The iPhone SMS attack demonstrated this week at Black Hat shined a legitimate spotlight on something that has historically been the subject of more than a little FUD – smartphone security.
For the past few years, security companies have tried to sell enterprises on the idea that they needed to be worried about smartphone security. The problem is that, at least in the U.S., there hasn’t been any massive malware outbreak on the devices to cause the necessary panic to make it a must-have. So while there are plenty of third-party security vendors offering anti-malware protection for smartphones, the market for the technology has not really lived up to the hype.
“Mobile phones will surely have security problems,” said Andrew Jaquith, an analyst with Forrester Research. “But for the most part the attacks we are likely to see lots of (SMS spamming, for example) are really attacks on people, not phones. And for that, you don’t need software, just half-decent carrier filtering and alert users.”
Even a recent study from SMobile Systems, which boldly claimed nearly one out of every 63 smartphones running Symbian is infected with malware, has been met with skepticism. As Symbian notes here, the claim was based on a sample of just 1,958 that were registered with SMobile’s anti-malware service – a drop in the bucket in terms of the millions of Symbian-based phones in use.
There are a couple of different reasons malware hasn’t really hit smartphones like it has PCs. One is heterogeneity – there are a number of different operating systems used by smartphone users. A second is that PCs generally remain a much more profitable target for cyber-crooks. Yet another reason, as Jaquith pointed out here in a blog post last year when he was with the Yankee Group, is that most mobile operating systems require a digital signature to run a third-party application.
Of course that last reason did not help in the case of the Sexy View Trojan, which somehow slipped through Symbian’s security review process and got the thumbs up. As it turns out, the malware was armed with botnet-like capabilities, and was designed to send data out to Websites. You can read Matt Hines’ write-up about that here.
At Black Hat, other researchers poked holes in the security of Google Android and other mobile devices as well. In light of all this, there should be no doubt that someone will always be looking for a way to get a hold of your data and/or compromise your device – whether that machine is a desktop or mobile phone. So we should be concerned – but it may be a while before the actual threat catches up to marketing.