If You Use It, Mobile Malware Will Come

IT people who try to secure mobile devices in a big company face three big conceptual problems.

First, many, if not most, of the smartphones and tablets are from Apple. Both veteran and rookie users tend to believe Apple devices aren’t vulnerable to malware and hacks, so users don’t need to take any precautions.

Second, even non-Mac users tend to think security is already built in to their smartphones or tablets, so they also resist efforts to install anti-virus, firewall or other additional security on what are often their own systems.

Third, the fastest-growing malware segment targets Adobe applications rather than the traditional browser or operating system, doing an end-around the expectations of both users and many IT security people, according to analysts at the security firms McAfee and Commtouch.

The sense of security that Apple users have comes from the Mac. Mac users have been trained to feel safe because Apple averages 6 percent to 8 percent client OS market share, which has encouraged malware writers and bot-net builders to aim at Windows machines instead, according to Alex Stamos, a security analyst at iSec Partners.

Android Takes the Malware Lead

The August edition of security firm McAfee Labs’s quarterly threat report (PDF) found that the number of malware threats rose faster during the first six months of this year than ever — 22 percent faster than last year, which held the previous record.

Among mobile devices, malware aimed at Google’s Android OS increased in number 76 percent compared to the year before, taking the lead from Symbian, previously the most-threatened smartphone operating system. Still, though it leads smartphone OSes in the number of malware threats, McAfee found only 44 specifically aimed at Android. But given there are 425,000 iOS apps on the market compared to about 200,000 for Android, the difference in availability of malware is remarkable.

And it is causing some damage. During the first half of 2011 about half a million Android users were infected with some form of malware; the number of infected Android apps skyrocketed from 80 in January to more than 400 by June, the Lookout report found.

By the end of 2012, 5 percent of all Android and iOS phones or tablets will have been infected at least once by viruses or trojans most likely versions designed to steal information about users’ bank accounts, not just prove it’s possible to infect an iPhone, according to a report from security vendor Trusteer and its CEO Mickey Boodaei.

The fantastically successful Zeus malware kit, which is designed to steal banking information, has been found running effectively on every major phone OS except iOS, according to Sophos virus research Vanja Svajcer.

iOS Faces Far Fewer Threats

So far, however, McAfee has found not one single credible threat from trojans, viruses or rootkits designed for iPhones, iPads or anything else running Apple’s iOS.

Rival security firm Commtouch did find one iPhone virus hosted on a malicious Web site to which users were directed by spam emails that claimed to offer photos of the”iPhone 5G S.” Instead it downloaded a trojan called iphones5.gif.exe.

Part of the reason iOS malware is so rare is that it’s easier to develop for the open-source-modeled Android than the closed and proscribed requirements of iOS, the report found.

Unlike desktop and laptop machines, which are usually infected by malicious attachments in email or visits to poisoned web sites, the most common infection point for smartphones is an app poisoned by hackers and downloaded by users who assume it is clean, according to a July report from Lookout Mobile Security.

That explains why Android devices are more vulnerable than iOS. It’s easier to distribute malicious software through the comparatively uncontrolled Android apps market place as compared to Apple’s iTunes App Store because Apple spends more time vetting the apps, Stamos said. So far the most common infection method is poisoned versions of legitimate apps that appear in an Android App Store.

None of the commonly available malware or hacking toolkits include canned exploits or virus frameworks designed for the Mac, so “script kids” without extensive programming skills of their own have a much harder time attacking iPhone than Windows, he said.

Aside from Apple’s efforts to filter malware out of iOS distribution points, the operating system also has a more effective sandbox in which to run third-party applications even than Mac OS X Lion server. All third party apps get access to the same data, but are controlled more closely and have to ask the OS for information such as location data rather than retrieving it themselves, according to the Lookout report.

The almost non-existence of malware for iOS doesn’t mean there are no threats, especially those hidden on malicious web sites that could attack using Java, HTML5 or other code that iPhones support, but which are not exclusive to iOS.

The major risk to iOS devices is jailbreaking them, which enables them to run apps other than those from Apple’s iTunes App Store, thus opening the device to more threats. So far, however, even jailbroken iPhones have not been found to be infected, Stamos said, but that won’t last long.

Closing the Open Book

All handhelds are vulnerable to total data loss if they’re left behind in airports or coffee shops, according to IDC research analyst Ian Song. That’s because few handheld users encrypt all their data or require a password to access them every time the screen goes dark, so any lost smartphone is, essentially, an open book.

The best option for that problem is to use only smartphones whose storage can be wiped clean or reformatted remotely, whether by administrators or by the user. Apple, for example, provides wipe and lock services for customers who lose their iPhones.

“Otherwise there’s nothing you can do but call it and maybe someone will mail it back to you,” Song said.

Don’t Rest Easy

Still, hackers have a wide range of doors through which they can slip with smartphones, analysts said — via Bluetooth, Wi-Fi and 3G connections if they can crack the encryption; even SMS messaging.

Aside from embedding malware that can corrupt the phone while it’s running, it’s possible to intercept or spoof data signals, especially SMS traffic, which can be used to infect and control an Android phone.

The upshot, for both Android and iOS users?

“A phone is a computer, and it needs the same kind of security as a computer — firewalls, antivirus, backup,” Song said. “If you don’t treat it as a potential risk, eventually it’s going to bite you.”