"I think mobile is a real wake-up call to a lot of security professionals," says Michael Sutton, vice president of security research at Zscaler ThreatLabZ. "The mobile space is going to require us to completely rethink the way that we do security. We can't do things the way that we used to, and I think that most security vendors are just trying to repeat what was tried in the PC world beforehand."
One of the big reasons why traditional antivirus approaches won't fly is simply because the form factor is different.
"The device has limited resources, battery life is critical, and you don't want to have things running in the background that you don't have to," Sutton says. "Plus, on the flip side, if you look at the iOS world, it's just not even an option because you can't run things in the background; Apple has made the decision that is not going to happen."
According to Sutton, in order to address the risk of mobile malware, security firms need to find better ways to inspect and protect data in transit rather than necessarily focusing on what's going on within the device itself. This is especially key considering the fact that his researchers at Zscaler's ThreatLabZ are finding that the biggest risks are not necessarily from outright malicious software, but from "good" applications behaving badly.
"We're not seeing a lot of malware so much propagating on the mobile space as we are apps with a lot of privacy concerns -- apps sharing information that people aren't aware of, and apps that have not been built securely," Sutton says. "A few months back we were looking at some iOS apps that would ask you for your password to popular services like Google Docs, and all of those authentication credentials were just stored in clear text. So anybody who got a backup of your phone could go through that in plain text."
Sutton's points about the balance of risk between mobile malware versus privacy-smashing apps offers an interesting take in a heated debate that has been frothing for years now, and has come to a head recently with comments from Chris DiBona, open-source programs manager for Google. DiBona said that antivirus companies selling protection for Android, RIM and iOS are "charlatans and scammers." DiBona kicked over a hornets nest within the security world by questioning whether mobile malware is even a real threat.
"Well, it's definitely not the Easter bunny, I'll tell you that," says Brian Contos, director of global security strategy at McAfee. "I think maybe a few years ago people might have been able to make that argument and to some extent that it was such a small percentage of the malware ecosystem that it was relatively negligible. But we're seeing a lot more of it now."
According to McAfee Labs, mobile malware in the wild is growing significantly, particularly on the Android platform. In its quarterly threat report, researchers with the outfit reported Android malware rose by 37 percent in the last quarter. But these types of numbers can vary wildly -- a similar report from the Juniper Global Threat Center reported that its researchers measured an increase of Android malware from July 2011 to November 2011 of 472 percent. Similarly, Vanja Svajcer, principal virus researcher at SophosLabs, reported that over the last three months the number of unique malware samples sussed out by Sophos jumped four-fold. But even researchers at Sophos give a little credence to the point that even though mobile malware has grown and should be on most IT security pros' radar, it's still pretty uncommon. After all, that four-fold jump was from 500 unique pieces found to 2,000 unique malware samples found.
"Malware on mobile devices is a reality but is still very rare. You are far less likely to encounter malware for your phone than for your PC," says Richard Wang, manager of SophosLabs US. "The official marketplaces for both Android and iOS have good records of swiftly removing any malware found on them, reducing exposure to users who only use official sources for their apps. Mobile platforms are comparatively safe but not entirely free of risk. Users should take care of their data whatever device it is on."
Consensus throughout the industry is that, yes, some entities may overhype the numbers or the capabilities of their mobile security products to one degree or another. But that doesn't mean mobile malware threats and mobile security shouldn't be taken seriously.
"It would be crazy for anyone to dismiss the possibility of devices becoming compromised," says Jason Baron, partner and director of consulting services at Welsh Consulting. "Hackers operate on free market principles, but they don't really have the impediment of law or ethics that a real company has to worry about. So if there's a profit motive to exploit mobile devices, then they're going to exploit them."
Kevin Mahaffey, CTO and founder of Lookout Mobile Security, echoes Baron's thoughts, saying that just as mobile technology is operating at Mach speed, so too are the threats.
"While PC threats took decades to evolve, mobile threats have been advancing in a fraction of the time," Mahaffey says. "Because mobile phones have in-band payment mechanisms -- the ability to charge premium-rate phone calls and text messages to a user’s phone bill -- malware writers have a much easier time monetizing their attacks than the PC."
What's more, even though the form factor is different, mobile devices and PCs share one very important element that hackers will be looking to take greater advantage of in the future: use of the web. This may well be one of the biggest lessons the industry should take as it figures out just how to protect those little computers in our pockets.
"One of the most prolific pieces of malware in the last few years was Zeus, which is a man-in-the-browser attack. One of its incarnations actually installs a Trojan on Smbian, Blackberry and jailbroken iPhones, that can basically allow the man-in-the-middle software on the desktop or laptop to work efficiently by intercepting multiauthentication tokens," Contos says. "So, it's here and it's going to grow as people start using mobile devices more and more for banking, online shopping and doing the things they typically would on a computer. We're going to see many more attacks focused that way."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.