What we learned about mobile security from real-world mobile threat defense customer data

Malware installs remain low, sideloading is surprisingly high, everyone agrees phishing is a threat, but there’s little consensus on network threats.

By Kyle Johnson and Jack Madden

Over the past couple of months, we’ve been speaking with mobile threat defense vendors about their mobile security data. As we wrote when we started this project, we wanted to find out what mobile security statistics really mean.

We wanted to make reports easier to understand. As anyone who’s heard of the book “How to Lie with Statistics” by Darrell Huff knows, it can take a lot to unpack these things. And in particular, we were looking for metrics that came out of production customer user bases—not surveys, not looking at all the variants of some strain of malware out in the wild, etc.

Another interesting issue we found was the difference between data that reported an actual rate (for example, X incidents across Y users or devices over Z days) and data that reported how many organizations had at least one incident. Now obviously, it potentially only takes one incident out of 100,000 users over 10 years for a company to have a breach that results in big headlines, credit monitoring for all their customers, and restated earnings guidance. But, of course, this is all dependent on the nature of the incident; and while that happening to one company once could be bad, it still doesn’t tell us about the actual rate.
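To make the rate-versus-at-least-one distinction concrete, here is a small added example (not from the article or any vendor) that converts between the two forms under the simplifying assumption that every device has the same independent per-device incident rate; the worked figures use rates quoted later in the article, and the inferred organization size is purely illustrative.

```python
import math


def rate_per_device_day(incidents, devices, days):
    """Normalize 'X incidents for Y devices over Z days' to a per-device-day rate."""
    return incidents / (devices * days)


def prob_at_least_one(per_device_rate, devices):
    """P(an organization sees >= 1 incident) when each of its devices
    independently has per_device_rate over the same period (assumption)."""
    return 1.0 - (1.0 - per_device_rate) ** devices


def expected_incidents(per_device_rate, devices):
    """Expected number of incidents for an organization of this size."""
    return per_device_rate * devices


def implied_org_size(share_of_orgs_affected, per_device_rate):
    """Invert prob_at_least_one: the (uniform) org size at which this
    per-device rate would produce the observed share of affected orgs."""
    return math.log(1.0 - share_of_orgs_affected) / math.log(1.0 - per_device_rate)


if __name__ == "__main__":
    # A per-device rate of 0.08% looks tiny, yet for a 5,000-device fleet
    # the 'at least one incident' figure is close to certain.
    p = prob_at_least_one(0.0008, 5000)
    print(f"P(>=1 incident in 5,000 devices) = {p:.1%}")
    print(f"expected incidents = {expected_incidents(0.0008, 5000):.1f}")

    # Conversely, '2% of organizations had at least one affected device'
    # is consistent with a 0.04% per-device rate if orgs average ~50 devices.
    print(f"implied org size = {implied_org_size(0.02, 0.0004):.0f} devices")
```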

We spoke with Lookout, Wandera, Symantec, Zimperium, and Check Point, while also looking at Google’s most recent publicly available Android numbers. All five security vendors are considered leaders in the IDC Marketscape: Worldwide Mobile Threat Management Software 2018-2019 Vendor Assessment.


Malware

This is a tricky one. We see headlines all the time, but it’s hard to tell what to care about. Most malware is outside of official app stores, or involves state-sponsored spying on high-value targets.

So what actually shows up in MTD customer user bases?

  • The lowest number we saw was from 2017 Zimperium data showing that about 1% of malicious software gets installed on mobile devices.
  • Meanwhile, the highest was from Symantec, which showed 7.07% of Android devices in customer organizations had at least one malicious app downloaded or installed.
  • Their data also showed that consumer devices were less secure than company devices, with 22.35% of devices with the Symantec app downloading or installing malware.
  • Check Point data showed that in 2017, the average number of malware attacks per organization was 54.

That malware is more often discovered on Android devices than iOS (though both do get it!) isn’t a huge surprise given how relatively open Android has historically been compared to iOS. However, Google continues to clean up Android, and in their Android Security 2017 Year in Review (the latest one out as of this publication date), the annual probability that a user downloaded a potentially harmful app (PHA) from Google Play was just 0.02%. Additionally, just 0.08% of devices that only used Google Play to download apps had one or more PHA through the first three quarters of 2018.

The definition of what vendors and impartial organizations consider “mobile malware” is varied and another thing that sent us down this path in the first place. There’s also a wide variety of malicious software, from the well-known ransomware, spyware, and Trojans to the newer, like “generic malware” and cryptoware.

Interestingly, some malware variants appear to be trending out. While speaking with Check Point, Ran Schwartz explained that many types follow human trends. For example, cryptoware showed up once cryptocurrency took off, but unique signatures have dropped as interest waned. Same thing with ransomware. It remains an issue for PCs, but on mobile devices it isn’t as big a worry. Other than two months in 2018, Check Point data showed that new unique ransomware signatures discovered were down to 1 a month. For generic malware, though, every month in 2018, Check Point discovered over 1,000 unique malware samples. August and November were particularly busy, with 4,917 and 4,378 samples found, respectively.

Additionally, some vendors consider potentially harmful apps to be malware. PHA may be perfectly legitimate apps that nonetheless put users at risk. Some examples of PHA include apps that send personal data to overseas servers or apps that collect user info without consent. Highly regulated industries need to be more wary of PHA than the average user because of the regulatory issues these apps could cause.

Mobile phishing and social engineering

Phishing on mobile devices remains one area that lacks consistent data; not all vendors started collecting data on it until more recently, limiting what they could provide. That said, everyone we spoke to agreed that in 2019, every organization should worry about mobile phishing and social engineering. High-profile mobile attacks like Pegasus had a social engineering element, as well.

In the interest of providing a better user experience, URLs get shortened; mobile web browsers hide the URL; and messaging apps may preview the webpage, effectively hiding the URL.

Vendors recognize the rising threat and have started to offer new mobile threat defense tech to better protect users and organizations. This also goes to show the value of multi-factor authentication, conditional access / zero trust, and user behavior analytics.

Lookout data showed that from January to September 2018, 56% of their users (a mixture of consumer and enterprise) clicked on a phishing link; and, since 2011 there’s been 85% growth per year. More and more bad actors use Punycode to trick mobile users, with 5.16% of mobile phishing attacks containing Punycode, according to Wandera.
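The Punycode lures mentioned above can be surfaced on the defender's side by decoding internationalized hostnames and checking for mixed-script labels. The following is an added example of such a check, not code from the article or any vendor; it uses only Python's built-in idna codec and Unicode database, and takes the first word of a character's Unicode name as its script (an approximation that is good enough for Latin/Cyrillic/Greek look-alikes).

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(ch):
    """Approximate script family of a letter from its Unicode name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN' (assumption: prefix == script)."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def analyze_host(host):
    """Return a list of reasons a hostname looks like a homograph lure.
    An empty list means nothing suspicious was found."""
    findings = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            findings.append(f"punycode label: {label}")
            # The idna codec turns an ACE label back into its Unicode form.
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append(f"undecodable punycode label: {label}")
                continue
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in {label!r}")
    return findings


def analyze_url(url):
    """Extract the hostname from a URL and analyze it; no network access."""
    host = urlsplit(url).hostname
    return analyze_host(host) if host else ["no hostname"]


if __name__ == "__main__":
    # Constructed sample: 'paypal' with a Cyrillic 'a' (U+0430), as a
    # browser would send it on the wire after IDNA encoding.
    lure = "p\u0430ypal.com".encode("idna").decode("ascii")
    print(lure, analyze_url(f"https://{lure}/login"))
    print("example.com", analyze_url("https://example.com/"))
```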

Network attacks

We found this to be a mixed bag. On one hand, everybody says be careful with public Wi-Fi, and a Man in the Middle (MitM) attack could do a lot of damage. On the other, HTTPS is everywhere now, including in apps and websites; and the attack model is limited because the target has to be in range.

Also, vendors admitted that while they aim to only include data from verifiable attacks, it could also include things like content filtering customers may do on user devices. It can get tricky to separate the signal from the noise here.

Still, MitM attacks do happen.

  • Lookout data showed that about 0.08% of enterprise devices encountered an actual attack.
  • Wandera data showed that 4% of customers connected to risky hotspots each week.
  • Zimperium data from the first half of 2018 showed that 2% of devices connected to what they called a rogue access point.

Sideloaded apps

If any statistics surprised us, it was here. Sideloaded apps are much more prevalent than we thought, and vendors discover them on both Android and iOS! Android has long allowed installation of apps from unknown sources, so it’s not a shock to find sideloaded apps there. While talking with Lookout and Wandera, it became clear that iOS devices can find and install sideloaded apps just as easily. One positive from this, though, is that fewer users feel the need to jailbreak or root their device.

The data from the five security vendors painted a similar picture: users definitely sideload apps, but not yet in large numbers.

  • Lookout data showed that in 2016 and 2017, about 11% of iOS devices encountered a sideloaded app, and in August 2018, 12.36% of Android devices had unknown sources enabled.
  • Wandera data showed that 2% of organizations have at least one jailbroken device and 1% have a rooted Android device (from a per-device perspective, it’s about 0.05% Android and 0.04% iOS).
  • Symantec data showed that 2.04% of iOS devices had at least one sideloaded app.
  • Zimperium data from Q3 2018 showed 10% of 200,000 devices had at least one sideloaded app, with many having more than one downloaded.

How are businesses doing with patching and OS updates?

Another area of vulnerability is how up to date devices are, whether that just means the latest OS update or security patch. Android patching has gotten a lot better, and is independent of OS updates.

The 2017 Android security review didn’t provide data around this, unfortunately; but we do have some older numbers to look at.

  • From the 2016 report, in the U.S. “over 78% of active flagship Android devices on the four major mobile network operators reported a security patch level from the last three months.”
  • Symantec data painted a slightly less positive picture, noting that 35% of Android devices did not have the latest update.
  • Wandera’s data showed only 3.71% of devices in organizations with 100 to 249 devices being out of date (their clients prefer to offer locked-down experiences, reducing the ability for users to let devices fall behind on patches).

iOS has always had better luck keeping users up to date with the latest patches, often including things that will get them to patch faster, like new emojis. Wandera-provided data showed that organizations with 1,000 to 4,999 devices had the highest share of out-of-date iOS devices, at just 6.2%. Most enterprise organizations tend to deploy iOS over Android, so it’s nice to see such low numbers, showing IT works to keep mobile devices patched against the latest security vulnerabilities.

Last thoughts on mobile security trends

While there is a ton of malware out there, is there a reason to panic like occasional headlines might bait you into it? We think that the data implies that the answer is no. As mentioned above, a lot of malware follows human trends and so ransomware, as one example, appears to be on the way out. Generic malware remains popular with bad actors and definitely is a cause for concern, but overall little malware actually gets onto devices. So, users (and organizations, especially in highly regulated industries) should be cautious and prepared, but don’t go jumping at shadows.

What organizations should probably be more wary about is mobile phishing. Mobile phishing might be the biggest threat given that it can come from SMS, messaging apps, and email, and might be the hardest to combat on its own. On mobile devices, bad actors can more easily trick users into believing the URL they click on is real and not spoofed. Google’s Chrome security team wants to combat this by making it easier to distinguish legitimate URLs from malicious ones.

We still remain surprised just how easy it is to sideload apps onto iOS and wonder if the numbers stay low more due to users being unaware versus MDM-installed prevention. This may change soon with all the recent fervor around Google and Facebook abusing enterprise certificates. Sites like TechCrunch have taken the opportunity to report how what the two tech giants were doing isn’t uncommon and how many options users have at their fingertips to get third-party apps that are a mix of pirated, pornographic, and beyond. We’ll watch this space to see if Apple cracks down or makes any other moves.

Lastly, we want to give a big thanks to everybody who spent time providing data and answering our multitude of questions! Most of the security vendors we contacted were willing to provide data and answer all of our annoying questions.
