HackSurfer reports on the sorry state of cyber security on the Android platform where 1 in 10 apps contains malware. Yikes.
You read that correctly: 10 percent of Android apps are malware. Over the last few years, cyber criminals have realized how much easier it is to hack Android (as opposed to iOS and other platforms) and have focused their attention on the Google mobile OS. In 2011, the amount of mobile malware on Android more than doubled. In 2012, it grew by over 600 percent.
It's easy to get spooked by data like this, so let's take a closer look at…
- Which Android versions are most vulnerable.
- Where malware is most common.
- How to protect your clients from mobile malware threats.
- What IT consultants can do to guard against their risk of a data breach lawsuit.
But before we get into the details, we'll look at a recent example of an actual attack on Android users that tricks a phone into coughing up financial info and other supposedly secure data.
"Fake ID" Malware Tricks Mobile OS
According to AppleInsider, this week at the Black Hat security conference, Bluebox researchers demonstrated how malware was able to trick Android. The so-called "Fake ID" malware uses spoofed credentials to gain access to smartphones, steal data, and install other malicious software.
The malware sends a fake credential to the mobile OS. Because of a flaw, Android can be convinced that the credentials are real, so it allows malicious users to access data for which they would normally need a password.
Though Google patched the flaw, it hasn't been able to eliminate it on all versions. Cyber criminals often gain access through Adobe Flash. Even though Google has removed Flash from new devices, many manufacturers and older devices (e.g., Galaxy Nexus) need Flash. These devices are still at risk.
Why Do Hackers Target Android Phones?
A Forbes article offers another devastating number about Android: 97 percent of all mobile malware is for Android. Why is there so much malware on Android? Consider the following:
- Because users can download Android apps from pirate sites and third-party locations, it's easier for cyber criminals to post malware-infused apps.
- Fake games or repacked games on third-party sites are among the most common sources of malware.
- Google's OS operates on a wide variety of devices, and as the Fake ID malware showed, even when Google updates Android, some of the updates won't work on certain manufacturers’ devices.
Add up these problems, and it's easy to see why Android is the preferred target of hackers.
How Can IT Consultants Protect Client Android Devices?
Mobile device security is made more difficult by the fact that smartphones are often used for both personal and professional tasks.
More and more small businesses have BYOD workplaces where employees bring their own devices (phones, tablets, laptops, etc.) to work. The problem occurs when an employee logs on to the company network. Suddenly, any malware they have on their personal, non-secure device can spread to your client's network.
To address their clients' cyber risks, IT consultants should advise them to do the following:
- Don’t download from third-party locations. Only download Android apps from the Google Play store.
- Avoid open Wi-Fi connections. 22 percent of routers use simple passwords and 68 percent use the manufacturer's default password, which makes them vulnerable to cyber attacks.
- Update mobile software and OS. More than half of attacks occur on Android 4.1 and 4.2.
- Spread the word. Teach employees about the importance of these strategies.
Because small businesses can save money by having employees use their own devices, BYOD workplaces will persist, even if they come with all kinds of risk.
Unfortunately, that means as an IT consultant or tech contractor, you will continue to be exposed to data breach lawsuit risk.
IT Insurance Coverage for Cyber Attacks on Client Computers
As the party liable for securing your client's network, you can be sued for data breaches and malware attacks, even if the attack came from an employee's personal device. When an IT contractor is sued over a data breach that occurred on a client's network, Errors and Omissions Insurance can cover legal expenses and settlements or judgments.
Given the BYOD risk and the fact that mobile malware has been increasing at an alarming rate, it's smart for IT consultants to protect their businesses with adequate coverage. For a free quote on E&O Insurance, submit an online insurance application.