How mobile antivirus software works and how to know if you need it

Whether you require users to have mobile antivirus software on their devices depends on how much control you have and which devices workers use.

There are plenty of ways to prevent malware on mobile devices, but whether your workers need mobile antivirus software depends on how much control you have over the devices and which ones workers use.

Antivirus on a PC is an enterprise standard, but many mobile workers don't have it on their smartphones and tablets. It's a requirement for PCs because there are numerous applications, runtime engines and operating system attack vectors to worry about. Plus, many PCs are always on and connected to the Internet, making malware and viruses a round-the-clock threat. This is why antivirus software is centralized and IT-managed, and it's required to be up to date before users can connect to a corporate network.

Up to this point, the same antivirus requirements have not applied to mobile devices. Smartphones and tablets are built on newer, Internet-aware platforms that take modern threats into account. For example, most mobile devices don't support Java runtime engines and Flash. Additionally, workers usually download apps from app stores rather than undesirable outside sources. Smartphones also receive fairly regular updates.

Still, the ubiquity of smartphones, the trust that people put into the platforms and the interconnected nature of users' work and personal lives make mobile malware the next frontier for cybercriminals. There is plenty of proof: The MisoSMS botnet collected text messages from Android devices in Korea and sent them to Chinese hackers via email. Another malware campaign customizes bots into popular-sounding games that, once installed, send text messages costing up to $20 each. A Juniper Networks Inc. study (PDF) showed that Android malware rose 600% in 2012 and an F-Secure Labs report (PDF) noted that "highly specialized suppliers" that "provide commoditized malware services" seem very similar to those that target Windows desktops.

How OSes help fend off malware

To help keep malware off devices, Apple has a strict review policy for the iOS apps that make it into the App Store. It seems to be successful, although iOS viruses do exist. Google has started scanning the Google Play app store as well, but unlike iOS devices, Androids can sideload apps from outside sources. This practice can lead a user to download something unsecure or malware-laden.

Google has implemented some anti-malware features in the Android OS as of version 4.2, but the protection is lightweight and catches only around 15% of malware, according to one test at North Carolina State University. These measures are not enough protection, and many users ignore warnings about the dangers of infected fake apps. For example, when the Flappy Bird game developer pulled the official app from app stores -- because it was too addictive -- users tried to find it through third-party sources, many of which had versions of the app that contained malware.

The reality is that if users practice the same safe downloading practices on their mobile devices as they do on their desktops and laptops -- that means sticking to approved apps from a scanned app store and avoiding strange links from text messages and emails -- they will likely dodge malware. But users don't always follow those best practices, and in the bring your own device (BYOD) world, employees' bad downloading practices become IT's problem because personal mobile devices put corporate and private information in the same place.

Mobile antivirus software restrictions: 'You can't touch this'

You shouldn't expect antivirus on a mobile device to behave the same way it does on a desktop, however. Antivirus software on a PC can scan every nook and cranny, but mobile antivirus software is just another app. There can be serious restrictions around what an antivirus app can access. Mobile antivirus can't touch OS files, website filtering, in-memory scans or real-time protection engines. In iOS, apps are sandboxed from the OS and from each other by design. For example, if you want to scan an email attachment you've received, you'll need to send that file to the antivirus scanner to check for viruses because iOS blocks your antivirus app from accessing your mail app.

More on mobile antivirus

On-device defenses against malware

Quiz: Protecting mobile devices against viruses, spyware and malware

How antivirus software works

Android devices come with a different set of concerns because users can sideload apps and root devices. The primary job of many Android antivirus apps is to scan for apps from unofficial third parties and check against a known list of compromised apps. This is highly dependent on the antivirus app having an updated list of compromised apps. Android anti-malware also often looks for rooted devices. Users may root a phone to access features and information, bypass the sandboxing features that ask for access to contacts, texts and more, or to access new or custom ROMs.

Which devices need mobile antivirus software?

Android antivirus apps continue to get better, but they aren't better than the scanning in Google Play, and antivirus apps can't scan everything that a PC antivirus program can. Still, antivirus measures won't affect device performance, and unless you trust users to follow security best practices, it's better than nothing. Especially if users are still running pre-4.2 versions of Android, you should encourage them to download antivirus. Some mobile antivirus software also lets you find a device using GPS, lock or remotely wipe a device.

When it comes to iOS, there is little reason for users to download mobile antivirus software unless they have jailbroken devices. Although exploits are theoretically possible, there has yet to be a widespread attack on iOS. Antivirus for iOS can protect other users by scanning attachments and downloaded files, but it will do little for security on the device itself.

If you have complete control over the devices in your company -- that means you know there aren't any rooted or jailbroken devices and that users run up-to-date mobile OSes -- you may not need mobile antivirus. But if your company allows users to bring in devices of all types or you don't have direct control over devices, then requiring users to download mobile antivirus software may be worth it. Unfortunately, breaking the news that the real Flappy Birds game is no longer available is still your job.

Dig Deeper on Mobile security

Unified Communications