
Why Isn't Mobile Malware More Popular?

Suresh Ramasubramanian

This is a followup to Wout de Natris' as usual excellent piece on the Enisa botnet report — pointing out the current state of mobile malware and asking some questions I started off answering in a comment but it grew to a length where I thought it'd be better off in its own post.

Going through previous iterations of Mikko's presentations on mobile malware is a fascinating exercise.

Mikko has been saying much the same thing for a long time — and he was (quite a few years back) seeing / predicting some dual purpose type viruses, mobile viruses that also had a PC virus that'd get dropped if a dongle got connected. [according to a presentation he did on a panel I was chairing]

The same thing in writeups by other AV vendors such as Kaspersky Labs — an old release they wrote in 2006 reads a lot like it could have been written today ... except for the amount of mobile malware which has shown a steady and worrying growth. Cross platform (phone to PC) malware like Cxover gets described in this one too.

The threat potential is far more scary on mobile platforms. Some because of the platform and some because of service provider issues.

On the phone — a key worry is the lack of control / vetting of apps. Some OS and phone vendors vet and sign apps before allowing them to run on a platform. However, for other mobile platforms, even more than for operating systems, you can get a variety of apps from all kinds of sources. Not all of them are very well designed, so that the least they do is hang your phone, with the worst being to actively infect it, or at least leave it more vulnerable to infection than it was before.

Open access to phones, with features that allow unsolicited entry, is the most worrying. For example, open Bluetooth access, if enabled on a phone, means that apps (or malware) can jump to other phones within range. Such malware would travel rather slower than malware that propagates over the internet but…

Software can be sent to a mobile number so that opening a text message would trigger an attempted install. And everyone knows just how many users click "no" instead of "yes". Or should I have said "how few". Very few phones have AV and firewall programs installed so that the probability that any malicious app, once it makes it onto the device, will cause damage, is extremely high.

Service provider issues —

Mobile providers are usually from the Telco wing of various carriers, and they'd be bound by common carrier rules that the carrier's ISP division wouldn't be subject to. So — filtering content becomes a regulatorily much more dicey proposition.

Comparatively few wireless carriers are active in the security / malware conferences, so a lot of training / knowledge sharing / operational cooperation etc will be required before providers will be able to react appropriately to mobile malware threats on their network. To be sure, there are some major wireless carriers active in MAAWG, and efforts are made to reach out to conferences that wireless providers are more likely to attend, but… there is a lot to do, far more than there is in the ISP sector.

There're of course going to be far more such threats — but that wasn't why I started to write this post.

So, why isn't mobile malware spreading as rapidly as it should have, based on all our fears, predictions, readings of how precarious the security readiness of both mobile carriers and phone users is?

Maybe I'm way off base, but I would appreciate some comments on why mobile malware isn't spreading as fast as it should given the wide open nature of the platform and the lack of security, either on the device or on the network. I've a few thoughts on why this is the case… could be completely wrong of course.

My thoughts —

The fact that malware artists are still in what is seen as a testing phase (by the AV vendors, and as Wout's article points out) is indicative of maybe one, or likely several, of these reasons.

1. Far fewer smartphones — just dumb phones that get used for voice and text messaging. Especially in less developed markets with very high mobile penetration — there'll be far more "basic phones" around rather than smartphones.

2. Far more PCs with a limited subset of platforms than there are smartphones, plus the smartphones have a much more diverse platform base so the opportunity cost of developing PC malware (and later, mac / linux malware) might be far more favorable to malware artists. Of course, with several new mobile platforms placing much more reliance on the browser — and as mobile versions of Safari, Firefox, Opera etc are widely popular, there's a readymade common vector for spammers to launch attacks that are browser specific rather than OS specific, so got to see how this trend changes things.

3. Cumbersome security measures for mobile transactions — people may or may not carry out too many financial / banking transactions online [but that's changing, and gradually increasing]. And while people do book tickets or carry out financial transactions online, it might get more inconvenient to transact over a phone if this becomes a larger threat, perhaps more severe than in web based transactions. This may in fact discourage people from doing financial transactions on the Internet. For example the Indian banking regulator + central bank, RBI, recently mandated that all mobile txns must use a one-time password that the credit card issuer provides when the customer texts them at a number / calls their helpdesk.

... any more?

By Suresh Ramasubramanian, Architect, Antispam and Compliance

Related topics: Access Providers, Cyberattack, Cybercrime, Malware, Mobile, P2P, Security


Comments

Thank you for your thoughts, Suresh (and Wout de Natris  –  May 11, 2011 9:34 AM PDT

Thank you for your thoughts, Suresh (and the compliment). What strikes me in your comment is the distinction you make between telco and ISPs and that mobile operators stem from the telco side. Now many a telco has started or bought up ISPs in the past 15 years. About the same time mobile started to roll out on a bigger level. So where fixed networks learned the hard way in the past 10 years, mobile is now being confronted with these problems on a larger scale. What I hear in your reaction and from people I spoke to at RIPE 62 is the same as what I took home from Cologne: mobile is not up to dealing with these problems. Added to this, they are not known for their active policy on cyber crime. Some challenges, I'd say, and the end user will suffer the consequences at first. I see a task for regulators, so it's a good thing that mobile threats are on the agenda of the upcoming London Action Plan conference. But this is not enough.

Wout de Natris

I also forgot about carrier grade NAT being much more popular at mobile service providers Suresh Ramasubramanian  –  May 12, 2011 2:04 AM PDT

Makes it very interesting (!) from a security point of view.

The game has probably changed Suresh Ramasubramanian  –  Jul 09, 2011 7:45 PM PDT

The Zbot (Zeus malware toolkit) now has versions for Android, Windows Mobile and BlackBerry.

http://nakedsecurity.sophos.com/2011/07/09/android-malware-spies-sms-messages-zeus-family/

This is going to be interesting, in the Chinese sense of the word.
