Franklin Heath Ltd

Master Your Information Assets

2011: Not the Year of Mobile Malware

Posted by Craig H on 30 December 2010

It’s nearly New Year, so it’s time for the usual “Next year will be the year of mobile malware” posts from companies trying to sell you PC-style anti-virus products. They’ve been saying this every year for 5 years now, and it still hasn’t happened because, very simply, phones aren’t PCs.

There are many control points which exist for phone software but not for PCs:

  1. Software has to be explicitly installed before it can run
  2. Applications are usually sandboxed or run with limited privileges
  3. Applications are typically reviewed before publication (by app stores or signing schemes)
  4. The channels by which malware could spread most widely are managed networks
  5. Rogue applications can be recalled (revocation or kill switches)

Of course, none of these control points completely prevents malware, but there is considerable defence in depth. For the first two controls above we rely on the phone firmware, so if and when flaws are found the bad guys can exploit them for as long as the flaw remains unpatched. The other three measures, however, involve human intelligence responding to threats, and this is where the landscape is greatly different from PCs.

One of the inevitable truths of the malware industry is that there are many attackers, and some of them are quite clever. We have seen this in the last year, especially in China where control 3 doesn’t generally apply (there is, let’s say, a “freeware” culture where applications are typically downloaded from file sharing sites). Express Signed for Symbian allows applications to be distributed without waiting for human review (a percentage of submissions are audited after the fact, but there is always a backlog, and by the time abuse of an account has been identified the malware will already have been in the wild, sometimes for weeks).

Automated checks to filter out suspicious submissions can be, and have been, put in place, but it’s usually a matter of days before the attackers figure out how to get around them; as Bruce Schneier often points out (albeit in another context), simply responding to the tactics of the last attack is not effective at addressing the underlying threat.

There is a need and an opportunity here. We need to deploy human intelligence in defence to counter the human intelligence of the attackers, but as we have experienced, there are many more attackers than defenders; it’s simply not feasible for someone to examine every version of every phone application to decide whether it’s malicious or not. The need is to magnify the effectiveness of the defenders by making it easier for them to do what humans do best: spot patterns.

The opportunity I see is to take advantage of Business Intelligence (BI) techniques to create visualisations of data about the large numbers of applications submitted to certification schemes, which would allow likely trends and anomalies in the submissions to be identified and then selected for further scrutiny. I’m quite excited about this, as it’s an ideal area for my wife’s and my new business, her area of expertise being BI, and mine being mobile device and information security (as I hope regular readers will already have spotted ;-))
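One way the pattern-spotting described above might be started in code, as an added example that is not Franklin Heath’s code nor any certification scheme’s actual tooling: it takes constructed submission records (account, application name, timestamp), scores each account’s submission volume with a robust median/MAD outlier measure, counts the largest burst of submissions inside any 24-hour window, and renders a text histogram of daily submissions so a reviewer sees the shape of the data before choosing what to scrutinise. The field layout, sample data and thresholds are all assumptions made for the example.

```python
"""Triage of certification-scheme submissions by volume anomaly.

Added illustration for the post above, not code from Franklin Heath Ltd or from
any real signing scheme.  The submission records and field layout are
constructed sample data; the thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median, mean

# Constructed sample submissions: (account, application name, submitted-at ISO timestamp).
SUBMISSIONS = [
    ("acme-dev",       "AcmeNotes 1.0",     "2010-12-01T09:12:00"),
    ("acme-dev",       "AcmeNotes 1.1",     "2010-12-14T16:40:00"),
    ("bluebird-games", "Bluebird Puzzle",   "2010-12-03T11:05:00"),
    ("cityguides",     "CityGuide Paris",   "2010-12-02T08:00:00"),
    ("cityguides",     "CityGuide Rome",    "2010-12-02T08:30:00"),
    ("cityguides",     "CityGuide Oslo",    "2010-12-10T12:00:00"),
    ("d-tools",        "D-Calc 2.0",        "2010-12-05T10:00:00"),
    ("d-tools",        "D-Calc 2.1",        "2010-12-06T10:30:00"),
    ("echo-media",     "EchoPlayer",        "2010-12-07T15:00:00"),
    ("fastsign-hub",   "Wallpaper Pack 1",  "2010-12-08T01:00:00"),
    ("fastsign-hub",   "Wallpaper Pack 2",  "2010-12-08T01:07:00"),
    ("fastsign-hub",   "Wallpaper Pack 3",  "2010-12-08T01:15:00"),
    ("fastsign-hub",   "Ringtone Pack 1",   "2010-12-08T01:22:00"),
    ("fastsign-hub",   "Ringtone Pack 2",   "2010-12-08T01:30:00"),
    ("fastsign-hub",   "Ringtone Pack 3",   "2010-12-08T01:38:00"),
    ("fastsign-hub",   "Theme Pack 1",      "2010-12-08T01:45:00"),
    ("fastsign-hub",   "Theme Pack 2",      "2010-12-09T02:00:00"),
    ("fastsign-hub",   "Theme Pack 3",      "2010-12-09T02:10:00"),
]
WINDOW = timedelta(hours=24)  # assumed burst window


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def account_stats(submissions):
    """Per account: (total submissions, most submissions inside any 24h window)."""
    by_account = defaultdict(list)
    for account, _name, ts in submissions:
        by_account[account].append(_parse(ts))
    stats = {}
    for account, times in by_account.items():
        times.sort()
        burst = 0
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= WINDOW)
            burst = max(burst, in_window)
        stats[account] = (len(times), burst)
    return stats


def robust_z(values):
    """Modified z-score (Iglewicz & Hoaglin): median/MAD based, so one heavy
    submitter does not drag the baseline the way a mean/stddev would.
    Falls back to the mean absolute deviation when the MAD is zero."""
    xs = list(values.values())
    med = median(xs)
    mad = median([abs(x - med) for x in xs])
    if mad == 0:
        mean_ad = mean([abs(x - med) for x in xs])
        if mean_ad == 0:
            return {k: 0.0 for k in values}
        return {k: (x - med) / (1.253314 * mean_ad) for k, x in values.items()}
    return {k: 0.6745 * (x - med) / mad for k, x in values.items()}


def flag_accounts(submissions, z_threshold=3.5, burst_threshold=5):
    """Return [(account, [reasons])] for accounts worth a human reviewer's time."""
    stats = account_stats(submissions)
    z = robust_z({a: total for a, (total, _) in stats.items()})
    flagged = []
    for account, (total, burst) in sorted(stats.items()):
        reasons = []
        if z[account] > z_threshold:
            reasons.append(f"volume outlier: {total} submissions (z={z[account]:.1f})")
        if burst >= burst_threshold:
            reasons.append(f"burst: {burst} submissions within 24h")
        if reasons:
            flagged.append((account, reasons))
    return flagged


def daily_histogram(submissions):
    """Submissions per calendar day (the date part of the timestamp)."""
    counts = defaultdict(int)
    for _account, _name, ts in submissions:
        counts[ts[:10]] += 1
    return dict(counts)


def ascii_bars(counts):
    """Text rendering of a bar chart so the reviewer sees the shape of the data."""
    return "\n".join(f"{day}  {'#' * n} {n}" for day, n in sorted(counts.items()))


if __name__ == "__main__":
    print(ascii_bars(daily_histogram(SUBMISSIONS)))
    for account, reasons in flag_accounts(SUBMISSIONS):
        print(account, "->", "; ".join(reasons))
```

The median/MAD score is chosen over a plain mean and standard deviation because a single account submitting far more than everyone else would inflate a standard deviation enough to hide itself; the burst count catches the same behaviour from a different angle, so an account that trips both is a strong candidate for the manual review the post argues should be targeted rather than exhaustive.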

So, to return to the title of this blog post, I can confidently say there will, again, be no mobile malware pandemic in the coming year. Whether or not the BI visualisations idea pans out, the environment for mobile phone malware still has the control points which enable an effective response to new threats in a way that the environment for PCs does not. We, the good guys, will be staying vigilant, so we wish you all a happy, prosperous and secure new year 🙂

2 Responses to “2011: Not the Year of Mobile Malware”

  1. […] When we discussed malware at the Barcamp, I claimed (live and on Twitter) that static analysis could be effective, and it seems that not everybody agreed with me, in particular Craig Heath, although we reach similar conclusions about mobile malware in 2011. […]

  2. Stuart said

    A couple of other points I think are relevant.
    1. The intermediation of mobile networks. So when you purchase a PC, you generally don’t do that from the network provider, and faults (and malware) are not a concern for the network operator. They get paid whether your PC is working or not. With phones the mobile operator will lose call revenue if you can’t use your phone, so there is an incentive for them to make sure that your device is working. Malware such as Cabir failed to spread partly because of mobile operators closing down the MMS infection vector.
    2. The mobile ecosystem is much more diverse than the PC one. With 90% Windows on PCs, the chance that a randomly chosen IP address in proximity to an infected system is an exploitable Windows PC is much greater. Despite the recent dominance of Android, the installed base is still pretty diverse; Symbian still has 40% of the installed base.
