This is a followup to Wout de Natris’ as usual excellent piece on the Enisa botnet report—pointing out the current state of mobile malware and asking some questions I started off answering in a comment but it grew to a length where I thought it’d be better off in its own post.

Going through previous iterations of Mikko’s presentations on mobile malware is a fascinating exercise.

Mikko has been saying much the same thing for a long time—and he was (quite a few years back) seeing / predicting some dual purpose type viruses, mobile viruses that also had a PC virus that’d get dropped drop if a dongle got connected. [according to a presentation he did on a panel I was chairing]

The same thing in writeups by other AV vendors such as Kaspersky Labs—an old release they wrote in 2006 reads a lot like it could have been written today ... except for the amount of mobile malware which has shown a steady and worrying growth. Cross platform (phone to PC) malware like Cxover gets described in this one too.

The threat potential is far more scary on mobile platforms. Some because of the platform and some because of service provider issues.

On the phone—a key worry is the lack of control / vetting of apps. Some OS and phone vendors vet and sign apps before allowing them to run on a platform. However, for other mobile platforms, even more than for operating systems, you can get a variety of apps from all kinds of sources. Not all of them very well designed, so that the least they do is hang your phone, with the worst being to actively infect it, or at least leave it more vulnerable to infection than it was before.

Open access to phones, with features that allow unsolicited entry are the most worrying. For example, open bluetooth access, if enabled on a phone, means that apps (or malware) can jump to other phones within range. Such malware would travel rather slower than malware that propagates over the internet but…

Software can be sent to a mobile number so that opening a text message would trigger an attempted install. And everyone knows just how many users click “no” instead of “yes”. Or should I have said “how few”. Very few phones have AV and firewall programs installed so that the probability that any malicious app, once it makes it onto the device, will cause damage, is extremely high.

Service provider issues —

Mobile providers are usually from the Telco wing of various carriers, and they’d be bound by common carrier rules that the carrier’s ISP division wouldn’t be subject to. So—filtering content becomes a regulatorily much more dicey proposition.

Comparatively few wireless carriers are active in the security / malware conferences, so a lot of training / knowledge sharing / operational cooperation etc will be required before providers will be able to react appropriately to mobile malware threats on their network. To be sure, there are some major wireless carriers active in MAAWG, and efforts are made to reach out to conferences that wireless providers are more likely to attend, but… there is a lot to do, far more than there is in the ISP sector.

There’re of course going to be far more such threats—but that wasn’t why I started to write this post.

So, why isn’t mobile malware spreading as rapidly as it should have, based on all our fears, predictions, readings of how precarious the security readiness of both mobile carriers and phone users is?

Maybe I’m way off base, but I would appreciate some comments on why mobile malware isn’t spreading as fast as it should given the wide open nature of the platform and the lack of security, either on the device or on the network. I’ve a few thoughts on why this is the case… could be completely wrong of course.

My thoughts —

The fact that malware artists are still in what is seen as a testing phase (by the AV vendors, and as Wout’s article points out) is indicative of, maybe one or likely several of these reasons.

1. Far less smartphones—just dumb phones that get used for voice and text messaging. Especially in less developed markets with very high mobile penetration—there’ll be far more “basic phones” around rather than smartphones.

2. Far more PCs with a limited subset of platforms than there are smartphones, plus the smartphones have a much more diverse platform base so the opportunity cost of developing PC malware (and later, mac / linux malware) might be far more favorable to malware artists. Of course, with several new mobile platforms placing much more reliance on the browser—and as mobile versions of Safari, Firefox, Opera etc are widely popular, there’s a readymade common vector for spammers to launch attacks that are browser specific rather than OS specific, so got to see how this trend changes things.

3. Cumbersome security measures for mobile transactions—people may or may not carry out too many financial / banking transactions online [but that’s changing, and gradually increasing]. And while people do book tickets or carry out financial transactions online, but it might get more inconvenient to transact over a phone if this becomes a larger threat, perhaps more severe than in web based transactions. This may in fact discourage people from doing financial transactions on the Internet. For example the Indian banking regulator + central bank, RBI, recently mandated that all mobile txns must use an one time password that the credit card issuer provides when the customer texts them at a number / calls their helpdesk.

... any more?