A memo sent to Police, Fire and EMS personnel nationwide from the FBI and Department of Homeland Security earlier this summer was recently made public. According to the memo, the Android operating system is the primary target for mobile malware attacks. At face value, this would not be surprising: Android commands ~80% market share in the US, so it should proportionally experience the largest number of malware attacks. However, the same report says that iOS was targeted <1% of the time, which is well below Apple's market share. So, what's the difference?
The real insight comes later in the report. “Industry reporting indicates 44% of Android users are still using versions 2.3.3 through 2.3.7 – known as Gingerbread – which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions.” Rapid7's mobile customer database shows that 49% of Android devices contain at least one high severity vulnerability, aligning closely with the percentage of devices still running older OS versions.
So, the most effective way for organizations to eliminate these vulnerabilities is to ensure all employee devices are updated to the latest OS version. However, because the mobile ecosystem is so complex and OS updates require coordination between handset manufacturers, OS vendors and carriers, these updates can sometimes take months to deploy, creating large windows of risk. Even the ACLU has gotten involved, accusing the major US carriers of deceptive business practices due to untimely updates of Android devices. See our previous blog on this topic.
Rapid7 has an answer to this problem. Our Mobilisafe mobile risk management solution makes it easy for organizations to help their employees update their devices. Mobilisafe identifies the mobile devices connecting to organizational data, and assesses each device for its vulnerability risk and whether it is eligible for an OS update. For those devices that can be updated, Mobilisafe automatically sends emails to the employee, with direct links to the OEM site where the device update can be completed. Policies can also be created that block devices from accessing organizational data if the update is not completed within a set period of time.