Mobile Malware Isn’t So Bad, For Now
Cell phones remain less vulnerable than PCs, but for how long?
This
weekend a Swiss computer security researcher released an application designed to demonstrated the kind of personal information that a malicious iPhone application
could potentially harvest personal from unwary users (pdf). The disclosure came
just two weeks after the
first truly malicious iPhone worm was released for jailbroken iPhones.
So,
are we’re on the brink of a mobile malware pandemic?
Not
necessarily, says MikkoHypponen, chief research officer for the Internet security
company F-Secure, based in Helsinki,
Finland. Hypponen has been collecting mobile malware specimens for the past 10
years. His count, so far, is 454 mobile viruses and Trojans since 2004. And, despite many security experts predicting that serious attacks against mobile devices are inevitable,
Hypponen has observed the opposite trend. “Instead of getting worse,
malware on mobile devices has been slowing down over the past two years,”
he says.
This story is only available to subscribers.
Don’t settle for half the story.
Get paywall-free access to technology news for the here and now.
Subscribe now
Already a subscriber?
Sign in
You’ve read all your free stories.
MIT Technology Review provides an
intelligent and independent filter for the
flood of information about technology.
Subscribe now
Already a subscriber?
Sign in
The
main reason, Hypponen suggests, is that most phone platforms exercise more
control over the applications they run than desktop computers do. For example, mandatory application
signing for the iPhone means that programs can’t run without authorization from
Apple. Android’s open platform
doesn’t use mandatory signing, but Google has designed a new security model for the operating system
to minimize the damage that can be done by a malicious application.
Hypponen
also believes that fragmentation in the phone market has hindered malware
writers so far: no single mobile operating system dominates the
way Windows does on the desktop, so it’s hard for virus writers to know where
to focus their efforts. Furthermore, he says, far fewer people have the sort of
low-level knowledge of specific mobile devices that’s needed to create successful
malware.
However, Hypponen
notes that the malware observed so far requires a user to install something
malicious, instead of exploiting a vulnerability in the operating system
itself. The real danger, he says, is
when malware authors discover ways to attack a mobile device without that level
of user participation.
“When
that happens,” Hypponen says, “everything we know about mobile
malware will have changed.”