In a report released late October, security firm Trend Micro found 175,000 different malicious and suspicious packages targeting the Android operating system by the end of the third quarter, a fivefold increase over the previous quarter. Antivirus firm F-Secure saw a similar jump, finding more than 50,000 malware packages targeting Android mobile devices in the third quarter, a tenfold increase compared to the prior quarter.
Yet while mobile malware has become a problem in a few countries, such as Russia and China, overall infection rates are low. In the U.S., for example, multiple reports by network-monitoring researchers have found less than 1 percent of devices infected with malware.
"We are seeing a big sample increase, but not a huge increase, in malware families," says Sean Sullivan, security adviser for F-Secure. "What we are seeing is more of a spam approach on the front end [in the app stores], but we see less activity in terms of infections."
The apparent paradox of massive increases in malware but only infrequent infections is, in part, due to the problems that cybercriminals have in monetizing compromised smartphones and tablets. Most cybercriminals have turned to toll fraud to convert their control of a mobile device into a paycheck. By sending out premium SMS messages to an attacker-owned service, the criminals are able to collect money from the user's phone. However, because premium SMS messages are not a popular way to pay for services in the U.S., the scams are less successful.
For enterprise security managers, the statistics offer a confusing picture of the threat landscape. With the bring-your-own-device trend in full swing -- one survey found that the average mobile worker carries three devices, and then some -- companies need to find ways to benefit from the productivity boost that comes with allowing workers to use their own devices, but without compromising security.
While malware needs to be a focus in the future, current corporate priorities for mobile devices remain essentially unchanged, says Kevin McNamee, security architect of Kindsight, a network security firm.
"The highest priority for the enterprise is that people have company data on their phones -- their contact lists, PowerPoint presentations -- so when the phone is lost, they have to worry about the corporate data being lost," he says.
Yet for most U.S.-based companies with thousands -- or even hundreds -- of employees, mobile malware will likely be carried inside their network sometime in the next year. Juniper Networks, which developed software to help companies manage and secure their employees' smartphones, typically detects malware on 2 to 3 percent of a client company's smartphones each year, says Daniel Hoffman, chief mobile security evangelist for the company.
"Spyware is by far the biggest category of infections that we see," Hoffman says. Rogue spyware -- as opposed to the kind that can be purchased online to, perhaps, legally monitor a person's cell phone usage -- makes up the lion's share of what Juniper detects. Fake installers, which wrap legitimate software in a malicious installer, are an increasingly popular tactic, while trojans that use SMS to sign users up for premium services are the third most popular type of malware detected in corporate networks, according to Juniper.
[A spate of research into mobile devices as sensor platforms has shown that compromised smartphones can be turned into insiders -- eavesdropping on phone calls, 'shoulder-surfing' for passwords, or looking around an office. See Mobile Trojans Can Give Attackers An Inside Look.]
Up-and-coming threats include many that security firms have found on PCs: scareware that attempts to convince victims that they must pay a fee to clean off their phones, bot-like programs that turn the phone into a text-message spam machine, and banking trojans that attempt to steal a victim's username and password to transfer money.
But targeted attacks on companies should also be a worry, Kindsight's McNamee says. The fact that phones constantly travel between untrusted networks on the outside of a company and back inside the corporate network makes them valuable to attackers as a conduit to sensitive data. Developing policies to prevent devices from being used as a way into the company's trusted network is important, he says.
"If you are in enterprise security and are worried about the phones that your employees are bringing to work, you have to look a year or so down the road to see what threats are going to be on the landscape," he said.
And mobile malware should be near the top of the list, he says.