After several years of experts commenting publicly that the mobile malware epidemic predicted by some security vendors a few years back had likely been far overstated, more and more researchers are now getting back on the bandwagon.
I’m left wondering to what extent the problem is real today, or if it is merely something we need to care more about looking forward.
I remember sitting down for an interview with F-Secure’s Mikko Hypponen — one of the most respected mobile security experts on the planet — about a year and a half ago at a USENIX conference here in Boston and being rather shocked that he had begun scaling back his own predictions regarding mobile threats.
The ability of carriers and phone vendors to lock down their ecosystems, and the sheer variety of wireless device operating systems on the market, simply hadn’t made it viable for attackers to begin actively targeting handhelds to any great extent at that point, around mid-2006, he told me.
This was a bit shocking as, while not a doomsday type, Hypponen and his fellow researchers at F-Secure were among the most vocal parties in terms of evangelizing the need for stronger mobile AV at the time. But, as our conversation came to a close, the expert made one last point — that the rise of Web-based mobile applications and downloads would someday make the potential threat a reality.
And some experts are now saying that the time has arrived, or will soon.
Adding fuel to a fire touched off by researchers at Trend Micro about a month ago — when experts at the AV giant pointed to the emergence of the WINCE_CRYPTIC.A malware variant that targets Windows Mobile phones as evidence of growing activity in the field — a new report issued by researchers at Unstrung Insider, and backed by trade pub Light Reading, makes an aggressive call for more advanced wireless AV based on the rise of smartphones, and in particular all the Web-based applications and downloads frequently used by owners of such devices.
And, in a leap back to the conversations that people were having several years ago, experts with the company claim that mobile OS software is finally becoming ubiquitous and attractive enough for the bad guys to take notice and craft more threats aimed at compromising the systems.
“Mobile malware threats are on the rise, especially as smartphones increase in popularity, because smartphone operating systems are a primary malware target,” writes Denise Culver, a research analyst with Unstrung Insider who authored the paper.
“Mobile malware security vendors are preparing for wide-scale attacks by hackers — attacks that eventually will be as headline grabbing as those that hit email systems. Their hope is that smartphone manufacturers, carriers, and enterprises — not to mention smartphone users — will not wait until the threats have reached that level before securing their mobile systems,” Culver said.
Now, I haven’t read the larger report, and they likely try to keep the juiciest conclusions of their research under wraps for people willing to pay for the paper, but color me yet unconvinced. It just doesn’t seem to my eyes that we’re hearing about or seeing that many mobile malware attacks in the wild.
Now, I wouldn’t claim to be any expert in the arena, and I by no means see every attack advisory that gets published across the industry, but do we really need to be significantly more worried than we already were? Are mobile device and applications vendors failing to meet the security challenge? Are the mobile AV packages already offered by major vendors insufficient? Are large numbers of attackers really building viable mobile exploits?
I do believe that this is a problem that will grow as Web-based mobile apps continue to proliferate, and perhaps that’s all this report is trying to say. Everyone involved needs to be conscious of the potential for problems and adhere to the security habits we’ve adopted to keep PCs safer from online threats … but it still seems early in the game to me to sound the big foghorn and send people scrambling for cover.
Am I foolish to have reached this conclusion? I’m going to go play Skulls on my Symbian now.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.