Franklin Heath Ltd

Master Your Information Assets

  • Categories

  • Meta

The Mobile Malware Threat

Posted by Craig H on 5 May 2009

Last week, the BBC World Service radio programme Digital Planet included a piece on mobile phone viruses. This was based on research done at the Center for Complex Network Research (CCNR) entitled Understanding the Spreading Patterns of Mobile Phone Viruses.

Steve Litchfield of All About Symbian, pulling no punches, calls this “a load of BBC tosh” 🙂 To be fair though, I don’t particularly blame the BBC, who have simply taken journalistic license with the report’s main conclusion: “it is not unconcievable[sic] that the phase transition point will be reached in the near future, raising the possibility of major viral outbreaks.”

Unfortunately for the BBC and Professor Barabási at the CCNR, I think the research is flawed. As Mikko Hyppönen of F-Secure points out, the “paper more or less ignores the effects of technical safeguards built into modern smartphones operating systems.” I think I can help them out with that, as I have a graph demonstrating the effect of the introduction of the Symbian platform security architecture: (click it for a more readable size)

Occurrence of New Symbian Platform Malware over Time

The graph shows the number of new malware signatures discovered each month on the Symbian platform from June 2004 (when the Bluetooth worm Cabir, the first malware developed for Symbian OS, appeared) right up to last week (end of April 2009). To give a sense of perspective, that’s a total of 201 different signatures in nearly 5 years, as compared to over a million (yes, 1 000 000) new signatures on Windows PCs last year alone. The main point to note is the generally upward trend before March 2006, when the first phones including the Symbian platform security architecture started shipping (Nokia 3250 and Sony Ericsson P990i), and the generally downward trend after March 2006 as increasing numbers of phones have platform security included.

Here’s what I think is misleading about the report:

  • The title refers to “Viruses”, and yet none of the examples considered are viruses in the true sense.  If you don’t think this matters, consider that a true virus can infect a system silently and invisibly, whereas all the malware we have seen on the Symbian Platform needs to be invited in by the phone user, confirming that they really want to install it (i.e. it is properly called a “trojan”).
  • The model has a basic assumption that there are no security controls on the target phone.  As we can see from the graph, if there had been no platform security then one might extrapolate the trend, prior to 2006, into explosive growth in malware, but there is platform security and there is no such trend.
  • While acknowledging that MMS would play the biggest part in any rapid outbreak of malware on phones, the paper ignores the role of the MMSC in providing a control point for such spread.  In fact many (most?) network operators today implement filtering on their MMSCs precisely to prevent such an outbreak.

Noting all of that, I think that the general public can rest safe in the assurance that there is no inevitable mobile phone virus pandemic, and the BBC should feel at least a little embarrassed for suggesting that there is.  I’m not saying that there isn’t a threat – there is, otherwise we wouldn’t have bothered with the massive effort involved in implementing the platform security architecure in the first place – but Symbian, the phone manufacturers and the network operators are all working together to minimise that threat, and thus far I’d say we’re doing a pretty good job!

9 Responses to “The Mobile Malware Threat”

  1. Jouni said

    Thanx for the numbers, first time I’ve seen those! Platform Security really stopped the malware explosion, we can be grateful for that.

    Am I mistaken, if I interprete the stats so that there is a new curve possibly starting? While browsing some discussion forums, I’ve got a strange feeling… Popular runtimes (python, flash, wrt) and new powerful APIs (Platform Services) make people ask strange things.



    • Craig H said

      Hey Jouni! I’m reminded of the phrase required when advertising investment funds: “past performance is not necessarily a guide to future returns” 🙂 We certainly need to be alert to the possibility of new malware using new techniques to spread, and where possible we need to anticipate the bad guys by strengthening existing controls.

      I’m not worried by the current low level of malware though; we see the occasional blip (most recently with the “Yxe” worm in February) but as long as these incidents are isolated, all that tells us is that the threat is still there and we are still doing our jobs properly. If we didn’t see *any* malware we should just finish up our security efforts and go and relax on a beach in the Bahamas instead! 😉

  2. […] Craig H This morning the BBC World Service broadcast my response to their Digital Planet report on mobile malware. I’m pleased with the way it came out, thanks to Gareth Mitchell’s sympathetic […]

  3. […] security turned out to be quite well timed, as we can see from the graph in a previous post, The Mobile Malware Threat. The first malware written for Symbian OS, the Cabir worm, appeared in June 2004, and from that […]

  4. […] and S60 3rd and 5th edition phones are completely unaffected by it. As we know, there has been malware on older versions of Symbian OS, but that’s precisely why we introduced platform security in 2006, and that’s still […]

  5. […] it was a requirement for access to the more security-sensitive APIs on the platform. I’ve already explained (I hope!) why that was necessary, but it did mean that some developers who would really rather not […]

  6. […] […]

  7. […] betonte, dass die Bedrohung für Symbian-Smartphones, im Vergleich zu PCs, sehr gering sei. Allerdings war das Mobilbetriebssystem schon zuvor Ziel von Angriffen. Im Juli […]

  8. […] to return to the title of this blog post, I can confidently say there will, again, be no mobile malware pandemic in the coming year. Whether or not the BI visualisations idea pans out, the environment for mobile […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: