
Why Isn’t Mobile Malware More Popular?

This is a follow-up to Wout de Natris’ (as usual, excellent) piece on the ENISA botnet report, which points out the current state of mobile malware and asks some questions. I started answering them in a comment, but it grew to a length where I thought it would be better off in its own post.

Going through previous iterations of Mikko’s presentations on mobile malware is a fascinating exercise.

Mikko has been saying much the same thing for a long time. Quite a few years back he was already seeing, or predicting, dual-purpose viruses: mobile viruses that also carried a PC virus, which would get dropped if a dongle got connected. [According to a presentation he gave on a panel I was chairing.]

The same picture appears in write-ups by other AV vendors such as Kaspersky Lab. An old release they wrote in 2006 reads a lot like it could have been written today ... except for the amount of mobile malware, which has shown steady and worrying growth since. Cross-platform (phone to PC) malware like Cxover gets described in that release too.

The threat potential is far scarier on mobile platforms, partly because of the platform itself and partly because of service provider issues.

On the phone, a key worry is the lack of control over, and vetting of, apps. Some OS and phone vendors vet and sign apps before allowing them to run on a platform. However, on other mobile platforms, even more than on PC operating systems, you can get a variety of apps from all kinds of sources. Not all of them are very well designed: at best they hang your phone, at worst they actively infect it, or at least leave it more vulnerable to infection than it was before.

Open access to phones, through features that allow unsolicited entry, is the most worrying. For example, open Bluetooth access, if enabled on a phone, means that apps (or malware) can jump to other phones within range. Such malware would travel rather slower than malware that propagates over the Internet, but…

Software can be sent to a mobile number so that opening a text message triggers an attempted install. And everyone knows just how many users click “no” instead of “yes”. Or should I have said “how few”. Very few phones have AV and firewall programs installed, so the probability that any malicious app, once it makes it onto the device, will cause damage is extremely high.

Service provider issues —

Mobile providers are usually from the telco wing of the various carriers, and they would be bound by common carrier rules that the carrier’s ISP division is not subject to. So filtering content becomes a much dicier proposition from a regulatory standpoint.

Comparatively few wireless carriers are active in the security / malware conferences, so a lot of training, knowledge sharing, operational cooperation and so on will be required before providers are able to react appropriately to mobile malware threats on their networks. To be sure, there are some major wireless carriers active in MAAWG, and efforts are made to reach out to conferences that wireless providers are more likely to attend, but… there is a lot to do, far more than there is in the ISP sector.

There are of course going to be far more such threats, but that wasn’t why I started to write this post.

So, why isn’t mobile malware spreading as rapidly as it should have, based on all our fears, predictions and readings of how precarious the security readiness of both mobile carriers and phone users is?

Maybe I’m way off base, but I would appreciate some comments on why mobile malware isn’t spreading as fast as it should, given the wide open nature of the platform and the lack of security either on the device or on the network. I have a few thoughts on why this is the case… which could be completely wrong, of course.

My thoughts —

The fact that malware artists are still in what is seen as a testing phase (by the AV vendors, and as Wout’s article points out) is indicative of one, or more likely several, of these reasons.

1. Far fewer smartphones: most phones are dumb phones that get used for voice and text messaging. Especially in less developed markets with very high mobile penetration, there will be far more “basic phones” around than smartphones.

2. Far more PCs, running a limited subset of platforms, than there are smartphones, and the smartphones have a much more diverse platform base, so the opportunity cost of developing PC malware (and later, Mac / Linux malware) may be far more favourable to malware artists. Of course, several new mobile platforms place much more reliance on the browser, and as mobile versions of Safari, Firefox, Opera etc. are widely popular, there is a ready-made common vector for spammers to launch attacks that are browser specific rather than OS specific, so it remains to be seen how this trend changes things.

3. Cumbersome security measures for mobile transactions: people may or may not carry out many financial / banking transactions online [but that’s changing, and gradually increasing]. And while people do book tickets or carry out financial transactions online, it might get more inconvenient to transact over a phone if this becomes a larger threat, perhaps more severe than in web based transactions. This may in fact discourage people from doing financial transactions on the Internet. For example, the Indian banking regulator and central bank, RBI, recently mandated that all mobile transactions must use a one-time password that the credit card issuer provides when the customer texts them at a number or calls their helpdesk.

... any more?
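To make point 3 concrete, here is an added example (not code from the original post, and not the RBI’s or any issuer’s actual implementation) of the server side of a transaction one-time password: the code is bound to the transaction and amount, expires after a short window, is single use, and is locked out after a few wrong guesses. The server secret, the transaction identifiers and the amounts are constructed values; delivering the code to the customer by SMS or helpdesk call is assumed to happen out of band and is outside the snippet.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # length of the code sent to the customer
OTP_TTL_SECONDS = 180   # assumed validity window; a real issuer sets its own
MAX_ATTEMPTS = 3        # wrong guesses allowed before the challenge is discarded


class OtpStore:
    """Issues and verifies single-use, short-lived one-time passwords.

    Only an HMAC of the code (keyed with a server secret and bound to the
    transaction id and amount) is kept, so a leaked store does not reveal
    live codes. The clock is injectable so expiry can be tested offline.
    """

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock
        self._pending = {}  # txn_id -> {"digest", "expires_at", "attempts"}

    def _digest(self, txn_id: str, amount: str, code: str) -> bytes:
        # Binding amount into the MAC means a code issued for one amount
        # cannot be replayed to approve a different one.
        msg = f"{txn_id}|{amount}|{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str, amount: str) -> str:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[txn_id] = {
            "digest": self._digest(txn_id, amount, code),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # Returned so the caller can send it out of band; never stored in clear.
        return code

    def verify(self, txn_id: str, amount: str, code: str):
        entry = self._pending.get(txn_id)
        if entry is None:
            return False, "no pending challenge"
        if self._clock() > entry["expires_at"]:
            del self._pending[txn_id]
            return False, "expired"
        entry["attempts"] += 1
        # Constant-time comparison of MACs, not of the raw digit strings.
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(txn_id, amount, code))
        if ok:
            del self._pending[txn_id]   # single use: a replay finds nothing
            return True, "approved"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[txn_id]   # lock out brute forcing of 6 digits
            return False, "too many attempts"
        return False, "wrong code"


def demo():
    """Walk through approve, replay, amount tampering and lockout."""
    store = OtpStore(b"constructed-server-secret")
    code = store.issue("txn-1", "1500.00")
    results = [
        store.verify("txn-1", "9999.00", code),   # amount changed -> wrong code
        store.verify("txn-1", "1500.00", code),   # approved
        store.verify("txn-1", "1500.00", code),   # replay -> no pending challenge
    ]
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The store holds one challenge per transaction, so a second `issue` for the same transaction id replaces the earlier code; an issuer would also rate-limit how often a customer can request a fresh code, which this snippet leaves to the caller.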

By Suresh Ramasubramanian, Antispam Operations

Thank you for your thoughts, Suresh (and Wout de Natris  –  May 11, 2011 4:34 PM

Thank you for your thoughts, Suresh (and the compliment). What strikes me in your comment is the distinction you make between telcos and ISPs, and that mobile operators stem from the telco side. Now many a telco has started or bought up ISPs in the past 15 years. About the same time, mobile started to roll out on a bigger level. So where fixed networks learned the hard way in the past 10 years, mobile is now being confronted with these problems on a larger scale. What I hear in your reaction and from people I spoke to at RIPE 62 is the same as what I took home from Cologne: mobile is not up to dealing with these problems. Add to that that they are not known for their active policy on cyber crime. Some challenges, I’d say, and the end user will suffer the consequences at first. I see a task for regulators, so it’s a good thing that mobile threats are on the agenda of the upcoming London Action Plan conference. But this is not enough.

Wout de Natris

I also forgot about carrier grade NAT being much more popular at mobile service providers Suresh Ramasubramanian  –  May 12, 2011 9:04 AM

Makes it very interesting (!) from a security point of view.

The game has probably changed Suresh Ramasubramanian  –  Jul 10, 2011 2:45 AM

The zbot (Zeus malware toolkit) now has versions for Android, Windows Mobile and BlackBerry.

This is going to be interesting, in the Chinese sense of the word.
