Is mobile malware really the gigantic business threat it is made out to be by numerous security firms? If it is, someone should tell Verizon’s researchers, who have once again struggled to find any to talk about in the firm’s 2015 Data Breach Investigations Report (DBIR).

The DBIR is accepted as probably the industry’s most comprehensive take on real-world data breaches, security incidents, malware types, and attack vectors, compiled from Verizon’s large mobile user base and extensive list of consultancy customers, with contributions from 70 global security agencies, including huge Internet firms, national CERTs and even the US Secret Service.

If mobile malware is out there, Verizon is probably the best qualified firm on earth to see it, and yet it devotes an entire chapter of the DBIR to a mostly fruitless search for evidence that mobile malware is being used on any scale to breach organisations.

After running eighteen passes or more on the data, the best the firm can say is that from tens of millions of smartphones connecting to its network each week, around 100 showed evidence of serious malware, almost exclusively on devices running Android. That’s a fraction of a fraction of one percent of all threats at most. The rest of the unwanted applications it noticed it rated as basically low-grade nuisance applications.

“We chopped, sliced, and flipped the data more times than a hibachi chef,” said the report, as if to emphasise the effort the firm went to in order to find mobile threats.

Relating that to the 2,122 real-world breach reports and nearly 80,000 security incidents fed into its database for 2014, the firm said that mobile devices were involved on only very rare occasions.

“When we’ve looked for these devices we’ve not seen them in our breach data,” confirmed Verizon risk team principal and report co-author, Jay Jacobs.

It’s a head-scratcher perhaps, but Jacobs is adamant that, as far as larger organisations are concerned, this is an over-rated threat.

“We see that it’s a weakness, we know that users can be duped. But we’re just not seeing it. Back off the hype a little bit. Mobile is not a pattern,” he said.

“Most of the malicious software is annoying for the consumer. But when we filtered this out there was a tiny fraction that had malicious software on it.”

The mobile malware that is out there is overwhelmingly opportunistic, short-lived attacks designed to mine a quick profit or grab some traffic, or push advertising through adware apps. Four out of five attacks don’t last beyond a week and 95 percent were gone within a month.

Jacobs is not saying that mobile malware doesn’t exist, nor that it is not a risk for consumers. But so far almost none of it is being used as part of the large number of detected attacks on organisations his firm deals with each year.

Verizon’s takeaway is that organisations should prioritise defending themselves from the other attacks that are working and stop worrying about attacks that will probably only materialise when mobile has been fully integrated into business.

Meanwhile, back with the breach reports that have made the DBIR such an annual event, suffice to say that the 2,122 confirmed in 2014 across 61 countries was significantly up from the 1,376 in 2013. This is largely down to the expanded list of organisations contributing reports of real-world incidents (70 against 50), although it is also possible that, as a record year for disclosed breaches, the rise is real too.

It is striking, however, that other aspects of data breaches have stayed almost the same from year to year in the DBIR, with the balance of external actors staying around 85 percent, with most of the rest internal staff and a tiny segment by or through partners. There is also evidence that breaches are taking longer to detect over time, usually more than a few days.

Another theme is the insane problem of patching, with only ten Common Vulnerabilities and Exposures (CVEs) accounting for 97 percent of the exploits seen in 2014. Many vulnerabilities are also exploited within a month of being made public, which means that public disclosure is a good indicator of the flaws that should be addressed most urgently, Verizon said.

With old flaws aplenty to choose from, “apparently, hackers really do still party like it’s 1999.”