How to stop mobile Malware before the damage is done

The proliferation of mobile devices has given cybercriminals a vast and growing new ecosystem to work with. And they’re starting to take advantage of that opportunity. According to McAfee’s Threats Report: Fourth Quarter 2011, the number of mobile malware samples jumped from less than 150 in the third quarter of 2011 to well over 400 in the fourth quarter.

“Cybercriminals are going for [mobile] because people put a lot of identifying information on their devices,” says Karim Hijazi, Founder and CEO of Unveillance, an IT security intelligence provider. “But that’s a scary mistake because devices are actually more vulnerable.”

Between the characteristics of mobile devices that make them easy targets to the careless way that most users handle security on them, the mobile landscape presents a vast, simplified attack surface for cybercriminals to exploit. Here’s what you need to know to avoid being a victim.

The soft underbelly of mobility
The relative newness of the mobile market combined with its rapid growth has created two distinct vulnerabilities. The first is that neither security awareness nor available technologies have caught up to the market to protect devices. Second, apps are being developed at record speed to feed voracious user demand, and hastily written code is typically fraught with security holes.

On top of that, an increasing number of apps rely on access to browsers in order to run, but mobile browser platforms aren’t as hardened yet through use, trial and error. So security isn’t being built into the apps or the browsers on which they run (yet).

Small screen sizes are another factor. Users may accidentally click on links or emails they intended to delete due to the finger-to-text-size differential, a phenomenon known as “fat fingering.” Also, small screen sizes may hide some of the signs that might typically signify a lurking danger, like overly long URLs or a lack of identifying credentials on a site.

Types of mobile attacks
The methods for attacking mobile devices are surprisingly run-of-the mill. But this makes sense if you accept the prevailing theory that the lines between smartphones, mobile devices and traditional computers are blurring more and more.

Email: The same rules apply to email on mobile devices as on laptops and desktop computers. Don’t open unknown emails and click links in them. You could end up on an infected website that loads malware onto your device.
Browsing: Surfing the unknown Web can infect your device. Known as a “drive-by infection,” malicious sites lie in wait for web traffic to come cruising by, then load malware onto their visitors’ devices. You could end up on an infected site by clicking an unknown link in a display ad or even from a list of search results.
Apps: Some innocent-looking apps may appear to be providing a simple convenience, but have insidious intent beneath the surface. Tricky coding in malicious apps can open a backdoor to your device and transmit your data back to another location. A more sophisticated app may even open a reverse proxy and gain access to your device’s file system.

Mobile security best practices
You can better secure your device using a number of strategies—and most of them have to do with your own habits around how you treat your device.

“If you can get in the mindset that your device is just as subject to infection as anything else, that’s step one,” advices Hijazi. With that in mind, Hijazi offers the following advice:

Do unto your device as you would unto your laptop: Basically, follow the same precautions around unknown emails, links or websites as you would when using your laptop or any other computer.
Avoid unfamiliar wireless networks: Many people log into the nearest Wi-Fi connection to avoid racking up data minutes on their plan. But this behavior exposes your device to a murky pool of unknown users. Broad public connections, such as at an airport waiting lounge for example, have no security protocols in place, so it would be very easy for anyone lurking nearby with a device to spy on your activities and maybe even harvest some data.
Don’t plug your device into any old computer (and vice versa): Keep in mind that many mobile devices are also storage devices. The same precautions that apply to unknown USB sticks apply to devices. You could unknowingly infect a computer even though you were just plugging in for a quick charge.
Don’t download any old app: Look into prospective apps before downloading them to your device. User reviews are a good starting point. Conduct a web search on the app developer to be extra cautious.
Turn on installation password protection: Don’t allow your device to download anything without your permission. Turn on download alerts and designate a password for all installations.

Security technology will undoubtedly catch up with current threats to mobile devices. However, no matter how sophisticated the attacks or security technology becomes, the most important factor in maintaining security on a mobile device will always be user behavior.