usability test (impact
of battery life, slowdown of device
and traffic generation). It scored 13
out of 13 with additional scores from
the Features section, and earned the
AV-Test certification.

Figure 2 AhnLab V3 Mobiles Test Result from Global Comparative Tests

Source: AhnLab (March 2015) A Smart Choice for a Mobile-Only Era Issue 10 3
What makes AhnLab V3 Mobile Engine powerful?
What is the secret to AhnLab V3 Mobile being highly evaluated by security researchers? As the largest security vendor in
South Korea with more than 20 years of knowhow, AhnLab has developed exclusive technologies in malware collection,
analysis, categorizing and response. AhnLab V3 Mobile has been designed with AhnLabs exceptional technology and has

Figure 3 AhnLab Mobile Malware Response Process

Source: AhnLab

its own automated analysis program-
based mobile response process
system.
AhnLab presents AhnLab Malware
Response Process, which consists
of AhnLabs malware response
knowhow and automated analysis
system. With this process, it takes
less than 20 minutes to collect and
analyze malware samples and update
signature rules in the V3 Mobile
engine [see Fig. 3].
First, malware samples are collected
through various routes such as
AhnLabs products, programmed
crawler, 3rd party partners and
customer inquiries or reports.
AhnLab Malware Processing (AMP),
a web-based malware collecting
system, automatically processes the
samples submitted by customers.
Then, the collected samples are sent
to IRIS, a mobile heuristic analysis
system developed by AhnLab
Security Response Center. IRIS
collects and automatically analyzes
the Android apps, extracts malicious
traits, categorizes into similar groups
and makes a final diagnosis. In other
words, it shows the diagnosis result
and sample information by priority in
order to enable a proactive malware
response.
In this process, there exists special
structures that reflect the knowhow
of AhnLabs analysts; CANNON
is a real-time sample processor that
extracts sample information and values
for malicious/non-malicious diagnosis.
The malware analysts at AhnLab
create rules based on the Android files
extracted from CANNON and save
them to the DB. CHARKA is a real-
time network diagnosis engine that

4 A Smart Choice for a Mobile-Only Era Issue 10

 Figure 4
Source: AhnLab
diagnoses ever-increasing SMiShing
malware. When AhnLab Safe
Message collects SMiShing samples,
the server downloads the samples that
will be processed by CHARKA.
The recently developed DEVIL (DEx
VIsuaLizer), is an analyzer that
visualizes a mobile apps life cycle
and the correlation of malicious app
components. Malicious behaviors can
be diagnosed by viewing the class the
components are in.
DEVIL: Lifecycle APPs Component as Graph
Since 2014, AhnLab built its own
mobile malware response process
and automated the collection-
categorizing-analysis-response
system. The system provides a fast
response by processing 100,000
malware samples a day. AhnLab has
also minimized false-positives by
putting default apps and normal apps
from Android Market in a Whitelist.
The diagnosis has been sped up
using the caching and fingerprinting
techniques.
That is the reason why major
smartphone manufacturers such
as Samsung and LG have adopted
AhnLab V3 Mobile 2.0 as a built-in
application in their mobile devices
released in South Korea. AhnLab
continues its research in diagnosis
techniques and in conducting projects
on automatic categorization to
maintain its number one position in
the mobile security area.
Source: AhnLab
A Smart Choice for a Mobile-Only Era Issue 10 5

Protecting Mobile Devices Against Malware
and Potentially Unwanted Applications
Mobile malware numbers are
growing. New attack vectors from
mobile devices pose an emerging
risk to the enterprise. Organizations
with high security needs must have
a strategy to defend against mobile
malware and potentially unwanted
applications.
Key Findings
Mobile malware is leveraging
new attack vectors that may pose
increased risk to the enterprise.
iOS and Android devices do not
have to be jailbroken or rooted to
be susceptible to attack.
Android is currently the largest
target for mobile malware and
unwanted applications, but iOS
malware and attacks have begun to
surface.
Some mobile anti-malware
solutions only protect after the
phone is infected, due to the lack of
access to the kernel.
Windows Phone is still not
targeted by malware authors or
mobile security solution providers,
partially because of the lower
market penetration.
Recommendations
E Evaluate the risks and new
tactics being leveraged on mobile
devices by malware.
Look to mobile device security
solutions with cloud-based
application reputation services and
integration with current MDM/
EMM solution.
6 A Smart Choice for a Mobile-Only Era
From the Gartner Files:
Verify applications are installed
only from trusted sources.
Deliver training to drive user
awareness of what permissions
mobile applications are requesting
to help reduce unwanted
applications from being installed.
Comparison
The mobile attack landscape has
continued to grow and change with
the increase of smartphone and
tablet sales year over year, and the
proliferation of bring your own
device (BYOD) in the enterprise.
Every year, we see new statistics
claiming hundreds of percentage
growth in mobile malware, but what
does that mean to the enterprise IT
staff? Is mobile malware a risk to the
enterprise? And what are potentially
unwanted applications?
Let us start by defining mobile
malware as a program or piece of
code that exploits a vulnerability
to impose a security risk to a users
mobile device and/or information.
Categories of malware include
viruses, rootkits, worms, botnets,
spyware and trojans. Potential
unwanted applications are programs
that have been installed on mobile
devices, usually with the users
consent, but with unclear intentions
that can have negative consequences
to privacy or to the performance of
the device.
The most attacked mobile platform
in 2014 was the Android OS. This
was due to its openness, multiple
versions, numerous app stores and
device numbers of over 1 billion
Issue 10
worldwide. F-Secure reported
275 new threat families in 1Q14
alone on the Android platform.
Kaspersky Lab reported that from
August 2013 through July 2014,
over 1 million Android users were
attacked 3.4 million times. These
numbers, compared with the total
number of devices and the PC threat
landscape, are relatively small.
Although we dont have evidence of
confirmed mobile malware attacks
on enterprises, the new types of
attacks and vectors should create
concern with high-security-minded
organizations. Other organizations
may not need to implement mobile
malware solutions yet, but should
keep apprised of the threat landscape
and have compensating controls to
protect their enterprise resources.
Mobile OSs have been designed to
be more resilient against some of the
traditional attacks, so it becomes
more difficult for the security
vendors to have signature-based
solutions. There is no concept of
kernel mode access for the security
solutions to fully protect against
malicious attacks. This has driven
alternate methods for mobile security
solutions to try to secure the devices.
Furthermore, not all methods of
protection are available for all of the
different mobile OSs, because of their
different approaches to architecture.
For example, Android allows for
more access to configuration, policy
settings and other phone resources,
versus iOS and Windows Phone,
which lend themselves to solutions
based upon behavioral or machine-
learning engines to monitor the
 Table 1. Mobile Security Solution Effectiveness vs Attacks
Mobile Attacks Anti- Anti-Malware Platform Mobile MDM/EMM Education Network-
Malware Signatureless Protection App
Signature
Mobile Malware D, R
Kernel Level/
Jailbreak/Root
HW/USB
Unwanted Apps D, R
Network-Based
Malicious Profile
iOS
Legend: D = Detect, P = Prevent, R = Remediate
*- Will only prevent if the malicious website is known to the back-end service.
Source: Gartner (March 2015)
changes on the device and determine
possible risk. One example was the
Zeus-in-the-mobile malware that
targeted SMS notifications sent by the
banking industry for authentication
codes. This malware was successful on
Android because it was granted access
to the SMS channel of the device,
whereas iOS does not allow this type
of access by applications.
Table 1 discusses which types of
solutions are effective in detecting,
preventing and remediating against the
different categories of mobile attacks.
For more details on the different
protection solutions, refer to the
Mobile Security Solution section.
Some of these solutions are not
available on all the platforms due
to the architecture of the mobile
device, as discussed above. In Table
2, we compare the effectiveness of
the solutions to the mobile OS and
recommended possible solutions to
prevent the mobile attacks listed in
Table 1.
Safe
Based Browser
Risk Protection
Mgmt
D, P D, P, R D R
D P, R D, R
D, R P, R D, R
D, P, R D, R D, P, R
D, R
D, R R D, P
Anti-malware signature-based
solutions are currently only available
on Android due to the nature of
access to the OS, but in many cases,
they can only detect and remediate
the malware after it has been installed
and the signature has been updated
on the device. The anti-malware no-
signature solutions are based upon
behavioral, device or configuration
analysis. They can be more effective
than signature-based solutions and
are available on Android and iOS.
These solutions have more access to
the Android OS due to the openness
of the OS, and have more possible
visibility into the health of the
device and applications. They are
less mature on iOS due to the lack
of access to the system, applications
and configurations. Android, iOS
and Windows Phone have built-in
OS platform protections, such as
device encryption, address space
layout randomization (ASLR),
data execution prevention (DEP)
and secure boot, just to name a
few. Mobile application reputation
solutions are available on Android
D P*
D, P, R P*
D, P D P*
D, P, R D, P*
D P*
and iOS. These are recommended
when Android or jailbroken
iOS devices are using third-
party application stores, and IT
organizations want to understand the
risk scores of installed applications.
Mobile device management/enterprise
mobility management (MDM/
EMM) solutions are available
on Android, iOS and Windows
Phone, and can be integrated with
some of the anti-malware, mobile
application reputation solutions
or network-based solutions to
help with remediation activities.
Network-based solutions like secure
Web gateways (SWGs) or VPNs
are available on Android, iOS
and Windows Phone, and can be
leveraged to secure network traffic on
fully managed devices to prevent man
in the middle (MITM) attacks. Safe
browser solutions are available on all
three platforms, but only help prevent
attacks if the malicious websites
have been identified in advance in
the Internet Protocol (IP) reputation
portion of the solution.
A Smart Choice for a Mobile-Only Era Issue 10 7

Mobile Security Solutions
Anti-Malware Signature
Anti-Malware
Signatureless
Platform Protection
MARS
MDM/EMM
Network-Based
Safe Browser Protection
Source: Gartner (March 2015)
Analysis
There is a misconception that
malware is the same on mobile
devices as in the traditional desktop
world. The problem with this
statement is that mobile architecture
is built to prevent some of the
attacks that succeed on the desktop.
Many of the new mobile operating
systems do not allow access to the
kernel; they have application-level
containerization, secure boot for
the system, secure browsers without
add-ons and other security features
that prevent the common desktop
malware from being effective. Apple,
Google and Microsoft have built-in
security features to reduce the attack
footprint of the mobile device. For
a deeper dive into the latest security
features, reference the Gartner
research on Mobile Device Security:
A Comparison of Platforms.
In many cases, traditional anti-
malware agents installed on mobile
devices cannot prevent malicious
software from being installed because
they do not have access to the kernel,
8 A Smart Choice for a Mobile-Only Era
Table 2. Mobile Security Solution Effectiveness per OS
Android iOS
Available Partially Not Available (N/A)
Effective
Effective Partially Effective
Available Available
Recommended: Recommended:
Android 4.3 or higher iOS 7 or higher
Samsung Knox
Highly Effective Effective
Effective Effective
Effective Effective
Partially Effective Partially Effective
and therefore do not have visibility
into what is being installed until after
the fact. This is why vendors are
looking to alternative ways to protect
mobile devices. Many vendors have
built application reputation services
that can be integrated with MDM
or EMM solutions to help the
enterprise manage the applications
installed on the mobile devices. The
IT organizations can then set policies
and actions to take based upon the
risk level of the applications. The
other options for detecting malicious
actions are to monitor the network
stack, or to force all traffic through
a VPN or secure Web gateway.
This allows the security solution to
gain an understanding of where the
applications are connecting to, and
then leveraging an IP reputation
service to compare against known
malicious sites.
According to mobile malware
security reports from 2014, the
majority of malicious attacks are
based upon the trojan category. Some
examples of trojan behavior on the
Issue 10
Windows Phone
Not Available
N/A Currently Not Required
Available
Recommended: Windows Phone 8.x
N/A Currently Not Required
Effective
Effective
Partially Effective
mobile devices include SMS sending,
file or app downloading, location
tracking, banking fraud, data theft,
and fee charging, just to name a few.
Most mobile malware attacks on
individuals are motivated by profit.
The mobile security vendors have
seen possible trends of attackers
that are looking to steal personal
information for a possible spear-
phishing attempts. Once infected, the
mobile device could also be leveraged
as a new attack vector to infiltrate the
enterprise PCs and networks.
New and Expanded Attack
Vectors
In the recent mobile threat reports
from F-Secure, Kaspersky and Cisco,
there have been increases across the
board for Android and iOS mobile
threats. The latest generation of
attacks has begun to implement new
attack vectors that IT organizations
need to be aware of to defend the
enterprise. Figure 1 shows a few of
the most prevalent sources and paths
for mobile malware to attempt to
gain access to the enterprise.

Cloud Storage
Malware
Source
Website
Unwanted
Application Source
App Store
Malware
Source
Unsecured Public Wi-Fi or
Stingray/Cell Phone Tower Masquerading
Source: Gartner (March 2015)
One of the main sources for
todays attacks are the nonstandard
application stores. These are
third-party, private or hacker-run
application stores, potentially
filled with malicious or unwanted
applications. Android allows
applications to be installed from
multiple application stores, while iOS
devices must be jailbroken to leverage
third-party stores. One common
practice for the malicious actors is to
get popular applications, repackage
them with malicious code and submit
them to third-party app stores.
Another source of malware comes
from malicious websites that try
Figure 1 Mobile Attack Vectors
Internet
Remote
Access
USB
to install mobile applications,
profiles or certificates on the users
device. Once an iOS user installs a
malicious profile with an attached
root certificate, the device can be then
controlled, and all traffic (encrypted
or unencrypted) can be sniffed by
the malicious author. Unsecured
public Wi-Fi networks or stingray
(cell tower masquerading) tactics can
also pose a network-based threat for
MITM-style attacks. These attacks
allow for unencrypted IP traffic
for the Wi-Fi and voice traffic for
the stingray device to be sniffed.
Sometimes they can be combined
with other forms of malware that
allow for decryption of traffic as
SMS/MMS
Enterprise
Corp
Storage
Enterprise
Wi-Fi
well. Email, SMS and Multimedia
Messaging Service (MMS) are
other attack vectors that can
have embedded links to malicious
applications. Once infected with
malicious code, the next step is not
always targeting the mobile device,
but possibly targeting the users other
devices through USB connections, or
over the carrier network or Wi-Fi to
cloud storage or corporate resources.
For example, there were Android
games that would create an infected
PDF, HTML or other file type, and
then sync it up to a cloud file store.
Then when the user opened the file
on a Mac or PC, it had code targeting
the desktop OS.
A Smart Choice for a Mobile-Only Era Issue 10 9
 Table 3. Mobile Attacks Discovered and Targeted by Operating System
Mobile Attacks
Mobile Malware
Kernel Level/Jailbreak/Root
HW/USB
Unwanted Apps
Network
Mobile Websites
Malicious Profile iOS
Source: Gartner (March 2015)
Table 3 compares the categories of
mobile attacks and the operating
systems on which they have been
discovered in the wild.
Jailbroken and Rooted Devices
Another common misperception
is that malware can only affect
jailbroken or rooted devices. This is
not true.
In recent years, there have been
numerous malicious attacks on
nonjailbroken or nonrooted devices.
One example on iOS was the
WireLurker malware that began by
infecting Mac OS X systems and
then waited for an iOS device to
be connected via USB. It then was
able to install additional malicious
software onto nonjailbroken devices.
On Android, researchers discovered
vulnerabilities in the base OS that
would allow the malware to silently
install and elevate privileges during
system updates; these were called
pileup exploits.
The risks to mobile devices
increase if the devices have been
jailbroken or rooted. Enterprise IT
organizations should consider this
before letting these types of personal
devices onto corporate networks,
or putting corporate information
and applications on jailbroken
10 A Smart Choice for a Mobile-Only Era
Android iOS Windows Phone
Yes Yes No
Yes Yes No
Yes Yes No
Yes Yes Yes
Yes Yes No
Yes Yes No
N/A Yes N/A
devices. Once the devices are in this
elevated privilege mode, malicious
applications will be able to modify
the systems with admin-level access
in some cases, not even prompting
the user. Most MDM/EMM solutions
claim to provide jailbreak/root
detection, but are not always effective
due to the nature of the attack
targeting the kernel of the OS. If the
agents are running in standard user
mode, they could be misled if the
devices are rooted or jailbroken.
Android: The Largest Target
Android is currently the most
targeted mobile operating system.
Some of the factors that make it
such a large target are the number
of devices worldwide, the openness
of the OS and the ability to run apps
from multiple sources. One report
from Kaspersky estimated 98.05%
of mobile malware was detected on
the Android platform. They detected
175,442 unique malicious programs
in the first half of 2014.
One of the main motivations for
mobile attacks is profit. Along those
lines, premium SMS-based attacks
continue to be in the top lists of most
of the major threat reports. In 2014,
the category of trojans were the most
detected type of attack on Android.
Some of the tactics leveraged by
Issue 10
trojans included chargeware and
ransomware attacks. Chargeware
is defined as software that allows
an attacker to leverage personal
devices to incur some type of fee or
charge, without the knowledge of
the user until the bills begin to
arrive. According to F-Secures 1Q14
Mobile Threat Report, the SmsSend
trojan that sent texts to premium
rate services accounted for 34% of
the detected threats on Android.
Ransomware restricts users from
accessing their devices until a fee is
paid to the creator of the malware.
ScareMeNot and ScarePakage, two
mobile ransomware packages, were
detected by Lookout in 2014 and
finished in the top five mobile threats
for the U.S., U.K. and Germany.
Mobile Application Stores
Nonstandard mobile application
stores are among the largest sources
of mobile malware today. The
major OS providers have built
application-vetting practices to help
defend against malware, which have
dramatically reduced the number
of malicious programs in their
stores. But there are many users
who leverage alternative mobile
application stores for Android
or iOS that do not have the same
dedication to privacy. This practice
is more common for users who
have jailbroken or rooted devices,
and some devices in markets where
the devices are purchased unlocked
and then taken to the carrier for
activation. Some of these carriers
then install smaller or less-curated
application stores where the
applications may have a higher rate
of infection.
 Figure 2
Source: F-Secure
This problem does not only pertain
to Android. There are third-party
application stores for iOS as well.
Cydia is the most popular alternative
to Apples App Store. It requires
the device to be jailbroken for
the applications to be installable.
Cydia offers applications that Apple
has rejected for violating their
curation processes or competing
with their applications, as well as
applications that allow for additional
configurations that Apple has blocked
to mainstream users. This practice is
more common in Asia, as it allows
users there to operate their devices
more effectively.
Android Mobile Store Malware Infection Rates
In the Mobile Threat Report from
F-Secure for 1Q14, 275 new threat
families were discovered for Android,
which made up 91% of all the
discovered malware. Google has
done a good job on monitoring the
security of their Play Store, but some
of the third-party stores such
as the ones in Asia and the Middle
East (Mumayi, AnZhi, Baidu) that
repackage applications do not
have the same stringent security
practices. Figure 2, from F-Secure,1
shows that less than 0.1% of the
samples received from the Google
Play Store were infected, versus up to
8% of samples from stores like Baidu
and even 33% from the small, private
Android159 store.
Even though the Google Play
and Apple Store have built highly
functional mobile application
curation, potentially unwanted
applications still exist in each
store. The 2014 Appthority App
Reputation Report revealed that
78% of the top Android paid apps
and 87% of the top iOS paid apps
had at least one of the top 10 risky
behaviors detected. This shows that
even though Apple and Google are
removing malicious applications
from their application stores, mobile
developers are still able to create
applications that mine personal and
possibly corporate data, and have
them published in the main stores.
A Smart Choice for a Mobile-Only Era Issue 10 11
Mobile Security Solutions user, request device administration are very basic levels of protection
privileges, enable USB debugging compared with the capabilities
Mobile security solutions began with
mode, or enabling unvalidated app of server and desktop endpoint
basic anti-malware solutions based
mode. Any of these modifications protection solutions, largely due to
on signatures to detect malicious
can introduce more risk to the device the agents being at the kernel level to
applications primarily aimed at
in the longer term. On iOS, these detect threats.
the consumer market. There are
options do not exist, and Apple
a few vendors beginning to build Figure 3 maps out various mobile
blocks applications that require
enterprise offerings that allow for security solutions to provide
any type of elevated privilege,
corporate reporting, management protection for the mobile attack
so the mobile security vendors
and integration with MDM/EMM vectors discussed above.
focus on process monitoring, OS
solutions. With the lack of access to
version checking, theft prevention,
kernel mode, access or the lack of
basic security setting and profile Built-In Platform Protection
visibility into the different containers
monitoring, network monitoring, Modern mobile platforms, including
scanning for malware happens after
and safe Web browsing. Currently on iOS, Android and Windows, have
the install has occurred, which is
Windows Phone, the only third-party strong native controls that protect
too late. On Android, some of the
mobile solutions available target safe against initial infection and limit the
options to enable more visibility are
Web browsing applications. These impact of malware on the device.
to root the device and become a super

Figure 3 Mobile Security Solutions

Internet SMS/MMS

Network Service Enterprise

Cloud Storage
Corp
Storage

Antivirus Anti-
virus

Education Anti- MDM

and Training Malware Agent Enterprise
Security MDM/
Gateway EMM Wi-Fi

App Store App Risk USB

Mgmt Srvcs Antivirus

Unsecured Public Wi-Fi or

Stingray/Cell Phone Tower Masquerading

Source: Gartner (March 2015)

12 A Smart Choice for a Mobile-Only Era Issue 10

For more details on native security
controls for the most popular
mobile platforms, see Mobile
Device Security: A Comparison of
Platforms.
In summary, native controls that may
protect against initial installation of
malware include:
App vetting: The major app stores
validate the security of apps before
they are placed for download.
Moreover, when malicious
behavior is first detected after being
placed on the store, the application
may be removed from the store
and, in some cases, removed from
mobile devices.
In-OS reputation check: In
Android, the Google Play service
can check the reputation of any
Android app installed on a device
(note that users may disable
this). The app verification service
checks apps independent of the
deployment channel, and supports
both install and periodical scans.
In Apple, Windows Phone and
other mobile devices, third-party
solutions are required for checking
the reputation of installed apps
(various EMM and app reputation
solutions offer this).
Even after users or devices have
downloaded a malicious app, the
following common native platform
controls limit the impact of the event:
Kernel security: OSs use kernel
security features such as ASLR
and DEP to complicate privileged
access after exploiting software
vulnerabilities. Some platforms,
such as Android, move to
mandatory access control.
App signatures and app runtimes:
All code on mobile devices is
signed. In some cases (such as
iOS), the signature is placed by
the device vendor, but in most
cases signatures are used to
uniquely identify the author. Some
platforms (BlackBerry, Microsoft)
only allow access to sensitive
resources if the app is signed by
the vendor, while others allow
the sharing of data between apps
signed by the same signature.
Boot and OS integrity checks:
Most modern mobile platforms
check the integrity of the boot
files at boot time. Some mobile
platforms (for example, Samsung
Knox devices) have implemented
runtime integrity checks that
continuously validate the
authenticity of OS components
against a known good state.
Isolation: With large differences
in implementations (through
runtimes or OS separation),
modern mobile devices isolate
apps from each other and limit
access to sensitive and critical
platform services. This limits
the impact of a nonprivileged
(malicious) app to access other
apps memory and storage.
Native security controls in modern
mobile devices have been shown
to be very successful in mitigating
malware risk. Native controls suffice
for protection against malware for
the most security-conscious users
(no jailbreak, vendor app store,
up-to-date OS and apps, awareness
to detect VPN profiles, protection
against risky networks, etc.).
Mobile Anti-Malware
Mobile anti-malware exists in many
flavors, yet all solutions have one thing
in common: The isolation between
apps does not allow any sensible in-
memory, third-party, anti-malware
scans that are common in desktop OSs.
For most users, mobile anti-malware
solutions do not add sufficient value
on top of native platform controls.
Mobile anti-malware solutions can be
considered for high-risk environments
or in situations where deployment
channels other than the native app
stores are used.
Two technologies have emerged on the
mobile device anti-malware market:
signature-based and signatureless
solutions.
Signature-Based Mobile Anti-Malware
Mobile devices have different
approaches to anti-malware clients.
Windows Phone includes Windows
Defender, which cannot be replaced.
iOS does not allow for traditional
signature-based anti-malware solutions.
This leaves Android, for which the
number of malware samples and the
number of market players have grown
rapidly over the past three years.
Signature-based Android anti-malware
solutions are limited to static scans of
the Android application package (APK)
files on the device, which are restricted
in storage size and generally cannot be
expected to have broadband Internet
access for downloading millions of
signatures. Some vendors are replacing
the Android installer to help detect
malware before it is actually running
on the device. These solutions cannot
access memory or network traffic, so
are reduced to the most basic scanning
imaginable. Even with heuristics,
malware can easily evade detection by
using polymorphism.
A Smart Choice for a Mobile-Only Era Issue 10 13
Many Android anti-malware
solutions primarily target consumers
and often combine anti-malware
with antitheft and privacy scanning
features (like AVG). Nevertheless,
some vendors (like Kaspersky) have
enterprise support and integrate their
solutions with EMM solutions or
as part of their enterprise endpoint
protection platform (EPP) solution.
Unfortunately today, most enterprise
anti-malware offerings for mobile
devices only integrate with the
vendors own EMM, rather than
with the independent EMM leading
vendors. The trend seems to be
changing as the vendors see the value
of integrating with established players
to augment their solutions.
Signatureless Mobile Anti-Malware
Some vendors have acknowledged
the uselessness of signature-based
scanning on mobile devices to protect
against unknown malware, and are
exploring new detection methods to
overcome these limitations.
The first method focuses on the
detection of malware by machine
learning. The idea is that by
building a model of known good
and known bad, and feeding it with
all intelligence available, previous
unknown malware can be detected by
observing the system state. Example
solutions in this space are Lacoon
Mobile Security, Lookout and
Zimperium.
Other solutions focus on detecting
compromised machines that may
not be due to malicious apps. For
example, an attacker may have
focused on subverting DNS, or
redirecting all traffic to their own
server (VPN configuration on proxy
setting) or adding trusted root
certificates for a man-in-the-middle
14 A Smart Choice for a Mobile-Only Era
attack. Various solutions, such as
Lacoon and Skycure, focus on these
configuration-style attacks.
Another type of solution focuses on
detecting the state of the device, which
version of the OS is installed, whether
the device has a passcode, whether
the device is rooted and what type of
network sites are being visited. An
example solution here is NowSecure.
Mobile App Risk Management
The previous section showed that on-
device scanning is effectively reduced
to the most basic of signature scans:
A verdict is based on a complete
file (in Androids case) or even less
information (in iOS). Other solutions
may use a cloud-based service, such as
solutions from Appthority or FireEye.
Cloud services provide security
information about specific
applications, and most often provide
more than just a malware verdict.
They also often include reputation
information (prevalence, age, risk
score, privacy score). Once the
application ID is determined (by
analyzing the binary, using an agent on
the device; or by integrating with an
EMM application inventory feature),
the app is compared to the cloud-
based service list for a risk score. If
the application is new to the service,
then the application is installed on a
virtual instance of the mobile OS in
the cloud, then analyzed for security
issues. Based upon the analysis, a new
risk score is assigned and sent back
to the management console. In pure
isolation, mobile app risk management
cloud reputation services are not
immediately usable for enterprise
users. Most often, they integrate with
mobility management and/or security
solutions, such as EMM or SWG for
policy enforcement.
Issue 10
Enterprise Mobility Management
Even though EMM solutions do
not include anti-malware controls
themselves, their use is key in the
detection and remediation of mobile
malware. First, EMM agents may
include rootkit detection functionality
that can determine whether the
mobile device was compromised
using a known rooting or jailbreak
technique. Note that the detection
of unknown privileged malware is
as difficult on a mobile device as it is
detecting rootkits on a desktop PC,
and most EMM agents will be limited
in their protection capabilities. Any
rooted or jailbroken device may be
denied access to corporate resources
or even remotely wiped through the
EMM platform.
Another critical capability of EMM
is the control and management of
applications. EMM may provide
inventories of all installed mobile
applications and integrate with
a mobile app risk management
solution to determine the risk level
for a specific device. The capability of
EMM to manage applications beyond
inventories (that is, the installation
and deinstallation of applications)
greatly differentiates between mobile
platforms. Often, application control
is limited to managed applications
(applications that are installed
through the EMM), which are often
of limited use for detecting and
removing malware. On supported
platforms, EMM may be used to
deinstall malicious or potentially
unwanted programs. For details on
the capabilities of app monitoring
and controls per mobile platform,
see Mobile Device Security: A
Comparison of Platforms.
Network-Based Security
In many organizations, a constant
challenge is corporate-owned devices
versus BYOD. As malicious attackers
target corporations, there is a real
threat from outside mobile devices
coming on to the enterprise network.
An additional layer of defense
to help mitigate some of the new
mobile attacks can entail network
segregation by creating mobile-only
wireless networks connected directly
to the Internet, and not allowing
access to the corporate virtual LANs
(VLANs). For more information on
network access control, see Gartners
Using NAC to Reduce Risk Related
to BYOD and Unmanaged Devices.
Mobile devices used on the corporate
network via corporate gateways can
be protected based on the observed
network traffic. The same holds
for managed mobile devices, where
traffic can be redirected to cloud-
based SWGs such as Zscaler.
SWGs or next-generation firewalls
(NGFWs) expand their support for
mobile devices. Gateways will be able
to identify mobile apps based on the
observed traffic or the download of
applications, add risk scores to these
apps, and block specific functionality
for apps (for example, to allow
the use of a file sync solution but
block the upload of files). For the
detection of malware in unknown
applications, some solutions include
network sandboxes that can detonate
unknown mobile apps.
Mobile Application Stores
Managing and monitoring which
application stores are enabled on
mobile devices becomes critical
to reducing the unwanted and
malicious apps installed and
possibly propagated into the
enterprise. EMM solutions typically
support the management of app Awareness and education should
deployment channels for more open teach users three things:
environments, such as Android
What not to do: Even in managed
(in practice, this often entails the
environments, users of mobile
restriction to the official app store).
devices have various ways to evade
Apple, Google and Microsoft have
or disable security technology.
programs and procedures in place
Users may try to change
to curate the applications in their
(corporate) proxy settings, install
stores. These vendor sites may still
new (potentially malicious) security
contain malicious applications,
profiles, remove corporate security
but the time to remove them is
profiles, sideload applications,
generally faster than the smaller
or even jailbreak or root a device
third-party application stores. If
(see the Details section below for
your corporation uses enterprise
more information). Users should be
application stores for internal
made aware of the individual and
mobile application development,
corporate risks for their actions.
it is important to establish mobile
There is a broad spectrum of ways
app security verification procedures.
to accomplish this, from helping
Third parties such as Veracode, HP
employees protect themselves,
and IBM Security AppScan can scan
recommending remediation actions
enterprise mobile applications for
or mandating policy upon access to
possible threats and vulnerabilities
the enterprise.
before release to the enterprise
application store. For more What events to watch for: Educate
information, see Gartners Six users to detect events that may
Principles of Comprehensive Mobile indicate malware or unwanted
App Security Testing. applications, such as requests for
excessive permissions, unexpected
Education and Training pop-ups and messages with
Users are critical agents for detecting suspicious links. Users should
any type of security breach, also understand the approved
potentially unwanted applications sources for applications, such as an
and mobile malware. Users often are enterprise repository or the main
seen as the detection agent of last vendors application store.
resort, but awareness and education
How to respond to events: A
can transform users into a detection
concise, documented and tested
agent of first resort. It becomes
process for incident management
critical to educate users to the risk
and response must be part of any
to themselves and the separate risk
user education process. Help desk
to the company by their actions on
contacts should be at the fingertips
their mobile devices. For example,
of all users on each of their devices.
if a user installs a highly rated
Incident response greatly depends
flashlight application that has every
on the mobile platforms: Some will
possible access on the mobile device,
only allow for user notification
what is the risk to their personal
(please deinstall that malicious
information and then the possible
app), while others allow for full
impact if the user brings that device
remote management of the mobile
into the enterprise? A basic flashlight
device (sit back and wait while we
application should only have access
fix the issues).
to turning the flash on and off.
A Smart Choice for a Mobile-Only Era Issue 10 15
Guidance
Protect against these new types of
attacks and deal with the challenges
of the mobile operating systems by
taking the following steps:
1 Evaluate the risks and new tactics
being leveraged on mobile devices
by malware.
The first step is to better
understand how the new mobile
attacks can gain access to
corporate resources. The attack
vectors and effectiveness vary
by mobile OS, user behavior,
applications installed, state of the
device and the networks the device
has connected to.
The next step is to understand the
business requirements for mobile
devices and what type of access
they require. There can be
different strategies and solutions
for BYOD versus fully managed
corporate devices.
2 Look to mobile device security
solutions with cloud-based
application reputation services and
integration with current MDM/
EMM solutions.
Next, map out the strategy and
solutions required to defend against
the new types of attack vectors.
Unfortunately, as we have seen
in Table 1, there are no complete
solutions to defend against all
the new attack vectors. It takes
a combination of new mobile
security solutions and integration
with existing device management
and endpoint protection solutions.
16 A Smart Choice for a Mobile-Only Era
Another option is to leverage a
network isolation strategy for
mobile devices for example,
a mobile-only wireless network
with Internet-only access. Another
option would be to leverage a
SWG or NGFW between the
mobile and corporate networks.
These network-based options do
not eliminate the mobile malware
or unwanted application problems,
but they can provide a buffer to the
enterprise. The other connectivity
vectors should also be considered
when planning the mobile security
strategy, such as USB connections,
public cloud synchronization, email
and other collaboration solutions.
This is where other compensating
controls will help reduce the risk of
the mobile device attack vectors.
2 Verify applications are installed
only from trusted sources (Google
Play, Apple Store, Windows Store
or eEnterprise apps stores).
As we have seen, mobile
applications from third-party
application stores have a higher
rate of infection. To help reduce
the risk, look for ways to
determine the application sources.
On Android, configuration settings
can verify that applications are
installed from the Play store. On
iOS, the device must be jailbroken
to use a third-party app store.
There are solutions that can
manage these settings and report
on the configuration of the devices
and installed applications.
4 Deliver training to drive user
awareness of which permissions
mobile applications are requesting.
This approach can help reduce
unwanted applications from being
installed.
Issue 10
User awareness training will not
solve the issue completely, but
it will help at the root of the
problem. Most users do not ever
read the access requirements when
installing applications on their
mobile devices. One way of gaining
understanding of the risk is to
position the training as beneficial
to both the individual and the
enterprise. As users become aware
of the personal risks that many of
their favorite applications have
to their own privacy, position the
possible risk their applications can
have to the enterprise. An educated
user can help reduce the risks to
themselves and to the enterprise if
they do not install, for example,
the flashlight application that has
full access to their devices.
The Details
Jailbreak, Rooting, Device
Administration and Sideloading
Jailbreaking, rooting and sideloading
are processes for bypassing access
controls and elevating account
privileges. These actions are
employed to change carriers without
permission, to activate tethering
without permission from a carrier, to
install unauthorized and/or pirated
apps and services, and to change
the user experience. File systems
on altered devices may be left in a
vulnerable access state, and unwanted
processes may be active. For example,
Secure Shell (SSH) may be running
with a default password.
Jailbreaking Jailbeaking is
modifying iOS to allow file
system read/write access, as well
as to bypass various safeguards,
including protected APIs and code
verification. Jailbroken devices can
run applications and services not
approved by Apple, from sources
outside of Apples App Store.
Rooting Rooting refers to
obtaining administrative, system
root or superuser types of privileged
access for the Android OS, in a
manner similar to Linux. The OS and
device firmware may be replaced or
significantly modified on a rooted
device.
Device administration mode
Android 2.2 introduced support for
enterprise applications by creating
specific APIs to manage security
policies, prompt for net password
setting, lock the device and perform
remote wipe. Mobile security
vendors and EMM solutions may
request this level of elevated access.
If a malicious application achieves
this level of permission, it can then
attempt to hide itself from the device
administrator list of applications,
which can make it very difficult to
remove without a full wipe.
Sideloading Sideloading is the
practice of installing programs
onto a device outside of the control
and restrictions of an authorized
app store. Sideloading originally
referred to apps loaded by a direct
connection, such as a memory
card or a USB drive, but has been
generalized to refer to installations
from unauthorized sources, such as
a designated app store. For Apple
devices, jailbreaking is usually a
prerequisite for sideloading apps.
Android has a user-selectable setting
that allows apps from unknown
sources. Access to that feature may be
modified by the device maker.
[See the Wikipedia entry for Sideloading and
the Open Web Application Security Projects
Mobile Jailbreaking Cheat Sheet for further
discussion.]
Mobile Attack Examples by OS
Android
In 2014, there were a number of new
families of mobile malware detected
on the Android OS. F-Secure reported
the following examples:
Droidpak This trojan targets
the mobile banking industry
by leveraging Windows PCs to
transfer the malware via USB to
Android devices. Variants included
Trojan-Spy:Android/Smforw.H or
Trojan:Android/Gepew.A or .B.
Tor Trojan Torsm.A is the
first trojan to leverage the Orbot
open-source client of the Tor
anonymizing network to connect to
the Command and Control (C&C)
server.
Oldboot.A This is believed to
be the first detected Android boot
kit. This malware was mainly
detected in China and spread
through firmware updates to affect
the earliest parts of the device boot
process.
Dendroid.A This is a toolkit
for creating remote access trojan
(RAT) that allows malicious
users to create trojans that can
remotely infect the audio and video
functions on Android devices.
This back door was able to evade
Google Play Store security checks.
2014 saw the increase of enterprise-
specific mobile malware attacks. The
following attacks were discovered
by Lookout, targeting enterprises in
the U.S. They estimated 6.4 million
Android devices were possibly
affected by these attacks:
NotCompatible This is a
trojan that creates an encrypted
proxy capability that, once run
inside a corporate network,
could enumerate networks or
communicate and infect others in
a large-scale C&C network. This
malware is spread on Android
devices that have the unknown
source option enabled.
TowelRoot and TowelExploit
These are root exploits that contain
elevation of privilege code that will
grant device administrator access
and then allow bypassing of a
devices security settings.
BasicSystemSpy This is a
surveillance malware that collects
device information. It can also
activate the microphone of the
compromised device and record
audio.
There were also instances of more
sophisticated trojans that combined
different types of attacks into one
malware package. Kaspersky detected
Backdoor.AndroidOS.Obad.a in
2013. This malware can send SMS
to premium rate numbers, and
download and install other pieces of
malicious code, while propagating
to other devices via Bluetooth and
remote console code execution
capabilities. Once the malware is
on a device, it tries to obtain device
administrator privileges and hide
itself from the device admin list
by exploiting some Android OS
vulnerabilities.
A Smart Choice for a Mobile-Only Era Issue 10 17
iOS
In November of 2014, Palo Alto
Networks published a paper on
WireLurker, a family of malware
that leveraged the Mac OS X USB
channel to attack connected iOS
devices. The malware monitors
the USB port for any iOS device
connections and then installs a third-
party application onto the device.
This exploit will work even if the
iOS device is not jailbroken. This
was initially detected in 467 OS X
applications in the Chinese Maiyadi
Mac application store.
iPhoneOS/Adthief.A This
is an adware-based trojan that
leveraged a suspicious library
in a popular app development
framework. This malware
required the iOS device to be
jailbroken. It then hijacked
advertising modules to display its
own ads.
FinFisher mobile remote access
trojan (mRAT) This leverages
a stolen developer certificate to
exploit its attack.
iOS leverages profiles to store
enterprise settings and certificates. If
a malicious attacker gains access to
a valid Apple developer or enterprise
certificate, they can use phishing
techniques to have nonjailbroken
devices install malicious profiles
from websites. The attacker can
then embed signed root certificates
in these new profiles. Once installed
by the end user, they will give
the attacker full control of the
iOS device along with decryption
capabilities to all the network traffic.
These types of attacks are very
dangerous and can allow full remote
execution of applications on the
infected devices.
18 A Smart Choice for a Mobile-Only Era
Windows Phone Windows Phone, they were focusing
Currently, no confirmed mobile on Android and iOS. Some of them
malware affects the Windows Phone stated that if there were changes in
8.x platform. This is not to say there numbers and customer demands, they
will not be in the coming years. would start investigating possible
There are a few possible explanations solutions for the Windows Phone
for this statement. Windows Phone platform.
devices are currently a distant third
place to Android and iOS in sales
Evidence
figures. Since there are billions of
1
F-Secure Threat Report, H2 2013
Android and iOS devices in use, it
F-Secure Mobile Threat Report
makes sense that malicious attackers
Q1 2014
will spend more time developing
malware for those platforms. As Cisco 2014 Annual Security Report
for unwanted applications, there
are instances of applications, such Fortinet Threat Landscape 2014
as flashlight apps, that request Lookout: Enterprise Mobile Threats,
more permissions than should be 2014
necessary to work. Microsoft has
built Windows Defender into the Source: Gartner Research Note G00271349,
Patrick Hevesi, Mario de Boer, 4 March 2015
Windows Phone 8.x architecture,
and has announced that a version
of Windows 10 will be available on
the phone, based upon the Windows
NT kernel architecture. It will be
interesting to see how many of
the security features will become
available on the phone, and whether
any of the desktop EPP solutions
could be leveraged on the phone
platform.
The mobile security solutions
developed for Windows Phone center
around secure Web browsing, as
there is limited access to the kernel
space from non-Microsoft developers
to add anti-malware solutions. There
are numerous other security features
built into Windows Phone for
example, when attached through a
USB port to a Windows PC, access
is limited to only the user portions
of the file system and blocked
from the root directories. At the
time of this research, many mobile
security vendors stated that due to
lower worldwide sales numbers for
Issue 10
 About AhnLab, Inc.
AhnLab creates agile, integrated internet security solutions for corporate
organizations. Founded in 1995, AhnLab, a global leader in security, delivers
comprehensive protection for networks, transactions, and essential services.
AhnLab delivers best-of-breed threat prevention that scales easily for high-speed
networks, by combining cloud analysis with endpoint and server resources.
AhnLabs multidimensional approach combines with exceptional service to
create truly global protection against attacks that evade traditional security
defenses. Thats why more than 25,000 organizations rely on AhnLabs award-
winning products and services to make the internet safe and reliable for their
business operations.

A Smart Choice for a Mobile-Only Era is published by AhnLab. Editorial content supplied by AhnLab is independent of Gartner analysis. All Gartner research is used with Gartners permission,
and was originally published as part of Gartners syndicated research service available to all entitled Gartner clients. 2015 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner
research in this publication does not indicate Gartners endorsement of AhnLabs products and/or strategies. Reproduction or distribution of this publication in any form without Gartners prior written
permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of
such information. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice
or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in
Gartner research. Gartners Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence
from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website,
http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.

A Smart Choice for a Mobile-Only Era Issue 10 19