Fear sells. Whether you’re hawking handguns or security software, scaring the bejesus out of your potential customer base is often a winning ploy. It’s no accident that security vendors, consultancies, and their page-view-hungry handmaidens in the blogosphere are quick to report every real or imagined threat and the exorbitant costs of breaches that might coax money out of a consumer or in-house security staffers.
Case in point: the supposed vulnerabilities of smartphones, tablets, and mobile payment system to hackers. Type “mobile security threat” into Google and you’ll get 206,000 hits.
But you’d have to dig very, very deep into that humongous store of Web pages to find actual examples of serious mobile exploits -- because there are almost none, according to Verizon's 2015 Data Breach Investigations Report, which includes data and commentary from 70 security firms in addition to Verizon's own data.
After looking at data on millions of devices monitored by Verizon, the authors write, “When we stripped away the low-grade malware and found that the count of compromised devices hung around 100 smartphones per week."
Compare that reality to the barrage of scary pronouncements about potential vulnerabilities in Android and, less frequently, iOS. Of course, real threats are out there, and the 69-page report points IT staffers to threats they should worry about. To be clear, the report’s section on mobile threats is focused on device security -- not the massive intrusions into networks carried out by the NSA and other agencies.
The truth: Very few mobile devices have malware
Apple's App Store has had very few malware apps in its seven years of existence, but Google's mobile operating system has long had a deserved reputation for an app store full of malware. However, in the past couple years, Google has cleaned up its Play Store and put in more stringent malware checks for new apps.
The Verizon report shows the effort has paid off: Verizon counts about 100 malware-infested mobile devices a week in its network monitoring. Keep in mind that Verizon has more than 40 percent of the U.S. market, so these figures equate to about 250 malware-infested mobile devices per week across all U.S. carriers.
Few of those exploits are particularly serious; nearly all of the intrusions were annoying adware, not pernicious agents. An average of 0.03 percent of smartphones per week -- about 100 out of tens of millions of mobile devices on the Verizon network -- were infected with “higher-grade” malicious code.
The malware found tended to be very short-lived. “Even though we looked at data just over a six-month period, 95 percent of the malware types showed up for less than a month, while four out of five didn’t last beyond a week. This could be from the malware piggybacking on the short-lived popularity of legit games and apps,” the report states.
The authors of the report are not saying that mobile devices can be ignored as a potential threat. “Mobile devices have clearly demonstrated their ability to be vulnerable. What we are saying is that we know the threat actors are already using a variety of other methods to break into our systems, and we should prioritize our resources to focus on the methods they are using now.”
Keep in mind that Verizon analyzes U.S. cellular traffic. The situation in many other countries would be very different, since users there routinely use non-Play Store apps. In fact, many devices can't access the Play Store because they use a forked version of Android, such as in China. Apps from outside the official Google app store are very likely to contain malware, other research has shown.
When it comes to those real attacks, Android “wins”
It’s not news, of course, that there are many more attacks on Android devices than on iOS devices, but the magnitude of the difference is surprising.
“Before we get too far, let's just get this out of the way now -- Android wins. Not just wins, but Android wins so hard that most of the suspicious activity logged from iOS devices was just failed Android exploits,” the Verizon report states. Roughly 96 percent of mobile malware was targeted at the Android platform.
Android's real risk is data-sucking adware
Although Android is no longer the malware magnet it used to be, it remains an adware magnet, Verizon says, with tens of thousands of apps that suck up user information without the user's knowledge.
Such adware, the report notes, aggressively collects personal information from the mobile device it's installed on, "including name, birth date, location, serial number, contacts, and browser bookmarks." Like malware, this data is often collected without users' consent. "In our review, we examined ad libraries in Android apps. Adware is an increasingly popular option for app publishers, growing from almost 300,000 apps in 2013 to more than 410,000 in the first three quarters of 2014 alone."
Still, such adware is not a corporate threat but a personal one -- unlike malware.
Breaches don't cost companies as much as you think
The Verizon report casts doubt on another bit of conventional wisdom as well: It turns out that the methods used to compute the average cost per record lost in a data breach are wildly inaccurate.The simplest and most common way to figure the cost per record of a data breach is to simply divide the total estimated loss by the number of records. The problem, say the authors, is that the true relationship is more complex.
Verizon used real-world data collected by NetDiligence, which partners with cyber insurance carriers to aggregate data on cyber liability insurance claims. When they applied the typical mathematical formula to that data, the cost per record was 58 cents, an absurdly low number compares to widely quoted estimates of about $201 per record in 2014 and $188 the year before.
The Verizon authors say they have come up with a better, though hardly perfect, method that avoids the wild disparity in cost estimates. In their calculations, the actual cost of a breach is between $52 and $87 per record, depending on the amount contained in those records.
That method is complex, and I don’t claim to fully understand it. But I am convinced we’re being fed a good deal of misleading hype about security and this report is a refreshing reality check.