Mobile Security Threats to Double by End of 2011: IBM Study

There won't be that many new vulnerabilities found in mobile operating systems, but the number of attacks exploiting the known flaws are expected to double by the end of the year, IBM X-Force said.

Mobile threats have exploded this year, and researchers believe the number of mobile device exploits will double by the end of the year, according to the latest IBM report.

The number of known mobile operating system vulnerabilities will increase only incrementally from 2010 to 2011, but the number of exploits based on those flaws is expected to double from 2010 to 2011, IBM's X-Force research group wrote in the IBM Mid-Year X-Force report released Sept. 29. The growth is actually less than what happened from 2009 to 2010, when the number of bugs doubled and the number of exploits jumped 400 percent, IBM said.

Of the 24 mobile operating system vulnerabilities seen in the first half of 2011, at least half involved easy-to-exploit security holes that allowed attackers to launch arbitrary code execution attacks on the target device. Almost all of the flaws involved client software remote code execution vulnerabilities that exposed users to drive-by-download attacks from malicious Websites, the report found.

"For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices," said Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force, before adding, "It appears that the wait is over."

Malware distributors are setting up premium texting services that charge users exorbitant rates to send SMS messages to that number. Other criminals are collecting the victims' personal information from infected devices which are then used in phishing attacks or identity theft, according to IBM X-Force.

IBM's X-Force researchers examined attack trends for the first half of 2011. The report is based on intelligence gathered through IBM's research of public vulnerability disclosures and the analysis of an average of 12 billion security events collected daily since the beginning of 2011, IBM said.

Malware authors are getting more sophisticated in their craft, but the threats are also coming from the users who increasingly bring their own smartphones and tablets into the enterprise but don't run any security tools to protect the devices. Developers aren't properly securing their applications and data is being leaked left and right. Finally, many security vulnerabilities remain unpatched on the mobile device because carriers aren't pushing out updates to their customers in a timely manner or it's too difficult a process to install the patch.

Users should be protecting their devices with mobile security tools, X-Force researchers recommended. They should also be careful, such as sticking with reputable app stores. Mobile malware is typically distributed through third-party app stores. However, infected applications have also popped up on Web forums, peer-to-peer networks and other Websites. Off-market applications are usually pirated versions of commercial Android apps, so users should be suspicious if they are offered free copies of apps that normally cost money.

The IBM team also tested nearly 700 Websites and discovered 40 percent contained client-side JavaScript vulnerabilities. The increase in mobile threats in the first half of 2011 was matched by a decrease in the number of Web application vulnerabilities found over the same period, according to IBM X-Force.

Web vulnerabilities decreased from 49 percent of all vulnerability disclosures to 37 percent in the first half of 2011. This is the first such drop observed in the last five years, according to X-Force. The number of high and critical flaws in Web browsers was also at the lowest point since 2007.