Slashdot Mirror
Will 2011 Be the Year of Mobile Malware?
alphadogg writes "Perhaps one of the most common predictions of the last six years has been that mobile malicious software will suddenly proliferate, driven by widespread adoption of smartphones with advanced OSes. None of those prognostications has really come to fruition, but it's likely that the coming year will bring a host of new malicious applications. Users — while generally aware of threats aimed at their desktop computers and laptops — have a good chance of being caught flat-footed with their mobile phones. In the third quarter of this year, up to 80 million smartphones were sold around the world, which accounted for about 20 percent of the total number of mobile phones sold, according to statistics published last month by analyst firm Gartner. Experts say the threats against those devices are going to come in several categories, including rogue applications. In September, researchers from security vendor Fortinet discovered a mobile component for Zeus, a notorious piece of banking malware that steals account credentials. The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions."
Oh I can think of a couple
Albeit, Jailbroken iPhones are less Secure than... umm... whats the term for that? Non-jailbroken? Jailfixed? StillJailed? Anyways.
Point is that some people have started writing malicious software for phones, its becoming glaringly obvious.
What we don't have is people focused on finding, removing, and spouting a product yet like Norton/McAffee/AVG/whatever.
Who is to say a lot of phones are infected but no one yet knows. I bet most users, if their email was compromised, would assume they were hacked via a computer, not tracked via their phone, which could easily be the case.
It is possible that 2011 might be a year in which there could be some unspecified increase in what could loosely be termed malware that might be targeted in whole or in part to infect certain devices that might be considered mobile devices under certain definitions of mobile or device.
If you feel you have to lead off with a statement that your prediction is essentially the same one you've been making for the past six years and it has yet come true, maybe you should leave off setting a deadline for the thing.
"Sacrifice for the good of The State" - The State
No, it won't.
This. Anytime you spot the formula "Will 'x' be the Year of 'y'" - particularly on slashdot - the answer is ALWAYS no. I think it has to do with that particular phrasing. Nobody ever seems to ask 'Will 2011 be the Year of 365 days' or something similar. It's always outlandish...
... because it will be the Year of the Linux Desktop (tm)(r)(c)!
I doubt this is going to be a repeat of Windows, where a combination of massive marketshare and blatant negligence on the part of Microsoft led to an epidemic of worms.
But, there's also a very real threat, even on systems like iOS where users and even Apple assume that they have control of the platform, hackers prove them wrong constantly.
For instance a month or 2 back, jailbreakers were able to just visit a website through mobile safari and execute one exploit after another to compromise the entire system and install unapproved software like Cydia. That's a rare alignment of exploits, but who can really say it won't happen again via a malicious attacker?
I seem to recall a similar prognoses at the end of last year. Seems not to have happened. I suspect the trend will continue.
the Windows Mobile aka WinPhone will really take off in 2011
I went to battle M.C. Escher, but drew a blank.
Nokia 2115i. It makes calls and sends texts. That's it. Not even internet access or a camera. (Though it does have a flashlight.) No need to fear viruses or spyware.
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
... rampant blogosphere speculation about everything. Just like the year before it.
year of...
Year Of...
YEAR OF!!!!
Holy crap, get over it! Stuff will happen next year. Some of that stuff will be expected. Of that expected stuff, some will live live up to expectations while the other will not. And there will be surprises!
2011 will be the Two thousand eleventh Year of the Common Era/Anno Domini.
"The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions."
So that thing can be used for banking too? Huh, I'll tell my wife....
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
It's been on MY desktop since 199x!
and as smart phones become more powerful more people use them for actual work. I have worked on many mobile apps that are used for on site surveys, audits, and other data collection. My own opinion of the value of that data isn't really very high, but i know my clients would freak out if their iphones crashed and the data was lost. In that event, i would say, "well I tell you to upload the data on a regular basis and it should be in your most recent backup, you do back up your phone, right?"
I know sales people who's contact list IS their life. I've become reliant on the iphone app 1Password to store my passwords. I have a number of drawings in audodesk sketchbook i wouldn't want to lose. Now, i back my shit up. Anything that brings down my phone is likely only a minor inconvenience, but there are plenty of people who could be seriously affected. The real question should be is 2011 the year when smart phones become so important that malware is a real threat?
do you know how hard I worked on my Angry Birds scores?
Quit doing it wrong. I had a storm for a year and a half and aside from the time it took to perform routine software updates it was hassle-free as a phone, media player, and everything else.
My brief foray in android led me to believe those non-marketplace apps often had memory leaks and slowed my phone down considerably.
if you don't know your banking password or have it stored on your phone, you're doing it wrong. google docs auto-saves frequently and is "cloud" based so you'll lose very little. online store passwords are easily recoverable. you haven't really negated the original post's points.
It doesn't really matter since passwords are already the weakest link in online security.
2011 is the year of Linux on netbooks. Or was that desktops. Anyway, I'm sure its a year of something linux related...
"...and passwords for your bank, online stores, Google (Docs (where you're writing your half-finished novel))..."
That sort of fuckup could be regarded as "LARTing by events". I don't leave passwords or important work on my phone. Ever.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I know :) but I just had to comment anyway :)
Our apps are already watching us beyond what we've authorized. How is that not malware?
Stop the brainwash
How can I install a firewall and AV software on my iPhone 3gs ?
I've unlocked and jailbroken it so I can customize it MY way and use it on the carrier of MY choice but I really want more than just a wink and a promise from Apple that I'm safe.
http://blogs.mcafee.com/mcafee-labs/windows-mobile-trojan-sends-unauthorized-information-and-leaves-device-vulnerable
it is possible but it is not like the market of Windows PCs has shrunken significantly so there's plenty to continue feeding on there as opposed to trying to attack low resource embedded devices like phones.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Malware is profitable when it can infect a huge number of systems. Without a monoculture of mobile operating systems malware isn't profitable enough to develop.
No, but X will be the year of poorly written and poorly researched trade magazine articles about Y.
Go green: turn off your refrigerator.
didn't they ask us this last year? This question feels awfully familiar...
It doesn't really matter since passwords are already the weakest link in online security.
It's not that type of password. You are already logged in to your banking site using username and password. Then you decide to send money to someone, and one of the ways of doing 2-factor authentication available to you is to have the bank send you a 1-time password by SMS, which you then type into the computer. The one-time password is bound to the specific transaction you were requesting, and the sms contains some information about the transaction (like the destination account number and amount), so if the account number or amount is not what you wanted you know something is wrong.
So unless the bad guys have malware on your phone AND on your pc, they can't steal your money.
Of course, this is in europe. In the US two-factor authentication means password+"what is your mother's maiden name". And no, this is not a random anti-american rant. Most US banks still do not have 2-factor authentication, while all that I know of in europe do, in some form or another. Also, a security guy from a US bank I spoke to at a conference told me they don't do two factor authentication because users don't want to remember more passwords (thus proving he does not understand what is 2-factor authentication). Also, he said that when you want to do something "suspicious" like sending money to a new destination, they start to ask you security questions (like "what is your mother's maiden name").
I just installed Hero of Sparta, non-market place game for free. I swear, that's the last non-market place app I'll install on my phone.
Why, did it change your restaurant finding apps to only show "Hell" as an option for dining? ;)
Comment removed based on user account deletion
But not for the reasons given. If you go to light in a box and browse all the android 2.1 pads for sale, all of them warn you not to attempt to re-install or change the OS. this warning is not given for some propriatary reason but simply because there is no assure path to a perfectly safe re-install of the android software and drivers.
Thus there are going to ba a gazillion android pads walking around that cannot be patched. It's a safe bet there are security holes to be discovered in this. Once that happens it's going to be like windows has been with the sea of mobile zombies.
The iphones are different. You are constantly offered updates. (which brings up the problem with jailbreaking-- you can't update easily for fear of busting the jailbreak.)
Now phones may be a different matter. If the phone companies are able to push updates it may be a lot safer.
Some drink at the fountain of knowledge. Others just gargle.
I feel confused. Hey, if you're at it make it the year of reading too.
Thought slowdown and increased battery consumption were the cost of using non-market applications.
With bad things, a year of the "foo" can happen, such as (IIRC) 2000 when the E-mail based worms slammed Windows networks, or 1994 when USENET was hit by the spam heard around the world. Those are times when the first salvo is fired starting the conflict in earnest (1994 when the spammers and cancelbots started, and 2000 when malware went from "just" the pirate scene to being able to wind up on anybody's desktop anywhere.)
Right now, malware is relatively rare on phones. However, there are things which are easy money if malware does get a foothold. Dialers for instance -- the old scourge of people who used the Internet before broadband. There is easy money to be made if malware gets a device to spam a SMS service for $10.00 per message.
There is one double-edged sword which both cuts at the freedom of the end user of cellphones and the malware writers -- hardware can change easily between iterations of a phone, while the PC architecture has to remain compatible back to the early 80s and MS-DOS applications. For example, outside of where the iOS apps have their jails, iOS can essentially do anything it wants to, and the apps don't/can't care. Same with Android and the /system directory.
So, the same precautions that can keep malware from accessing the machine can also keep a machine locked down.
Not only that, but 2012 will be the Year of the Linux Desktop also. And that is not a contradiction
It is the year of the Linux desktop.
It has always been the year of the Linux desktop.
This. Anytime you spot the formula "Will 'x' be the Year of 'y'" - particularly on slashdot - the answer is ALWAYS no. I think it has to do with that particular phrasing. Nobody ever seems to ask 'Will 2011 be the Year of 365 days' or something similar. It's always outlandish...
Another tell is any time you spot reference to Gartner, you can pretty much stop reading.
Its a race between Gartner and JD Power and Asshats to see who can provide the best cooked analysis and micro-category awards that money can buy.
Sig Battery depleted. Reverting to safe mode.
Its not about losing work to a systems crash or phone splash down in the toilet bowl.
Its about content being stolen by malware.
Sig Battery depleted. Reverting to safe mode.
Advanced operating systems are maintained in such a way that they don't run malware, for example, they are updated automatically so regularly that there is a disincentive to create malware, same as you get rid of graffiti with a regimen of immediately painting it over. Mac OS and iOS, for example. It's the not-advanced operating systems which are easy targets, graffiti magnets.
I don't leave passwords or important work on my phone. Ever.
Well you will. So get used to it.
Probably they will be in an encrypted password vault, dozens of which are available for Android or iPhone.
Your credit cards will be moving to the phone. Tap to pay terminals are springing up everywhere. Near Field Communication chips are being introduced into cell phones. They are already HUGE in Japan.
You will still need to password enable payment, but you won't be carrying a wallet full of risky credit cards in the future.
And those digital car keys? The rush to push button ignition is just to prep you for that being triggered by the presence of your phone as well.
Its all going into the phone, my friend, so get use to it.
The Amish won't use Electricity. Don't be that guy.
Sig Battery depleted. Reverting to safe mode.
Will 2011 be the year Windows kills off OSX and Linux and Microsoft takes control of the mobile market? Oh, the 2nd prompts the original suggestion: year of mobile malware.....
"Well you will. So get used to it."
Asserted conclusions /= proof.
"Probably they will be in an encrypted password vault, dozens of which are available for Android or iPhone."
Mine will be unused.
"Your credit cards will be moving to the phone. Tap to pay terminals are springing up everywhere. Near Field Communication chips are being introduced into cell phones. They are already HUGE in Japan."
I give a shit what is HUGE in Japan?
"You will still need to password enable payment, but you won't be carrying a wallet full of risky credit cards in the future."
I don't carry a wallet full of risky credit cards NOW. One card, that's it. No debit cards, which I will not have.
"And those digital car keys? The rush to push button ignition is just to prep you for that being triggered by the presence of your phone as well."
I'm a mechanic. If my old PATS system annoys me the PCM will be flashed with a "PATS delete", No problem
"Its all going into the phone, my friend, so get use to it."
I welcome other folks getting used to it. I spent my life learning how to make most of the tech I use serve me and see no reason to stop.
"The Amish won't use Electricity. Don't be that guy."
Blind technophilia /= "Amish".
One may choose from a wide variety of tech in ones personal life, Amish tech or computing tech any anything in-between.
It's all about "serving me". MY convenience, MY wants, not the wants of marketroids. OTHER people exist for them to fuck, which is fine with me.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Will 2011 be the Year of the Rabbit according to the Chinese zodiac? Yes, yes it will! Having been born in the year of the rabbit some multiple of 12 years ago, I expect 2011 to be particularly auspicious.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
SMBC's new rule for science journalism.
Current_year = n
Year_of_Linux_Desktop = N+1
By this reasoning, we are only 1 year away! I can already see everyone I know switching their PIII computers from XP to Debian or Gentoo!
"To prevent this day from getting any worse, I'll just read ERROR as GOOD THING" 1GJU8xLuDKDxEs4KLf8fAGyptoDsqvEsBT
I've used Nokias exclusively for the last 6 years. S60 2nd edition allowed you to install any apps from anywhere, and there were quite a few trojans and other apps written for it, around 2004-05. .SIS file) and then install it.
S60 3rd edition made it harder to do so by requiring all apps to be signed by Symbian, and earlier they only gave out certificates to companies rather than individuals. Nevertheless, there were (are) ways to self sign an install package (a
Even then - the phone warns you that the application is not signed, so there's no way anything can silently install itself without user intervention.
The second most common vector for exploits is the browser. No matter what short sighted US tech blogs may say - Symbian is the world's most widely used OS, with over 2 billion devices sold to date. How come we haven't yet seen a browser based exploit for the internal Webkit browser?
A google search for 'Symbian 3rd edition malware' shows up hardly one or two examples - and reading the descriptions, they rely on social engineering to fool the user into getting installed.
The same rules apply as on desktop OSes - namely not to open/install unknown applications etc. What would be worrisome would be a browser exploit, where just visiting a link can compromise your phone, or some sort of silently installed malware. The former has yet to be proved and the latter can only happen through (all too common) user stupidity, so this leads me to conclude that Symbian at least is safe for the present.
Also bear in mind that Nokia pushes out firmware updates much more regularly than other phone manufacturers; even upto 2 years after launch (the 5800 Xpressmusic is a case in point), so you can expect security fixes, if found, to be available faster. Sucks to be in the US with a carrier subsidized handset though.
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
With PC sales on decline they are looking for new markets. They crying wolf for several years already. That kind of FUD provoked Nokia to introduce digital signing for Symbian OS apps, which effectively killed developers community. That caused Symbian OS becoming increasingly irrelevant and eventually caused its death(or at least zombification). Which in turn destabilized Nokia position and could be cause of the death of Nokia itself.
...had malware years ago, but they introduced measures to stamp them out. This was the move from Symbian 7 to Symbian 8. IINM, this was the reason for the introduction of capabilities.
Max.