In its annual breach investigations report, Verizon suggests that the threat of mobile malware for phones and tablets is much less than the providers of mobile security products would have us believe.
Contrary to claims from companies like Lookout, which provide mobile security solutions and have warned for years about the rapid and massive growth of mobile malware, Verizon found virtually no iOS malware for iPhones or iPads in the data it examined from Verizon mobile customers last year, and virtually no Android malware either.
“We’re seeing that the exploits just aren’t happening,” Bryan Sartin, head of Verizon’s RISK team, told reporters in a phone call today discussing the company’s annual Breach Investigations Report.
As you might guess, Verizon’s annual report card is rarely optimistic—and, in fact, this year was mostly no different: one major finding of the report suggests that the time it takes for hackers to get into a system and siphon data, on average, is mere minutes and seconds. But this mobile malware finding serves as an unexpected bright spot. In a section of the report titled, “I’ve Got 99 Problems and Mobile Isn’t Even 1% of Them,” Verizon says although it found hundreds of thousands of malware infections for mobile devices, most of them were simply annoying adware programs. The really big mobile threats didn’t materialize.
“The reality was when we talk about really truly malicious [code], it was really 0.03 percent of Android devices per week,” Sartin said during the press call. “That’s a blip. That’s virtually nothing.” And the Android malware they did find far outnumbered any that targeted iOS devices.
Although Verizon’s dataset was limited—it involved just six months’ worth of data from Verizon Wireless customers and the tens of millions of devices they use to connect to the Verizon network—the authors of the report note that their findings are consistent with the analysis of other forensic firms like FireEye, who also say that mobile devices just don’t show up in their forensic investigations. “This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone,” the Verizon authors write.
Despite the fact that serious vulnerabilities have been found in mobile devices over the years, Verizon found little evidence that attackers were actually releasing exploits to attack them—for now. But this means, Sartin said during the press call, that companies have an opportunity to stay ahead of mobile attackers if they act now to secure and monitor their devices before the mobile attack waves strike.
But mobile security firm Lookout says that Verizon and other forensic firms likely don’t have the infrastructure or controls needed to properly detect mobile malware.
“It’s unsurprising that enterprises haven’t seen the more concerning, targeted threats because few of them actually have the mobile security controls in place that would detect these,” said Lookout CEO John Hering.