Tuesday, May 22, 2007

On Mobile Malware: Yay or Nay!?

When I see stuff like this, I think "mobile malware" will be huge. But then I think rationally for a bit, and it seems like it won't :-) So, let me think about it a bit more since many folks are planning to launch companies to fight the coming onslaught of the mobile malware ... 

Why will mobile malware be a scourge of the future?

  • there are many more cell phones than PCs - great opportunity for global infections and overall wireless mayhem (and robbery?)
  • many cell phones/PDAs nowadays are always connected to a TCP/IP based network (more will be in the future)
  • there are other fun avenues of possible spread, including Bluetooth, MMS, etc
  • new methods of commercializing mobile malware will be invented (ah, make that "are being invented NOW")

Why will mobile malware be nothing much?

  • sorry, but malware is commercial now and there is not much to steal from a typical mobile phone (Tiny porn? Address book? Eh?)
  • similarly, mobile platforms are limited in both user and system functionality
  • data is still secondary to voice on most modern mobile platforms (exception: Blackberry); thus, if your attack affects data only, the phone is still pretty usable
  • there is no standard cell phone platform (like Windows in the PC world)

BTW, a few related, some mildly hilarious, links:

The last link also explains: "A great deal of changes need to take place before any year can claim that title: convergence of platforms, greater degree of integration, other targets become less attractive because they become harder to hack, an increase in data and transaction values of mobile targets; the emergence of a premier vulnerability on mobile platforms."

So, what do you think?


Anonymous said...

I think you've overstated the case for optimism:

* ...and there is not much to steal from a typical mobile phone *

-- unlike PCs, mobile devices are all tied directly to automatic billing systems - many of which allow payments < $9.99 w/o out-of-band authorization.

* data is still secondary to voice on most modern mobile platforms *

-- but the data on many mobile devices is just the kind you'd want to steal and great ammo for social engineering attacks

* ... no standard cell phone platform *

-- symbian (and windows mobile) have wide market share and are both full of problems

Mobile devices will come under attack just as soon as c0ders who take $$ for exploits realize how chewy these platforms are. And that's beginning to happen...

Chris Rohlf said...

When you say mobile, people may think different things. A blackberry is 'mobile' and certainly contains a lot of data a bad person may want to get their hands on. I think the next few years we will see a surge in malware in this area. It also takes widespread industry acceptance of the problem before average people start to understand that it is real. But I'm sure at this very moment there are 'mobiles' being targeted and attacked, it's just not widespread yet.

kurt wismer said...

i tend to agree that the idea of the year of mobile malware is pretty ridiculous (what does it even mean? was there a year of desktop malware?)...

i think it's too early to say whether or not mobile malware will be a scourge... mobile malware is not a big problem right now in part because of the cellphones out there only a small percentage are susceptible to malware at all... the population density of susceptible devices is higher in some places than others but it's still nowhere near the population of pc's... that means that right now pc's are a juicier target...

also, right now there's a lot more existing malware to build on for the pc platform than for the mobile platform... that said, there is already mobile spyware out there that can gather just about any cell phone information you can think of from text messages to voice communications to geolocation data...

i think the only real barriers to a mobile malware population boom are susceptible device population and access to financial transactions from the phone - both of which could reasonably be expected to increase in the mid-to-long-term future..

PaulM said...

Not to mention that the OS security of smartphone devices is similar to Win95. Which means that any code that runs anywhere has pretty much total control of the device. It also means that bolting security onto these platforms with third party software is going to suck and only companies are going to do it until carriers like ATT and VZW start shipping software already on the phones.

I envision malware that will exploit a browser or message reader (much as desktops are pwned today) and then send text messages to lots of "free ringtone" and "joke-a-day" services that charge $9.99/day for each text message (each of which will contain more exploits). And much like adware today, the phone-bot herder will get a cut of that.

So, this problem is definitely coming. But unlike browser and e-mail malware, my mom won't be affected, because she doesn't have a data plan or text messaging. :-)

Ken Buchanan said...

For what it's worth, my prediction...

Mobile malware will become popular when one of two things happens:
a) phishing and identity theft via PC-based attacks somehow becomes hard, or
b) people start doing Internet banking via their cell phones.

Actually maybe the second one isn't that far-fetched. Cell phones are turning into credit cards, after all. But so far all I see is RFID issues with that, and I don't see mobile malware coming into play.

Now if somebody starts turning smartphones into credit cards, *that* could be interesting.

Dr Anton Chuvakin