Security Experts:

Separating Fact from Hype on Mobile Malware

As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter.

Mobile Malware While there is no doubt the amount of malicious programs with Windows in their bull’s eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype.

“There are two aspects to the heat index of mobile malware -- its actual prevalence in the wild, and its popularity among security researchers,” said Wendy Nather, an analyst with The 451 Group. “Certainly, the latter has been picking up a lot. Security researchers in some cases are scanning marketplaces for infected apps and making those statistics available, and in other cases are developing exploits and teaching about insecure mobile applications.”

This was underscored last week when Chris DiBona, open source programs manager at Google, criticized security vendors for overhyping threats to Android. Interestingly, a survey of 2,349 people released last week by security firm Mocana found that 47 percent responded negatively when asked whether they trusted their devices when it comes to storing sensitive information. This skepticism crossed platforms. When asked specifically about iOS devices, just 26 percent of respondents described their level of trust in the devices’ ability to protect information as “positive.” When it came to Android devices, only 19 percent said the same.

“We think that users in general are becoming more aware of security threats in general, and have been hearing more about Android attacks and exploits in the past few months,” said Kurt Stammberger, Mocana’s vice president of market development. “As smartphones displace old feature phones, even consumers are aware that these devices are, for all intents and purposes, computers in their pocket. And consumers have plenty of personal experience with malware and virus infection on their home PCs, so it's not difficult for them to see where this all is heading.”

When it comes to enterprises, IT professionals are still thinking about mobile device management and how to deal with the avalanche of devices coming into their organization, Nather said.

“The existence of mobile devices at this point is more of a worry than any malware itself,” she said.

Meanwhile, the malware itself has been a mix of the rudimentary and the sophisticated.

“Although the malware is still pretty rudimentary it’s mostly because it does not have to be too sophisticated to thwart defenses today,” Dan Hubbard, chief technology officer at Websense, told SecurityWeek. “We have seen some more sophisticated stuff coming out that does server-side polymorphism and some interesting banking Trojans also.”

Much of the malware is targeting Android users in China via third-party app stores. This is partly due to the size of the market however, Hubbard said, and the threat posed by mobile malware will increase in multiple geographies.

Still, avoiding unofficial app stores may not help a whole lot, Nather said.

“For one thing, Android was built to support the open, bazaar model of application development and distribution, so pretty much everything out there is unofficial,” she noted. “For another, consumers are not necessarily in a position to figure out whether a given marketplace is official, trustworthy, or even sourced in the U.S.”

Security of course is deeper than just Trojans and viruses, Hubbard noted, so while Apple’s walled-garden approach to the iPhone gives its users a leg-up in the malware fight when compared to Google that is only part of the story.

“As far as exploitability, it’s to be determined,” he said. “We are at a very early stage.”

On Demand Webcast: Protecting Corporate Data in Mobile Apps

Subscribe to the SecurityWeek Email Briefing
view counter
view counter