According to a recent Kaspersky report on mobile security, covered by SC Magazine, there were 3.3 times as many new malicious mobile programs in Q1 2015 as in the final quarter of last year.
I’ve taken from the article the most important assertions made by Patrick Nielsen, senior security researcher at Kaspersky Lab:
Mobile ransomware saw a 65 percent increase in samples, and mobile browsers accounted for 64 percent of mobile exploits.
The overall theme, from desktop to mobile, is criminal financial gain.
“The whole software industry is moving toward browsers and ‘web tech,’ so it makes sense that web tech is increasingly targeted,” Nielsen said. “The same functionality and portability advantages developers enjoy are also being enjoyed by cybercriminals. Browsers themselves are huge targets as well.”
I have two points to add to this report.
Mobile browsers are less secure than their desktop counterparts – they offer zero protection against known, classified malicious URLs. Here’s a post I wrote about the lack of security inside mobile browsers, including a short video demonstrating this very point.
There are millions of apps with the ability to display webpages – giving them browser-like capability. But again, they don’t have any protection against malicious URLs or unwanted content built in. While iOS apps might be safer than Android apps thanks to a stricter review process, this doesn’t stop legitimate apps from exposing consumers through insecure WebViews. Here’s a detailed post I wrote about how WebView has weakened the TCB of the Web infrastructure.
I’m not entirely sure how long it will take for cybercriminals to realize the full potential of sharing malicious links inside apps like Twitter and Facebook, but what I do know is that no security company aside from MetaCert is focused on solving this problem by making it easy for developers to add a thin but powerful layer of security to their apps during the build process.
The image used in this post is a screenshot of the Facebook iOS app where I was able to share a known, classified phishing website. While this URL is blocked by every mainstream desktop browser, it is not blocked by any mobile browser or app – unless protected by MetaCert with our Security API.
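
The kind of check that the in-app WebViews described above skip, as an added example (not code from the original post, and not MetaCert's Security API): a gate that a hybrid app's JavaScript layer could call before handing a tapped link to a WebView. The function name `checkNavigation` and the blocklist entries are constructed for illustration; a real app would query a URL-classification feed instead of a hard-coded set.

```javascript
// Added example: decide whether a URL may be loaded in an in-app WebView.
// BLOCKED_DOMAINS is a constructed stand-in for a URL-classification feed.
const BLOCKED_DOMAINS = new Set(["phish.example", "malware.test"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { allow: boolean, reason: string } for a link the user tapped.
function checkNavigation(rawUrl) {
  let url;
  try {
    // The WHATWG parser lowercases the host and separates out any
    // "user@" prefix, so look-alike userinfo does not fool the check.
    url = new URL(rawUrl);
  } catch (e) {
    return { allow: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allow: false, reason: "scheme" }; // javascript:, file:, data: ...
  }
  // Strip a trailing dot so "phish.example." matches "phish.example".
  const host = url.hostname.replace(/\.$/, "");
  // Check the host and each parent domain (but not the bare TLD), so that
  // login.phish.example is caught by the phish.example entry.
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (BLOCKED_DOMAINS.has(candidate)) {
      return { allow: false, reason: "blocklisted:" + candidate };
    }
  }
  return { allow: true, reason: "ok" };
}
```

Run the check on every navigation the WebView attempts, redirects included, not only on the link the user first tapped.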