My previous post on mobile malware seems to have struck a cord. This post is updated with all the comments that I received (some contradicting each other!), organized in the same manner.
Why mobile malware will be a scourge of the future?
- there are many more cell phones than PCs - great opportunity for global infections and overall wireless mayhem (and robbery?)
- many cell phones/PDAs nowadays are always connected to a TCP/IP based network (more will be in the future)
- there are other fun avenues of possible spread, including Bluetooth, IR, MMS, mobile-to-PC, memory card, etc
- new methods of commercializing mobile malware are being invented (e.g. via paid SMS and MMS)
- cell phones are tied to automatic billing (!)
- many mobile devices contain data which is perfectly usable for social engineering and other attacks (address books, messages, personal notes, etc)
- much faster evolution of malware - its creators learned the lessons from the PC world
- PCs will become more secure and more security tools will be deployed there, so the attackers will shift focus
- very bad "OS" security on mobile platforms ("Win95-grade")
- there is no standard cell phone platform (like Windows in the PC world), even though there are some contenders (Symbian, Windows Mobile)
- sorry, but malware is commercial now and there is not much directly monetizable data to steal from a typical mobile phone
- similarly, mobile platforms are limited in both user and system functionality
- moreover, people PAY using their PCs (thus, phishing, pharming, etc) and mobile devices are not widely used for that (yet?)
- data is still secondary to voice on most modern mobile platforms (exception: Blackberry); thus, if your attack affects data only, the phone is still pretty usable
Other interesting thoughts (see raw comments) explain why it is not a scourge now (e.g. not too many phones are capable of even running malware).
Overall, after seeing the comments, I started to lean more heavily towards "run for your life" scenario - but it will hinge on more payments being done with/via cellphones directly. So, maybe those mobile anti-malware startups are worth something :-)
More thoughts? Anybody from an AV vendor, trying to sell mobile anti-virus tools now?
UPDATE: Kevin Mandia says: "Mandiant: First I would ask the nontechnical question, “Where is the money going?” Because where the money goes, the attacks follow. I would imagine if people start using mobile devices for online banking and credit transactions, thenmobile devices may be the next target. " Interesting!
UPDATE: a dirty lie? "Spanish police have arrested a 28-year-old man on suspicion of creating and spreading a virus that affected more than 115,000 top-of-the-range mobile phones."
1 comment:
It has only a few months since the FFIEC guidance kicked in for enhanced or two-factor authentication.
Now that a much larger segment of the financial services industry is using mobile phones for authentication, its only a matter of time before we start seeing targeted attacks against those customers.
I don't doubt at all that we'll see attacks against the largest banks that have rolled out multi-factor authentication. Chase for example has rolled out out-of-band authentication for cases where you log in from a previously unknown machine. I don't think it will take too long for people to get used to getting a message from Chase on their phone before a phisher puts up a site that looks like a chase login, asks you for your mobile number, and sends you a virus so that they can control what you do in the future...
Speculation, yes.
Scary, also a big yes.
Post a Comment