Verizon: Android is a mess, but the mobile malware epidemic is a myth

Verizon's new Data Breach Investigations Report 2015 says a mobile malware epidemic is mythical, that breach costs are variable, and that the industry doesn't understand its adversaries.
Written by Violet Blue, Contributor

Verizon's new DBIR (Data Breach Investigations Report 2015) says we've "got 99 problems, and mobile malware isn't even less than 1 percent of them."

Much to the chagrin of those selling FUD around the scary spectre of malware on your phone, or the coming IoT attack vector apocalypse, Verizon found that out of tens of millions of mobile devices, the number of ones infected with truly malicious exploits was "negligible," coming in at 0.03%.

(...) we stripped away the "low-grade" malware and found that the count of compromised devices was truly negligible. The benefit of working with [Verizon's] internal team is that we knew how many devices were being monitored.

An average of 0.03% of smartphones per week - out of tens of millions of mobile devices on the Verizon network - were infected with "higher-grade" malicious code. This is an even tinier fraction than the overall 0.68% infection rate (of all types of unwanted software) from Kindsight Security Labs' biannual report.

This backs up Google's findings in its Android 2014 Security Year in Review, released earlier this month, which found that fewer than 1 percent of Android devices had a "potentially harmful app (PHA)" installed in 2014.


No, $0.58 a record isn't the cost of a breach

Verizon's stable of smarties determined that the current formula for estimating the cost of a data breach - landing their preliminary estimate at $0.58 a record - isn't accurate.

Instead, Verizon took their initial methodology ($0.58 a record), Ponemon's methodology ($201 a record), and got "some real impact data based on actual insurance payouts, versus survey models," according to the report's co-author Marc Spitler.

[Chart: Verizon DBIR 2015 breach cost per record]

Above: The red line is Verizon's initial cost per record ($0.58/record), the green line is using Ponemon's model ($201/record), and the blue dots are the updated formula, a new methodology that reflects contributing factors.

The result was a formula for estimating loss that follows the nonlinear behavior of the data, accounting for uncertainty when the record volume increases. "Said differently, there's a lot of stuff contributing to the cost of breaches besides the number of records lost," the report explained. "Said even differently-er, records tell us only half the story when it comes to impact."

"With the new model, the average loss for a breach of 1,000 records is forecast to be between $52,000 and $87,000," Verizon adds, "with 95% confidence." As per the report, the cost of a breach of 10 million records is between $2.1 million and $5.2 million in the majority of cases, but could hit $73.9 million at most. A breach of 100 million records costs between $5 million and $15.6 million most of the time, with the possibility of hitting $199 million.
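To make the "nonlinear, with widening uncertainty" idea concrete, here is an added illustration of the kind of model the report describes: a straight line fitted in log-log space (loss as a power law of record count) with a 95% prediction interval. This is not the DBIR's own code or coefficients, which the article does not reproduce; the sample data is constructed from assumed coefficients purely so there is something to fit.

```python
"""Power-law breach-cost model with a prediction interval (added example).

Not the DBIR's model: the coefficients a, b and sigma below are assumptions
used only to generate a constructed sample to fit against.
"""
import math
import random


def make_sample(n=40, a=1.8, b=0.75, sigma=0.35, seed=7):
    """Constructed (records_lost, loss_usd) pairs.

    loss = 10**(a + b*log10(records) + noise): a power law with log-normal
    scatter, which is the shape the report says real losses follow.
    """
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        log_records = rng.uniform(2, 8)          # 100 .. 100 million records
        log_loss = a + b * log_records + rng.gauss(0, sigma)
        rows.append((10 ** log_records, 10 ** log_loss))
    return rows


def fit_loglog(rows):
    """Ordinary least squares of log10(loss) on log10(records).

    Returns (intercept, slope, residual_std, n, mean_x, sxx); the last three
    are kept so the prediction interval can widen away from the sample mean.
    """
    xs = [math.log10(r) for r, _ in rows]
    ys = [math.log10(loss) for _, loss in rows]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    intercept = my - slope * mx
    resid = [y - (intercept + slope * x) for x, y in zip(xs, ys)]
    resid_std = math.sqrt(sum(e * e for e in resid) / (n - 2))
    return intercept, slope, resid_std, n, mx, sxx


def predict_interval(model, records, z=1.96):
    """(low, point, high) loss in dollars for a breach of `records` records.

    z=1.96 is a normal approximation to the 95% t-interval; adequate for n>=30.
    Because the interval is symmetric in log space, it is multiplicative in
    dollars: the same +/- factor, so far wider in absolute terms for big breaches.
    """
    intercept, slope, resid_std, n, mx, sxx = model
    x = math.log10(records)
    mean_log = intercept + slope * x
    se = resid_std * math.sqrt(1 + 1 / n + (x - mx) ** 2 / sxx)
    return (10 ** (mean_log - z * se), 10 ** mean_log, 10 ** (mean_log + z * se))


if __name__ == "__main__":
    model = fit_loglog(make_sample())
    print(f"fitted: log10(loss) = {model[0]:.2f} + {model[1]:.2f} * log10(records)")
    for records in (1_000, 10_000_000, 100_000_000):
        lo, mid, hi = predict_interval(model, records)
        print(f"{records:>12,} records: ${lo:,.0f} .. ${mid:,.0f} .. ${hi:,.0f}")
```

The takeaway the report puts in words shows up in the numbers: the point estimate rises with record count, but the 95% band for a 100-million-record breach spans an order of magnitude in dollars, which is why a single per-record price such as $0.58 or $201 misses most of the picture.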

[Chart: Verizon DBIR 2015 breach cost model]

Across the board, Verizon found that the public sector is most at risk, followed by the tech sector, then banking and financial, with retail a close fourth (same as last year).

The report stated that this year, organized crime has become the most frequently seen threat actor for web app attacks, with financial gain being the most common of the primary motives for attacking.

Here, the ones suffering most are end-users. It's clear that mobile malware is both minimal and primarily a consumer problem, not an enterprise problem.

"One interesting sub-pattern distinguishes Financial Services from the rest," Verizon explained. "End-user devices were a factor in 82% of incidents and nearly a tenth of them involve some human element (phishing/social). A look through the details of these incidents shows a common sequence of 'phish customer > get credentials > abuse web application > empty bank/bitcoin account.'"

This push of burden to the consumer matches the way the Europay, MasterCard, and Visa (EMV) chip-and-PIN mandate goes into full effect in the U.S. in October 2015. As Verizon's report also noted, "U.S. consumers who are eagerly awaiting the deadline may want to curb their enthusiasm just a bit."

The main change that is taking place is an invisible (to the consumer) shift in liability.

You'll still see mag-stripe readers a-plenty, and when there is an incident of card fraud, whichever party has the lesser technology - merchants who haven't upgraded their terminals or banks that haven't issued new EMV cards - will bear the blame.

'We don't understand our adversaries'

Verizon's report took a surprising stance in its analysis, suggesting we're way off in categorizing attacks by industry.

The report stated that information sharing, compliance, and regulatory standards imposed on an industry level "may not be the best approach."

Elaborating, the report said that "our standard practice of organizing information-sharing groups and activities according to broad industries is less than optimal. It might even be counterproductive."

Maybe we don't understand the motives of our adversaries as well as we think we do.

Maybe cyber risk has more to do with business models or organizational structure or company policies than which high-level industry category one falls under.

Android: Less secure than having no phone

Android is crazy vulnerable, but not really being attacked. "Verizon Wireless data shows some 100 smartphones per week were infected, out of tens of millions of devices (mostly Android), for a 0.68% infection rate."

Overall, most infected Androids were hosting adware and other "annoyance-ware," according to Verizon's report. Android is the biggest mobile target of them all, as "most of the suspicious activity logged from iOS devices was just failed Android exploits," the report said. The report also stated that targeted malware is king on PCs, rather than on any mobile devices.

In fact, they said Android "wins so hard" in the race to the bottom in security that most of the suspicious activity logged from iOS devices was just failed Android exploits. "So while we'd love to compare and contrast iOS to Android," Verizon said, "the data is forcibly limiting the discussion to the latter. Also, the malicious activity recorded on Android is centered on malware, and most of that malware is adnoyance-ware and similar resource-wasting infections."

Malware: Just unbranded adware?

Verizon's report noted the rise of adware while looking over its vast stores of device compromise and infection data.

Adware, they noted, aggressively collects personal information from the mobile device it's installed on, "including name, birth date, location, serial number, contacts, and browser bookmarks."

Like malware, the researchers pointed out, this data is often collected without users' consent. "In our review, we examined ad libraries in Android apps. Adware is an increasingly popular option for app publishers, growing from almost 300,000 apps in 2013 to more than 410,000 in the first three quarters of 2014 alone."

Across all organizations, five malware events occur every second - and most malware has the lifespan of a fly. 95% of malware types lived for less than a month, according to Verizon's report, and four of five variants live no longer than one week. That data comes from the 170 million malware events studied in the report.

Nearly one out of four regular users (23% of all users) click on phishing emails. According to the report, "the median time to that first click is one minute and 22 seconds across all campaigns in the sample." "A campaign of just 10 e-mails yields a greater than 90% chance that at least one person will become the criminal's prey."

Disclosure feeds attacks. Verizon found that "Attackers were quick to turn around exploits after vulnerabilities went public in 2014: half of the bugs exploited last year were exploited less than a month after their disclosure."

Interestingly, the report noted:

  • About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.
  • A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.

...and yet, the faster organizations share the breach information, the report said, the faster it's stopped. "75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). Over 40% hit the second organization in less than an hour. That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness."

Packed with dry wit and awful puns, the report cautioned everyone to hang on to that really awesome old patch collection. "We found that 99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published."

Verizon noted that "the tally of really old CVEs suggests that any vulnerability management program should include broad coverage of the 'oldies but goodies.' Just because a CVE gets old doesn't mean it goes out of style with the exploit crowd."
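Two of the report's findings above translate directly into how a vulnerability management queue should be ordered: a public Metasploit module is the strongest single predictor of exploitation, and the age of a CVE is no reason to deprioritize it. The script below is an added example, not Verizon's or anyone else's tooling, that contrasts a naive "close anything older than N years" cut-off with a ranking that weights exploit availability and exposure and ignores age. The findings, CVE identifiers (deliberately of the form CVE-0000-NNNN) and the scoring weights are all constructed for illustration.

```python
"""Vulnerability triage that keeps the "oldies but goodies" (added example).

Constructed data and assumed weights; the CVE ids are placeholders, not real
entries. The scoring reflects the report's two points: public exploit code is
the best predictor of exploitation, and age alone is not a reason to drop a CVE.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder id, e.g. "CVE-0000-0001"
    published: date          # date the CVE was published
    metasploit_module: bool  # public exploit module exists
    internet_facing: bool    # reachable from the internet
    asset_criticality: int   # 1 (low) .. 3 (high), set by the asset owner


# Constructed scan results for a fictional estate.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", date(2008, 3, 1), True, True, 2),    # old, exploit public
    Finding("CVE-0000-0002", date(2014, 11, 5), False, True, 3),  # recent, no module yet
    Finding("CVE-0000-0003", date(2011, 6, 1), True, False, 1),   # old, internal only
    Finding("CVE-0000-0004", date(2015, 2, 10), False, False, 1),  # recent, low value
]


def age_in_years(finding, today):
    """Age of the CVE in (approximate) years as of `today`."""
    return (today - finding.published).days / 365.25


def stale_by_age(findings, today, years):
    """The naive policy: everything older than `years` gets closed as 'stale'.

    Returned so the caller can see what such a cut-off would silently drop.
    """
    return [f for f in findings if age_in_years(f, today) > years]


def priority_score(finding):
    """Report-informed score. Assumed weights, chosen so that a public exploit
    module outweighs exposure and asset value combined; age is not a factor."""
    score = 0
    if finding.metasploit_module:
        score += 50
    if finding.internet_facing:
        score += 20
    score += 10 * finding.asset_criticality
    return score


def rank(findings):
    """Highest score first; ties broken by older CVE first (more exploit history)."""
    return sorted(findings, key=lambda f: (-priority_score(f), f.published))


if __name__ == "__main__":
    today = date(2015, 4, 15)  # constructed reference date
    dropped = stale_by_age(SAMPLE_FINDINGS, today, years=3)
    print("naive 3-year cut-off would close:", [f.cve for f in dropped])
    for f in rank(SAMPLE_FINDINGS):
        print(f"{f.cve}  score={priority_score(f):>3}  age={age_in_years(f, today):.1f}y")
```

Run as-is, the naive cut-off closes exactly the two findings that carry public exploit modules, while the report-informed ranking puts the seven-year-old, internet-facing CVE at the top of the queue. The weights are a starting point to argue over with the asset owners, not a standard; the structural point is that "published before" never appears in `priority_score`.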

Keyloggers, however, are no longer in style. According to the report, "Back in 2010, malware was all about the keylogger, and we saw very few examples of phishing or RAM-scraping malware being used. Fast forward to today, and RAM scraping has grown up in a big way."

"This type of malware was present in some of the most high-profile retail data breaches of the year," the report noted, "and several new families of RAM scrapers aimed at point-of-sale (POS) systems were discovered in 2014."

More than 70 organizations contributed to the Verizon 2015 DBIR, itself a must-read overview report full of blistering puns and sobering points about the state of breaches as we know them.

Those contributors encompassed service providers, incident response firms, international Computer Security Incident Response Teams (CSIRTs), government agencies, and the security industry. The data looks at 79,790 security incidents worldwide, of which 2,122 were confirmed data breaches.

If you haven't read it yet, we highly recommend it - and if you're heading to RSA next week, you'll be glad you did.
