The Mobile Malware Protection policy protects users from inadvertently downloading or using mobile applications that contain vulnerabilities, perform malicious activities, send or receive information from malicious websites, or leak personal, device-specific, or other sensitive information from their devices.

Mobile Malware Protection includes two mobile app security actions:

• Malicious Activity: Blocks apps that are known to be malicious, compromised, or perform activities unknown to, or hidden from, the user. Examples include:
  • Known malware (e.g., signature, hash, or YARA rule)
  • Communication with malicious websites or command and control (C2) infrastructure
  • Performing device or personal information collection and harvesting (e.g., phone number, SMS messages, email address, or location coordinates)
  • Performing suspicious actions or displaying suspicious behavioral indicators
• Known Vulnerability: Blocks apps which contain vulnerabilities or are using insecure features, modules or protocols. Examples include:
  • Common vulnerabilities and exposures (CVEs)
  • Use of insecure operations or features, such as vulnerable version of SSL/TLS

Mobile Malware Protection includes 6 mobile app privacy actions:

• Unencrypted User Credentials: Blocks an application from leaking a user's credentials in an unencrypted format (e.g., a username and password sent in clear text).
• Location Information: Blocks an application from leaking device location details via communication in an unencrypted format or for an unknown purpose.
• Personally Identifiable Information: Blocks an application from leaking a user's personally identifiable information (PII) via communication in an unencrypted format or for an unknown purpose.
• Device Identifiers: Blocks an application from leaking device identifiers via communication in an unencrypted format or for an unknown purpose.
• Communication with Ad Servers: Blocks an application from communicating with known ad servers.
• Communication with Unknown Servers: Blocks an application from communicating with unknown servers (e.g., servers not normally or historically associated with the application).

If a mobile app performs any blocked privacy action, Zscaler prevents that app from working at all. The apps can also be blocked on tablets, laptops, and desktop computers when the same indicators are present on the tablet, laptop, or desktop version of the apps.

By default, the Mobile Malware Protection policy blocks all of these actions. You can customize the Mobile Malware Protection policy for your organization. To learn more, see Configuring the Mobile Malware Protection Policy.

How it Works

Zscaler blocks suspicious apps using URL information, network traffic data, content signatures, and other app information. This information is gathered from Zscaler's proprietary threat intelligence and data gathered from ThreatLabZ to identify exploits, threats, or malicious communication.

If your organization has a Mobile Security subscription, you can also define policies to restrict mobile app downloads to specific app stores. To learn more, see About Mobile App Store Control.

To see how this policy fits into the overall order of policy enforcement, see About Policy Enforcement.