Every couple of years there’s a new “hot threat” in security for which vendors abruptly tout newfangled protection and potential customers clamor for additional defense options. Once upon a time it was spyware, a few years ago it was data leakage, and today it’s mobile malware. It’s a reoccurring cycle, analogous to the “blue is the new black” in fashion—if you fancy adopting a certain cynical tone.

Lying at the heart of the cycle is the fact that these hot threats have never been particularly new. Within the security community, we tend to talk about the evolution of the threat landscape. If you speak with the relevant experts about a particular threat category you’ll uncover that the back story to many of these “hot threats” often goes back a decade or two. Mobile malware threats are certainly no exception.

A history lesson in the evolution of mobile malware is hopefully not required, beyond to say that today’s hot threat has evolved over a couple of decades and poses less of a technical challenge than many believe or commonly portray. But as history so often reveals in these cases, when a new threat is similarly labeled and thrust into the limelight for the first time, there’s all too often a stampede towards apparently novel and threat-specific solutions.

Solutions (and I use that term very loosely) within the mobile malware threat mitigation arena are increasingly difficult to differentiate from one another. In the confusion of defining a new threat and the nomenclature that accompanies it, the underlying technologies and viability of their approaches can get lost rather easily.

What is the “Mobile Threat”?

When I meet with customers, prospects and journalists, I get a lot of questions about the Mobile Threat. In particular, how should businesses work to defend against it? My immediate response tends to be “what do you define as the mobile threat?”

The term “Mobile Threat” is amorphous—it has become a catch-all to encompass anything not physically tethered to a network and happens to be newish from a technology perspective, and likely subject to some new (previously unencountered) formulation of evilness. That sounds like a kind of wishy-washy definition (and it is), but catch-all’s usually are. Instead, I’d rather focus on one aspect of the Mobile Threat—that of the mobile malware threat.

As I described in a blog entry illuminating a handful of security predictions for 2012, mobile malware threats continue to be misunderstood. It’s all too easy to dive deep in to the various technologies that expose mobile devices to new forms of attack and vectors of compromise; just as it’s rather easy to describe the various built-in technologies that the developers and engineers of the mobile devices have included to prevent many of the “legacy” threat categories we’re already all too familiar with.

You could spin a lot of cycles looking into the “what if’s” of mobile security threats but, at the end of the day, if you want to determine which threats and attack vectors are going to be the most immediate and protectable concern for your organization you only need to understand two things—how do your employees really use their mobile devices, and how are cybercriminals going to monetize their control of these devices?

For a moment, think about this. While Smartphones and Tablets often share a common operating system and maybe even the same application markets or stores, they are used in different ways, at different times, to accomplish different tasks. For this reason the attack vectors cybercriminals (and espionage-focused agencies) choose to launch against them are different for each category of mobile device. The tools—of which the most commonly encountered category is “malware”—are likely to be transportable between devices, but the vectors for installation and the type of meaningful information that can be extracted via them are quite different.

When it comes to the cybercriminals that target mobile devices (which constitute the core element of the “Mobile Threat”), it is interesting to note that they’re pretty much the same entities that have been historically successful in targeting traditional non-mobile devices. That shouldn’t really be a surprise to anyone—it’s all about monetizing the victims. If a particular cybercriminal group specializes in online banking fraud and a third of their potential target list shifts to tablet-based banking applications, they need to make a business decision—do they target the new platform or optimize their attacks against the traditional devices. As mobile application use increases, there’s an increasing driver for cybercriminals to invest in new mobile tool development. Similarly, if employees are wirelessly connecting to corporate systems and assets using mobile devices in preference to other traditional platforms, the attackers are forced to target these new devices and develop the appropriate tools.

It’s important to note that, while the end-point device is physically changing and the specifics of the tools the criminals need to develop and install upon the compromised devices is also changing, at the enterprise network and Internet infrastructure level there has been no change in criminal behaviors; nor is any change actually needed by them. The vast majority of C&C communications are HTTP-based regardless of the malware family or compromised device type. By speaking the same language, the cybercriminals can keep their existing infrastructure… business as usual!