Mobile malware will be sneakier
Mobile malware often looks like a scare story put out by security companies with products to sell and programmers who over-estimate geeky theoretical risks.Fair assessment or delirious complacency?Every security show held (the recent RSA Show for...
Fair assessment or delirious complacency?
Every security show held (the recent RSA Show for instance) has its mandatory line-up of security bods prepared to sit around and discuss the latest ‘trends’ in mobile maliciousness. Ask a question about the business end of such threats and you’ll generally get a lecture about an example nobody has ever heard of. It’s always like this.
Estimates on the number of individual pieces of mobile-related malware vary, but it’s safe to say that it’s an almost invisible drop compared to what happens on the Windows platform on any one day. Leaving aside the odd bit of inspired phone phreaking, and the vast majority have been low-level proof-of-concept programs and that’s being kind to them.
Know anyone who has had their phone taken over by a piece of mobile malware? Me neither and I spend my time watching intently.
The interesting question is why mobiles have proved so much harder to attack than desktops, thus far.
There are several answers including the lower installed base of phones capable of running malware programs and the (allegedly) harder job of getting programs to work on platforms such as Symbian. Legitimate developers can find that hard never mind the criminals. The Apple iPhone uses a locked-down system of application approval that looks inherently more secure. No approval and the app won’t even run. In theory.
The biggest reason of all, however, has nothing to do with architecture or the security efforts of mobile developers. The mobile space is defined by diversity and long may it remain so.
Anyone trying to create a global malware menace immediately has to work harder, overcoming not one platform (as with the PC) but several, each distinct in terms of what is and is not possible. The mobile world has this far avoided falling into the trap created for desktops when Windows conquered the world.
Aside from the phenomenon of Jailbroken iPhones and cross-OS browser hacks, the platform that does give cause for concern is Android, which has the potential to become the largest platform in percentage terms. It also has an architecture that some have criticised as less than watertight in its application signing design. Google could be making the same mistakes as Microsoft in its effort to build a market.
The other likelihood is that the fascination with social networking on smartphones will give malware authors a way in when combined with social engineering trickery - Koobface is a model of how this might work. It looks inevitable that trust will be an abused commodity because it's hugely valuable.
Mobile software crime is an inevitability but it will rise up in different forms to the PC world, at lower (but still destructive) volumes, and be more carefully targeted. 'Rumsfeld's law' (thanks Donald) tells us that there are always 'unknown unkowns', and mobile software architecture is bound to have some vulnerabilities hidden away somewhere. The biggest protection against is still the competition between platforms, and that is the lesson I sense everyone has learned for the post-Windows world that is emerging.
We should never again allow one company’s idea of security to dominate the world until it is way past being too late to do much about it. But let's not believe that will save us from all pain.