There won't be that many new vulnerabilities found in mobile operating systems, but the number of attacks exploiting the known flaws are expected to double by the end of the year, IBM X-Force said.
Mobile threats have exploded this year, and researchers believe the
number of mobile device exploits will double by the end of the year,
according to the latest IBM report.
The number of known mobile operating system vulnerabilities
will increase only incrementally from 2010 to 2011, but the number of
exploits based on those flaws is expected to double from 2010 to 2011,
IBM's X-Force research group wrote in the IBM Mid-Year X-Force report
released Sept. 29. The growth is actually less than what happened from
2009 to 2010, when the number of bugs doubled and the number of
exploits jumped 400 percent, IBM said.
Of the 24 mobile operating system vulnerabilities seen in the
first half of 2011, at least half involved easy-to-exploit security
holes that allowed attackers to launch arbitrary code execution attacks
on the target device. Almost all of the flaws involved client software
remote code execution vulnerabilities that exposed users to
drive-by-download attacks from malicious Websites, the report found.
"For years, observers have been wondering when malware would
become a real problem for the latest generation of mobile devices,"
said Tom Cross, manager of Threat Intelligence and Strategy for IBM
X-Force, before adding, "It appears that the wait is over."
Malware distributors are setting up premium texting services
that charge users exorbitant rates to send SMS messages to that number.
Other criminals are collecting the victims' personal information from
infected devices which are then used in phishing attacks or identity
theft, according to IBM X-Force.
IBM's X-Force researchers examined attack trends for the first half of
2011. The report is based on intelligence gathered through IBM's
research of public vulnerability disclosures and the analysis of an
average of 12 billion security events collected daily since the
beginning of 2011, IBM said.
Malware authors are getting more sophisticated in their craft,
but the threats are also coming from the users who increasingly bring
their own smartphones and tablets into the enterprise but don't run any
security tools to protect the devices. Developers aren't properly
securing their applications and data is being leaked left and right.
Finally, many security vulnerabilities remain unpatched on the mobile
device because carriers aren't pushing out updates to their customers
in a timely manner or it's too difficult a process to install the
Users should be protecting their devices with mobile security
tools, X-Force researchers recommended. They should also be careful,
such as sticking with reputable app stores. Mobile malware is typically
distributed through third-party app stores. However, infected
applications have also popped up on Web forums, peer-to-peer networks
and other Websites. Off-market applications are usually pirated
versions of commercial Android apps, so users should be suspicious if
they are offered free copies of apps that normally cost money.
The IBM team also tested nearly 700 Websites and discovered 40
in mobile threats in the first half of 2011 was matched by a decrease
in the number of Web application vulnerabilities found over the same
period, according to IBM X-Force.
Web vulnerabilities decreased from 49 percent of all vulnerability
disclosures to 37 percent in the first half of 2011. This is the first
such drop observed in the last five years, according to X-Force. The
number of high and critical flaws in Web browsers was also at the
lowest point since 2007.