Slashdot Mirror


Will 2011 Be the Year of Mobile Malware?

alphadogg writes "Perhaps one of the most common predictions of the last six years has been that mobile malicious software will suddenly proliferate, driven by widespread adoption of smartphones with advanced OSes. None of those prognostications has really come to fruition, but it's likely that the coming year will bring a host of new malicious applications. Users — while generally aware of threats aimed at their desktop computers and laptops — have a good chance of being caught flat-footed with their mobile phones. In the third quarter of this year, up to 80 million smartphones were sold around the world, which accounted for about 20 percent of the total number of mobile phones sold, according to statistics published last month by analyst firm Gartner. Experts say the threats against those devices are going to come in several categories, including rogue applications. In September, researchers from security vendor Fortinet discovered a mobile component for Zeus, a notorious piece of banking malware that steals account credentials. The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions."

16 of 111 comments

  1. Maybe it might could by Hijacked Public · · Score: 3, Insightful

    It is possible that 2011 might be a year in which there could be some unspecified increase in what could loosely be termed malware that might be targeted in whole or in part to infect certain devices that might be considered mobile devices under certain definitions of mobile or device.

    If you feel you have to lead off with a statement that your prediction is essentially the same one you've been making for the past six years and it has yet to come true, maybe you should leave off setting a deadline for the thing.

    --
    "Sacrifice for the good of The State" - The State
  2. Not really by Artem S. Tashkinov · · Score: 3, Insightful
    I haven't read the article but the summary seems to be somewhat exaggerated:
    • Mobile phones (OS) don't have any form of autorun
    • You cannot run .exe/.cmd/.com/.lnk attachment from e-mail
    • A lot of users still ... don't ever install a single extra app, and use their smartphone only as a contact list manager, calendar and alarm clock
    • Unless Apple/Google becomes careless it's hard to believe that malware authors can (frequently) penetrate their app stores
    • There is still some variety: iPhoneOS/Android/RIM/W7 so malware writers can hardly target all platforms at once - so outbreaks are hardly possible
    1. Re:Not really by Monkeedude1212 · · Score: 2

      The first two are irrelevant.

      The remaining points can all be made irrelevant by the website that will jailbreak your iPhone using a PDF, all you have to do is swipe.

      Clearly there are some exploits you can hide to open up someone's phone.

    2. Re:Not really by Abcd1234 · · Score: 4, Interesting

      Mobile phones (OS) don't have any form of autorun

      So?

      You cannot run .exe/.cmd/.com/.lnk attachment from e-mail

      Correct. On the iPhone, you just had to visit a *website*, ffs.

      Seriously, this statement is beyond short-sighted. It's one zero-day vulnerability from being completely false.

      A lot of users still ... don't ever install a single extra app

      Again, who cares? All you need is a hole in one of the stock apps, and voila, users are hosed. Moreover, given how slow mobile phone operators are in updating the OSes on their network (the Android situation being the most obvious), a vulnerability like that could be a) near universal, and b) very slow to close.

      Unless Apple/Google becomes careless it's hard to believe that malware authors can (frequently) penetrate their app stores

      See above. This point is, well, pointless.

      There is still some variety: iPhoneOS/Android/RIM/W7 so malware writers can hardly target all platforms at once - so outbreaks are hardly possible

      Please... you need only target one of those platforms to hit millions and millions of people. That's by far lucrative enough to make it worthwhile.

      Frankly, I think the only reason you haven't seen this yet is because most malware is directed at turning a machine into a zombie, something for which a mobile device isn't that useful. But the minute someone can, for example, break an iOS device or Android device and start snarfing passwords, it'll become a far more interesting target.

  3. Re:None have come to fruition? by BobMcD · · Score: 2

    What we don't have is people focused on finding, removing, and spouting a product yet like Norton/McAfee/AVG/whatever.

    Go wash your mouth out with soap, right now!

    Can you imagine how god-awful slow people's phones will become after installing Norton Mobile 2011? And I bet the 'uninstall' process involves reflashing the device, too.

    Please no, for the love of all smartphones everywhere, please DO NOT speak this 'solution' out loud where others might hear it. If you speak its name you give it power, after all...

  4. Are you suggesting that... by Fibe-Piper · · Score: 3, Funny

    the Windows Mobile aka WinPhone will really take off in 2011

    --
    I went to battle M.C. Escher, but drew a blank.
  5. Re:None have come to fruition? by jeffmeden · · Score: 5, Informative

    What we don't have is people focused on finding, removing, and spouting a product yet like Norton/McAfee/AVG/whatever.

    Oh we don't, do we?

  6. DIE by mark72005 · · Score: 4, Funny

    do you know how hard I worked on my Angry Birds scores?

  7. Re:Who cares? by Anonymous Coward · · Score: 2, Insightful

    if you don't know your banking password or have it stored on your phone, you're doing it wrong. google docs auto-saves frequently and is "cloud" based so you'll lose very little. online store passwords are easily recoverable. you haven't really negated the original post's points.

  8. Re:Who cares? by couchslug · · Score: 2

    "...and passwords for your bank, online stores, Google (Docs (where you're writing your half-finished novel))..."

    That sort of fuckup could be regarded as "LARTing by events". I don't leave passwords or important work on my phone. Ever.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  9. Re:None have come to fruition? by causality · · Score: 2

    I don't see how BloatwareSecuritySuitExtreme 2011 would ever be necessary.

    Since when did marketers ever care about whether you actually need whatever product they're hawking?

    Windows has already trained most of the public to perceive virus scanners as essential system tools.

    --
    It is a miracle that curiosity survives formal education. - Einstein
  10. Already happening! by Jeppe Salvesen · · Score: 3, Insightful

    Our apps are already watching us beyond what we've authorized. How is that not malware?

    --

    Stop the brainwash

  11. Re:Nope by characterZer0 · · Score: 3, Insightful

    Will X be the year of Y?

    No, but X will be the year of poorly written and poorly researched trade magazine articles about Y.

    --
    Go green: turn off your refrigerator.
  12. It's about 2-factor authentication... by js_sebastian · · Score: 3, Interesting

    The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions.

    It doesn't really matter since passwords are already the weakest link in online security.

    It's not that type of password. You are already logged in to your banking site using username and password. Then you decide to send money to someone, and one of the ways of doing 2-factor authentication available to you is to have the bank send you a 1-time password by SMS, which you then type into the computer. The one-time password is bound to the specific transaction you were requesting, and the SMS contains some information about the transaction (like the destination account number and amount), so if the account number or amount is not what you wanted you know something is wrong.

    So unless the bad guys have malware on your phone AND on your pc, they can't steal your money.

    Of course, this is in Europe. In the US two-factor authentication means password+"what is your mother's maiden name". And no, this is not a random anti-American rant. Most US banks still do not have 2-factor authentication, while all that I know of in Europe do, in some form or another. Also, a security guy from a US bank I spoke to at a conference told me they don't do two factor authentication because users don't want to remember more passwords (thus proving he does not understand what 2-factor authentication is). Also, he said that when you want to do something "suspicious" like sending money to a new destination, they start to ask you security questions (like "what is your mother's maiden name").
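
The transaction-bound SMS code described in the comment above, as an added example that is not part of the original thread and not any bank's actual protocol. The HMAC construction, the `Bank` class, the field names, the constructed account strings and the SMS wording are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def details(tx):
    # Fixed field order and integer cents, so every party sees the same string.
    c = tx["amount_cents"]
    return f"{c // 100}.{c % 100:02d} EUR to {tx['dest']}"

def derive_otp(key, nonce, tx):
    # 6-digit code from an HMAC over a per-request nonce plus the transaction.
    mac = hmac.new(key, nonce + details(tx).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class Bank:
    """Toy server side (hypothetical design)."""
    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.pending = {}  # request id -> (nonce, transaction as received)

    def request_transfer(self, tx):
        req_id, nonce = secrets.token_hex(8), secrets.token_bytes(16)
        self.pending[req_id] = (nonce, dict(tx))
        otp = derive_otp(self.key, nonce, tx)
        # The SMS repeats what the bank received, so the user can compare.
        return req_id, f"Transfer {details(tx)}. Code: {otp}"

    def confirm(self, req_id, tx, otp):
        # pop() makes the code single-use, even after a failed attempt.
        entry = self.pending.pop(req_id, None)
        if entry is None:
            return False
        nonce, stored = entry
        expected = derive_otp(self.key, nonce, tx)
        return stored == tx and hmac.compare_digest(expected, otp)

def sms_matches_intent(sms, intended):
    # The human check: does the SMS describe the transfer I asked for?
    return sms.startswith(f"Transfer {details(intended)}. ")

def otp_from_sms(sms):
    return sms.rsplit("Code: ", 1)[1]
```

A code issued for one transfer fails for a modified transfer and on replay, and a transfer altered before it reaches the bank shows up as mismatched details in the SMS.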

  13. Re:None have come to fruition? by AltairDusk · · Score: 2

    All sarcasm aside, if GP is referring to the incident I'm thinking of, that was only because people never changed the root password after jailbreaking. More recently, with the iOS PDF exploit, tools to help users protect themselves were available to jailbroken users 3 days after it was widely known (release of Jailbreakme.com which used the exploit). "Jailed" devices had to wait for a fix from Apple which came 10 days after. This is still a good response time and should not be taken as a bash on Apple; it does illustrate that assuming jailbroken automatically means less secure is wrong.

  14. Yes it will. by goombah99 · · Score: 2

    But not for the reasons given. If you go to light in a box and browse all the android 2.1 pads for sale, all of them warn you not to attempt to re-install or change the OS. This warning is not given for some proprietary reason but simply because there is no assured path to a perfectly safe re-install of the android software and drivers.

    Thus there are going to be a gazillion android pads walking around that cannot be patched. It's a safe bet there are security holes to be discovered in this. Once that happens it's going to be like windows has been with the sea of mobile zombies.

    The iphones are different. You are constantly offered updates. (which brings up the problem with jailbreaking-- you can't update easily for fear of busting the jailbreak.)

    Now phones may be a different matter. If the phone companies are able to push updates it may be a lot safer.

    --
    Some drink at the fountain of knowledge. Others just gargle.