2011: Not the Year of Mobile Malware
Posted by Craig H on 30 December 2010
It’s nearly New Year, so it’s time for the usual “Next year will be the year of mobile malware” posts from companies trying to sell you PC-style anti-virus products. They’ve been saying this every year for 5 years now, and it still hasn’t happened because, very simply, phones aren’t PCs.
There are many control points which exist for phone software but not for PCs:
- Software has to be explicitly installed before it can run
- Applications are usually sandboxed or run with limited privileges
- Applications are typically reviewed before publication (by app stores or signing schemes)
- The channels by which malware could spread most widely are managed networks
- Rogue applications can be recalled (revocation or kill switches)
Of course, none of these control points completely prevents malware, but there is considerable defence in depth. For the first two controls above we rely on the phone firmware, so if and when flaws are found the bad guys can exploit them for as long as the flaw remains unpatched. The other three measures, however, involve human intelligence responding to threats, and this is where the landscape is greatly different from PCs.
One of the inevitable truths of the malware industry is that there are many attackers, and some of them are quite clever. We have seen this in the last year, especially in China where control 3 doesn’t generally apply (there is, let’s say, a “freeware” culture where applications are typically downloaded from file sharing sites). Express Signed for Symbian allows applications to be distributed without waiting for human review (a percentage of submissions are audited after the fact, but there is always a backlog, and by the time abuse of an account has been identified the malware will already have been in the wild, sometimes for weeks).
Automated checks to filter out suspicious submissions can be, and have been, put in place but it’s usually a matter of days before the attackers figure out how to get around them; as Bruce Schneier often points out (albeit in another context) simply responding to the tactics of the last attack is not effective at addressing the underlying threat.
There is a need and an opportunity here. We need to deploy human intelligence in defence to counter the human intelligence of the attackers, but as we have experienced, there are many more attackers than defenders; it’s simply not feasible for someone to examine every version of every phone application to decide whether it’s malicious or not. The need is to magnify the effectiveness of the defenders by making it easier for them to do what humans do best: spot patterns.
The opportunity I see is to take advantage of Business Intelligence (BI) techniques to create visualisations of data about the large numbers of applications submitted to certification schemes, which would allow likely trends and anomalies in the submissions to be identified and then selected for further scrutiny. I’m quite excited about this, as it’s an ideal area for my wife’s and my new business, her area of expertise being BI, and mine being mobile device and information security (as I hope regular readers will already have spotted ;-))
So, to return to the title of this blog post, I can confidently say there will, again, be no mobile malware pandemic in the coming year. Whether or not the BI visualisations idea pans out, the environment for mobile phone malware still has the control points which enable an effective response to new threats in a way that the environment for PCs does not. We, the good guys, will be staying vigilant, so we wish you all a happy, prosperous and secure new year