Mobile Malware Isn’t So Bad, For Now

This weekend a Swiss computer security researcher released an application designed to demonstrated the kind of personal information that a malicious iPhone application could potentially harvest personal from unwary users (pdf). The disclosure came just two weeks after the first truly malicious iPhone worm was released for jailbroken iPhones.

So, are we’re on the brink of a mobile malware pandemic?

Not necessarily, says MikkoHypponen, chief research officer for the Internet security company F-Secure, based in Helsinki, Finland. Hypponen has been collecting mobile malware specimens for the past 10 years. His count, so far, is 454 mobile viruses and Trojans since 2004. And, despite many security experts predicting that serious attacks against mobile devices are inevitable, Hypponen has observed the opposite trend. “Instead of getting worse, malware on mobile devices has been slowing down over the past two years,” he says.

The main reason, Hypponen suggests, is that most phone platforms exercise more control over the applications they run than desktop computers do. For example, mandatory application signing for the iPhone means that programs can’t run without authorization from Apple. Android’s open platform doesn’t use mandatory signing, but Google has designed a new security model for the operating system to minimize the damage that can be done by a malicious application.

Hypponen also believes that fragmentation in the phone market has hindered malware writers so far: no single mobile operating system dominates the way Windows does on the desktop, so it’s hard for virus writers to know where to focus their efforts. Furthermore, he says, far fewer people have the sort of low-level knowledge of specific mobile devices that’s needed to create successful malware.

However, Hypponen notes that the malware observed so far requires a user to install something malicious, instead of exploiting a vulnerability in the operating system itself. The real danger, he says, is when malware authors discover ways to attack a mobile device without that level of user participation.

“When that happens,” Hypponen says, “everything we know about mobile malware will have changed.”