<p>Android devices are more vulnerable than they should be and the mobile threat landscape has just got a lot more worrisome.<br><br>Until relatively recently, mobile malware wasn't that different from early PC malware - It was annoying, it probably invaded your privacy, and it took a toll on system resources but it wasn't especially dangerous or costly in the way that modern weaponized malware used to attack PCs, servers, and point-of-sale systems was. And just as early malware primarily targeted a single OS (Windows), mobile malware remains almost exclusively a problem for Android. However, it appears that Stagefright has served as something of a wakeup call for the industry - Android devices are more vulnerable than they should be and the mobile threat landscape has just got a lot more worrisome.<br><br>Stagefright, though, is actually an Android library that is deeply integrated into the OS. Any unpatched device running Android Version 2.2 or above is potentially vulnerable to exploits that require no user intervention to run. Users simply need to receive a crafted multimedia message which can enable transparent remote code execution.<br><br>Well, folks, the landscape has started to shift. Mobile devices are ubiquitous on corporate networks and, by their very nature, come and go between highly vulnerable and relatively safe environments. More importantly, though, because most mobile devices are at the mercy of carriers and vendors for their updates, administrators and users often aren't able to provide security patches in a timely manner. As Stagefright in particular has highlighted, fragmentation in the Android market is especially concerning. Google has committed to updating their flagship Nexus devices on a monthly basis now, but these represent only a small fraction of Android devices on the market. Samsung and LG are also prioritizing security updates but the process for packaging updates to their Android devices and then distributing the updates through the major carriers has always been long and complicated. Unpatched security holes are the norm, unfortunately, rather than the exception and the heterogeneity of user devices further complicates management in BYOD and corporate deployments.<br><br>Android has become a viable vector for a variety of attacks against both end users and organizational targets. But if neither users nor administrators can count on timely security updates in the way they can with desktop operating systems, what's the solution? Only use Nexus devices? Stick with iOS? Abandon BYOD? None of these are especially attractive options, but organizations need to give much more careful thought to mobile security as the threat landscape continues to evolve.<br><br>At the same time, layers of security remain the name of the game. This doesn't just mean the use of endpoint security or firewalls (although those are critical components). Setting policy about the types of allowed devices, for example, can increase security without being overly restrictive. For example, versions of Android above 4.0 have some internal mitigation measures that help protect against the Stagefright vulnerability even if the device hasn't been specifically patched to prevent related exploits. It is completely reasonable for employers to require devices running Android 4.0 and above as part of their BYOD policies. The use of robust security appliances can also prevent data exfiltration and communication between mobile malware and C&C servers even if individual devices are vulnerable to attack.<br><br>When it comes to mobile devices on a network, the best advice is to strive first for visibility and second for control. Visibility enables awareness, which will come in handy when the current landscape starts to shift. Control should put you into a position to react quickly.<br><br>Mobile devices have clearly demonstrated their ability to be vulnerable. Point-of-sale systems, servers, and applications are routinely compromised and it's time that we add Android devices to our growing attack surface that we protect with the rigor and vigilance of systems that don't fit in our pockets.<br><br><em>The author, Rajesh Maurya, Country Manager, India & SAARC, Fortinet</em></p>
