Friday, May 25, 2007

On Mobile Malware II

My previous post on mobile malware seems to have struck a chord. This post is updated with all the comments that I received (some contradicting each other!), organized in the same manner.

Why will mobile malware be a scourge of the future?

  • there are many more cell phones than PCs - great opportunity for global infections and overall wireless mayhem (and robbery?)
  • many cell phones/PDAs nowadays are always connected to a TCP/IP based network (more will be in the future)
  • there are other fun avenues of possible spread, including Bluetooth, IR, MMS, mobile-to-PC, memory card, etc
  • new methods of commercializing mobile malware are being invented (e.g. via paid SMS and MMS)
  • cell phones are tied to automatic billing (!)
  • many mobile devices contain data which is perfectly usable for social engineering and other attacks (address books, messages, personal notes, etc)
  • much faster evolution of malware - its creators learned the lessons from the PC world
  • PCs will become more secure and more security tools will be deployed there, so the attackers will shift focus
  • very bad "OS" security on mobile platforms ("Win95-grade")

Why will mobile malware be nothing much?

  • there is no standard cell phone platform (like Windows in the PC world), even though there are some contenders (Symbian, Windows Mobile)
  • sorry, but malware is commercial now and there is not much directly monetizable data to steal from a typical mobile phone
  • similarly, mobile platforms are limited in both user and system functionality
  • moreover, people PAY using their PCs (thus, phishing, pharming, etc) and mobile devices are not widely used for that (yet?)
  • data is still secondary to voice on most modern mobile platforms (exception: Blackberry); thus, if your attack affects data only, the phone is still pretty usable

Other interesting thoughts (see raw comments) explain why it is not a scourge now (e.g. not too many phones are capable of even running malware).

Overall, after seeing the comments, I started to lean more heavily towards the "run for your life" scenario - but it will hinge on more payments being done with/via cellphones directly. So, maybe those mobile anti-malware startups are worth something :-)

More thoughts? Anybody from an AV vendor, trying to sell mobile anti-virus tools now?

UPDATE: Kevin Mandia says: "Mandiant: First I would ask the nontechnical question, “Where is the money going?” Because where the money goes, the attacks follow. I would imagine if people start using mobile devices for online banking and credit transactions, then mobile devices may be the next target." Interesting!

UPDATE: a dirty lie? "Spanish police have arrested a 28-year-old man on suspicion of creating and spreading a virus that affected more than 115,000 top-of-the-range mobile phones."


1 comment:

Andy Steingruebl said...

It has only been a few months since the FFIEC guidance kicked in for enhanced or two-factor authentication.

Now that a much larger segment of the financial services industry is using mobile phones for authentication, it's only a matter of time before we start seeing targeted attacks against those customers.

I don't doubt at all that we'll see attacks against the largest banks that have rolled out multi-factor authentication. Chase for example has rolled out out-of-band authentication for cases where you log in from a previously unknown machine. I don't think it will take too long for people to get used to getting a message from Chase on their phone before a phisher puts up a site that looks like a Chase login, asks you for your mobile number, and sends you a virus so that they can control what you do in the future...

Speculation, yes.
Scary, also a big yes.

Dr Anton Chuvakin