Practically every security expert Security Watch talked to had something to say about the increasing volume of attacks against mobile devices. Android won't be the only one under attack, but iOS, Windows Phone, and BlackBerry, too. Trend Micro estimated that malicious Android apps will reach 3 million in 2014.
What's different about 2014 is that attackers will expand their arsenal to include new types of malware and other types of attacks against mobile devices, said Wade Williamson, senior security analyst at Palo Alto Networks. For example, attackers will also include mobile devices in their advanced persistent threat (APT) campaigns, especially since they will be able to use GPS location to pinpoint the target's physical location.
We've seen USB devices used to infect computers and in 2014, we will see criminals using mobile devices to carry out attacks. For example, they can use smartphones to gain access to computers over a WiFi network, said Jason Frederickson, senior director of application development at Guidance Software. Once connected, the attacker can infect the computer and all other devices on the same network, he said.
Ransomware Goes Mobile
There will be new types of mobile malware as cyber-criminals figure out new ways to monetize attacks against mobile. Ransomware will target Android devices in 2014, said Neil Cook, CTO of Cloudmark. Ransomware such as Citadel and CryptoLocker locked up infected machines and warned users that the computer will remain unusable until they paid a ransom. CryptoLocker encrypted the data on the machine, which meant even if the actual malware was removed, the data remained unavailable. This tactic proved to be highly effective in 2013 and will likely continue in 2014, with a few new twists.
Mobile ransomware will be slightly different from the variant targeting computers, Cook said. Most data stored on mobile devices are usually synced with some kind of cloud service—images on iCloud, contacts on Google's Gmail servers, documents stored in cloud storage—which means locking up the data on the mobile device wouldn't be as catastrophic as it would be on a computer.
It seems more likely that mobile ransomware will lock up the device on the hardware level, rather than targeting the data. While the data itself is fine and they would be able to just re-download their apps and information onto a new device, many people may prefer to pay the ransom rather than cough up hundreds of dollars for a new device.
Mobile Banking Fraud
SMS will attract more phishing attempts, especially targeting financial accounts, Cook said. There will be an increase in SMS messages sent to business phones as part of a spear phishing attack. SMS spam will push mobile malware onto user devices, which can result in private, confidential personal and financial information being exposed.
Trend Micro also suggested that two-step verification mechanisms used in online banking will become inadequate as cyber-criminals boost their man-in-the-middle attacks against mobile devices.
"Mobile malware will become more profitable for scammers," Cook said.
Security as a Competitive Edge
It's not all doom and gloom for mobile. With increased focus on data protection and online privacy, smartphone manufacturers will begin to compete on security, said Paul Kocher, president and chief scientist at Cryptography Research. Instead of focusing on just phone thinness or screen size, buyers in 2014 will consider how safe the apps are, whether data would be protected, and which devices wouldn't compromise security.