Malware, at least as an idea, has a long history. As far back as 1949, applied mathematician John von Neumann formulated a theory of self-replicating automatons, which proved prescient when technical implementations of it became feasible in the 1970s and 1980s. In 1971, computer scientist Robert Thomas created a program called Creeper, which was designed to be an application capable of jumping from one machine to the next. Although it technically did no damage, its design essentially qualified it as the first computer virus.
Malware yesterday and today
Since those early days, malware has proliferated and found its way onto PCs, servers, smartphones and tablets. Moreover, the rise of the Web has made malware distribution and amplification almost trivial, especially compared to the days when the only channels were removable media (i.e., floppies and optical discs) and computers connected to the early Internet at a few institutions like the Massachusetts Institute of Technology. The Morris Worm from 1988 was a trailblazer in Internet distribution, which necessitated a brief partition of regional networks in the U.S. and hinted at what was to come.
As we approach 2015, malware is far from a solved cybersecurity issue. If anything, the growth of broadband networking and ubiquitous IP-enabled devices has pulled off the impressive feat of simultaneously raising the stakes for security and affording cybercriminals a wider range of attack options. Data that was once confined to filing cabinets or Microsoft Excel spreadsheets on a local hard drive is now globally distributed. Everyday interactions such as credit card payments or updating information in an online account are subject to constant pressure.
With that in mind, let’s look back at where malware went in 2014 and where it may be going in 2015. Web and mobile attacks merit particular attention on this front.
Mobile malware had a big year in 2014
This past year marked a milestone in mobile malware, not only because of the characteristics and overall scale of the threats that emerged, but also because it marked roughly ten years since smartphones became common targets for infection. While the smartphone market wasn’t that large prior to the iPhone’s launch in June 2007, there were devices in mainstream use that attracted the attention of testers and cybercriminals.
The Trend Micro document “A Brief History of Mobile Malware” outlined how, for example, in 2004 a worm was developed for Symbian phones. It was a proof-of-concept that could spread via Bluetooth. A decade – and millions of mobile apps – later, we have more complex issues to wrangle with, such as:
- Third-party app stores: On Android in particular, unofficial distribution channels remain an issue. The year kicked off with some high-profile fakes of the hit game “Flappy Bird” available outside of Google Play. In March, Trend Micro’s Ryan Certeza highlighted the broader dangers of mobile devices being enlisted into botnets via unsecured app downloads. By December, third-party storefronts were still problematic, as highlighted in a Trend Micro TrendLabs Security Intelligence post about a component that downloaded additional apps to an infected device.
- Imposter Wi-Fi hotspots: Free public Wi-Fi continues to spread, with the number of hotspots potentially approaching 6 million in 2015. Service providers like AT&T and Comcast offer complimentary services in many locations, but the old saying about there being no such thing as a free lunch is worth remembering here. In June, Ars Technica documented how easy it would be to spoof a large carrier and gather data from a mobile device, especially since smartphones and tablets typically try to automatically connect to any known Wi-Fi network. There are thousands of hotspots named “xfinitywifi” and “attwifi.”
- Financial malware continued to come into its own in 2014. Zeus, one of the longest-lived Trojans that targets banking accounts, continued to evolve. It was spotted as a payload in targeted email campaigns that used messages containing no typos or unusual formatting. A URL in the email would direct the recipient to Zeus, demonstrating how sophisticated and high-stakes email phishing has become. Also on the financial front, Bitcoin wallet theft emerged as a novel form of cybercrime and may have accounted for 14 percent of all financial attacks.
Enterprises should be aware of where they could be vulnerable to mobile malware and take common-sense steps for reducing risk, such as utilizing endpoint security and articulating clear bring-your-own-device policies. Although there is an incredible variety of mobile malware that works at least in concept, it’s important to be level-headed and not become paralyzed by fear.
“In some ways, mobile malware is the Ebola of security,” observed a Damballa blogger in the first entry in a company series on 2015 cybersecurity predictions. “Once infected, the danger is real. But the actual risk of infection is low. If we don’t let [fear, uncertainty and doubt] get the best of us, and we stay diligent about practicing safe device use and management, we can keep that risk low.”
Stakes rise for Web attacks as year draws to a close
Mobile malware, like the mobile space in general, is still young and rapidly changing, so it will take a while until everyone has a mature risk mitigation strategy. The Web, though, is a much older creation and one that continued to be the subject of numerous high-stakes attacks in 2014:
- One security firm estimated that over one-third of computer users had been subject to Web attacks in 2014.
- Distributed denial-of-service attacks reached new heights this past year, with record-breaking attempts against firms like CloudFlare.
- The Sony Pictures breach showed what could happen when a relatively soft target was overwhelmed by pressure and potentially caught between nation-state actors.
Going into 2015, network security merits plenty of attention in light of the state of Web attacks. Staying ahead of attackers is difficult since it often involves playing defense, but organizations can be proactive with the help of deep discovery and cybersecurity software. Setting priorities – e.g., knowing how much of a threat mobile malware really is – will be key in putting together technical solutions and business strategy.