Because of their popularity, vulnerability and the potential payoff, it’s no secret hackers target Android devices. For several years now, Google’s open-source Android software has powered about 85% of smartphones sold worldwide. These powerful computing devices store and process huge amounts of sensitive personal and corporate data, including confidential documents, access credentials, and email and SMS correspondence.
For organizations that have a BYOD InfoSec policy or use corporate Android phones, malware is of significant concern. Yet, according to the latest study from Verizon, despite citing BYOD as a top concern, only 14% of SMBs have any form of mobile phone information security policy in place.
Most cyber attacks on Android smartphones are launched via malicious apps, clicking on malicious links in emails, or by connecting to an infected system via USB. “Rooter” malware can give cybercriminals full remote control of an Android device, including access to your business network when an infected device connects to it.
Further, smartphones are storage devices and are just as susceptible to becoming infected and transferring malware via USB as other such devices. Similarly, when a user plugs a smartphone into a laptop or desktop system, malware can move from the phone to the PC or vice versa.
How SMBs Can Reduce the Risk
How can you mitigate the risk to your data and applications that Android smartphones represent? Here are five key InfoSec approaches that can significantly reduce risk and require minimal resources:
One: Update or replace older smartphones
A huge percentage of Android phones are running an out-of-date mobile operating system version, largely because it is up to the hundreds of manufacturers to update their specific phones. Many people don’t even know their OS version is outdated. Further, telecom companies have no incentive to push out manufacturers’ updates for older devices that they want you to replace. The older an Android phone is, the more likely it is to be running an out-of-date OS full of known security holes. A phone over two years old is probably past “end of life.” You may be able to update some older phones; others you’ll need to replace.
Two: Adopt a mobile device management solution
Fortunately for SMBs, more and more mobile device management (MDM) apps are available, and nearly all of them support Android. These apps help secure the corporate network and keep personal and business data separate while facilitating a BYOD policy. For example, an MDM solution can enable you to check whether all the smartphones (Android, iOS, Windows and Blackberry) on your network are running the latest OS version.
Three: Install mobile anti-virus
Besides mandating updates and adopting MDM, SMBs can also require anti-virus software for Android users. The best of these will not just run periodic scans, but also actively try to block malicious content from being opened or downloaded. Other features include call blocking and firewalls. Even some freeware versions are effective. Of course, implementing MDM would be essential to policing an anti-virus policy.
Four: Permit only Google Play Store apps
Downloading apps from sources other than Google is a primary way that Android phones are infected with malware. (Though some malware even sneaks past Google, and a number of Android phones have been found with malware pre-installed on them.) Prohibiting the use of apps from non-vetted sources on your network will help avoid many threats. This, in combination with anti-virus and keeping phones updated, all enforceable via MDM, creates a strong strategy that requires minimal resources to implement and maintain.
Five: Educate users
As with any security program, user education and awareness around safe usage practices is critical to keeping malware off Android phones. In fact, most Android malware requires the user to make at least one and often two “wrong moves” in response to requests, like giving suspect apps high-level access permissions. The best technical controls are of little value if your users keep blundering into harm’s way. Savvy users, meanwhile, can block many threats.
For guidance and expert support around MDM, mobile technical controls, and mobile cyber security awareness, contact Pivot Point Security.