Smart phone-based malware attacks are one of those "next big thing" things we see in the security industry every...
year. In 2004, Gartner's John Pescatore predicted that by 2006 cell phone viruses would be as big a problem as they are for PCs. Last year, 20 leading security figures predicted the rise of cell phone worms would be among the top 10 security developments for 2007.
Still waiting. While we've seen a relative handful of cell phone nasties, mostly for the popular Symbian OS, from the Cabir worm in 2004 to Beselo, early this year, we've yet to see the general escalation that security vendors (no surprise) and many independent security experts have believed--and still believe--is coming.
There are some technical impediments, but the primary reason seems to be the lack of good business opportunities--for the bad guys. While criminals are doing a landslide business exploiting PC users who bank, shop and conduct business on the Internet, cell phone malware remains in what Ed Skoudis, co-founder and Senior Security Consultant with Intelguardians, calls the "hobbyist" stage.
"It's kind of like the Love Bug, or Melissa, back in the day," said Skoudis. "The move from a hobbyist game to serious cybercrime is a matter of finding a business model that makes sense."
That model just isn't there now. It may well emerge, but even vendors trying to sell mobile antimalware software concede that smart phones just aren't fertile hunting grounds. With the exception of countries like Japan, where using smart phones to conduct online business is a way of life, people in the U.S. and Europe stick to their laptops and desktops, and that's where criminals are depositing Trojans, keyloggers and bots.
"The main reason the bad guys are not going into mobile at the moment is that they are more than successful on normal machines," said Roel Schouwenberg, senior anti-virus researcher for Kaspersky Labs. "There's little reason to invest lots of time and money into the mobile area while the desktop is there for the taking."
"They're making tons of money on PCs," said Patrik Runald, Security response manager for F-Secure's security labs. "They haven't even started doing something similar for the mobile space."
Moreover, the cell phone market is split among a number of platforms--Symbian, Windows Mobile, BlackBerry, some Linux flavors, and now Apple and the coming Google Android, etc. The PC market is overwhelmingly Windows-based, the growing interest in Mac laptops notwithstanding.
"There is no mobile monoculture, no dominant OS on mobile phones, and the trend is not to less mobile operating systems; the trend is to more," said analyst Andrew Jaquith, a program manager at Boston-based Yankee Group. "None of those mobile OSes are ever going to get 90% or 95% market share; none of them will get 70%. If you are a mobile malware author, why would you even bother?"
Further, mobile phone devices are technology-challenged. They're a much more limited platform than PCs, presenting challenges to malware authors and legitimate developers alike. While desktops and laptops run at higher and higher Ghz rates with two or even four gigs of RAM, mobile phones chug along at maybe 400 Mhz with perhaps 512 MBs of RAM. If malware can bog down even on a fast PC as it gobbles up CPUs, think about running it on a smart phone. That takes some pretty sophisticated coding, and today's malware authors, spoiled by writing code for robust computers, may not be equal to the task.
"The bad guys have gotten used to being sloppy , they don't care if their code is efficient, because they have so many CPU cycles," said Skoudis. "Malware writers of 10 years ago understood the value of efficiency in writing tight code. Some of the viruses were just works of art in their minimalist nature and high functionality."
And the sundry mobile platforms are generally more secure by design. Development on PCs is pretty wide open. You don't have to sign code, or go through a particular vendor to distribute your apps. "On a general purpose PC with a microprocessor, and an OS and a lot of libraries, you can pretty much run whatever you want," observed Jaquith.
Most mobile platforms, by contrast, require digital signatures and integrity checking of payloads, what Jaquith describes as more of a "classic managed code model." And, software development tools are not all that good yet, whether you wear a white hat or a black hat.
That's changing, as we're seeing early moves towards open development platforms, such as the Google-driven Open Handset Alliance (OHA) and the coming open Android system. Open APIs and SDKs facilitate development and distribution of business and consumer applications, but they could also give malware writers easy access to create code that exploits mobile devices—if and when they find it worth they're while to do so.
While the Android implementation remains to be seen, there's some legitimate concern around the security of the wildly popular Apple iPhone. Security on the iPhone , which runs a stripped down version of OS X, rather than a purpose-built cell phone OS, is trivial compared with, say, BlackBerry, which has numerous security protections and policies.
"The iPhone feels like it's being secured as we go along," said F-Secure's Runald.
Apple, he says, allows developers to sign their own applications and upload them for distribution. If a particular app starts drawing fire, they can revoke the certificate. By contrast, Symbian requires developers to get their apps signed by Symbian before they are distributed.
Security aside, the iPhone's rapid growth and "cool factor" might be what pushes smart phone users to do more online and finally draw serious attention from the criminal underground. The upcoming 2.0 version of its software features MS Exchange integration, better email and calendar features and Cisco IPSec VPN support.
"This might be the icebreaker that starts enterprises using the mobile device as a business tool," said Runald. "I wouldn't be surprised if a lot of banks come out with a mobile banking application or shopping sites come up with special versions for the iPhone."
So, the question remains, will users start, to do more on their smart phones, and will smart phones finally become a major vector for malware? Vendors, not surprisingly, insist it will.
"There's no doubt in my in my mind it will happen," said Runald. "As mobile users start to use the mobile devices as a miniature PC, start to do regular Internet activities, that's when we will start seeing professional threats."
Kasperky's Schouwenberg agrees that "as soon as we all start to use mobiles to do Internet banking and maybe leave our notebook behind," smart phones will start attracting serious criminal attention.
But Yankee's Jaquith thinks this is mostly vendor hyperbole.
"I don't think there is a market for this stuff," he said. "Just because you can point to one example [of malware] on one phone operating system, doesn't mean you are going to have a pandemic tomorrow."
Intelguardians' Skoudis doesn't see any interest in cell phone antimalware software--for now, but he believes that this will change.
"Devices will get more powerful, there will be more plentiful software development tools, and people will use them more for money valued transactions, making them a more attractive target," he said. "Put all three together, and I think it's inevitable we'll get there. We're just not there yet."