Mobile malware crisis? Not so fast

Amid a rash of dire reports about a lack of security on smartphones, it's critical to maintain perspective.

There's been a flurry of coverage of mobile malware over the past few days, including two separate reports declaring both 2011 and 2012 "the year of mobile malware."

Much of that worry flared up following a Juniper Networks report last week asserting that Android malware has increased 472 percent since July--on top of a 400 percent jump between 2009 and the summer of 2010.

Android's open app marketplace is at the root of that problem, Juniper concludes.

'You Should Be Ashamed'

Not everyone is buying it, however. Chris DiBona, Google's open-source programs manager, last week used Google+ to expound his own views on mobile malware, and they're nothing if not opposed to the ones currently in wide circulation.

"Virus companies are playing on your fears to try to sell you bs protection software for Android, RIM, and iOS," DiBona charged. "They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM, or iOS you should be ashamed of yourself."

'They Haven't Gotten Very Far'

The malware that has afflicted the major smartphone platforms so far doesn't compare with what Windows and some Mac machines have seen, DiBona explained.

"There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels," he wrote. Linux desktops, meanwhile, have avoided significant problems, he added.

It's not that viruses aren't possible on mobile platforms, DiBona noted. They aren't probable, however, thanks to barriers preventing the spread of such programs from one phone to another, he said.

'Much More Than Just Antivirus'

Both iOS and Android use WebKit-derived browsers, are based on open source kernels, use numerous open source libraries, and depend on the GNU Compiler Collection (GCC), he added. In addition, "all the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets."

Policy engines, meanwhile--or tools for managing devices from a corporate IT department--are "not the same thing at all," DiBona pointed out. But when vendors of such products add virus protection, "that part is a lie," he charged. "Tell your vendor to cut it out."

Security providers, not surprisingly, have disputed DiBona's claims.

"What @cdibona is missing is that these tools do much more than just Antivirus: Antitheft. Remote lock. Backup. Parental control. Web filter," tweeted F-Secure's Mikko Hypponen, for example.

An Exaggerated Picture

DiBona has a good point when he notes that mobile malware still pales in comparison with the Windows malware that has plagued--and continues to plague--the computing world.

It's also important to remember that many of the statistics to emerge recently sound a lot more alarming than they are, given that they're comparing today's malware situation with a base of essentially zero, when mobile platforms first emerged.

If Android started out with one instance of malware and then grew to six, that could be described as a drastic 500 percent increase while still remaining relatively insignificant, as my colleague Tony Bradley points out.

Finally, I also agree with DiBona that it's wrong to put the blame on open source as the cause of any security problem.

An Exploding Platform

To completely discount the value of efforts to combat mobile malware, however, is extreme. Given the rate at which mobile platforms in general are growing, it seems a pretty safe prediction that malware is going to follow, just as it did on the desktop side.

No operating system is perfectly secure. Even desktop Linux users sometimes install anti-virus software for extra protection, after all.

The majority of Android malware today comes from outside the Android Market, from what I've heard, and never even makes it onto most users' radar. It's also unlikely to spread.

Will that remain the case? Maybe, or maybe not. In the meantime, it doesn't seem like a bad thing to have people on top of it - just so long as we can keep their warnings in perspective.


Stories by Katherine Noyes
