Defusing mobile malware's time bomb
commentary It seems like every man and his dog has a smartphone, a tablet or both, but surely that means it's just a matter of time before malware for these devices becomes a huge problem. The question is: is enough being done on the mobile side to provide adequate protection?
(French test image by James Vaughan, CC BY-SA 2.0)
Sophos' Security Threat Report 2012 worries that mobile malware threats are growing. McAfee last year stated in a threat report (PDF) that during a one-year period beginning in the second quarter of 2010, the total amount of malware targeted at Android devices jumped 76 per cent. BitDefender's E-Threats Landscape Report (PDF) also stated that threats targeting Android devices would "exponentially grow". It's clear that everyone thinks there is a storm brewing, but is anyone taking notice?
Security vendors certainly see a market, and it's in their interests to push this agenda, but it doesn't necessarily mean they aren't right. However, tools and technology are only one part of the equation when it comes to good security.
Good security is built on a foundation of two things. The tools and technology (your antivirus, anti-malware, tokens, passwords, etc), and education — knowing how to use the technology, why it's important, what sort of passwords to pick, how to identify scams.
We have the technology. While it's questionable as to whether it's little more than a promotion for a (in some cases an already free) product, all of Australia's mobile carriers have partnered with a security vendor to provide users with mobile security products. But what about education?
There is little information about the existence of mobile threats, what users might look out for, or even that they need to be concerned. Customers aren't aware that their mobile devices can fall victim to malware, or worse, fall into the false mindset that no one makes viruses for phones. We've seen that head-in-the-sand approach with Apple Macs before, debunked with the existence of MacDefender and the ease at which hackers can create OS X versions of trojans.
However, none of this really matters because mobile carriers shouldn't be responsible for educating customers, should they? Shouldn't that be a job for SCAMwatch or Stay Smart Online? The fact of the matter is that Telstra and Optus are responsible.
They made it their responsibility when they agreed with the intent of the Internet Industry Association's iCode (PDF). Vodafone is not listed as a participant, but that doesn't mean it can't take on some responsibility for what is an industry-wide problem.
The iCode "recognises that both internet service providers (ISPs) and consumers can and must share responsibility for minimising risks inherent in using the internet". That may initially read as though it might only apply to desktop computers, but the code clarifies that it also applies to mobile carriers.
"The code has been written in such a way as to provide guidance to either ISPs or mobile network providers who may wish to use the code to address the risks associated with these services being attacked in the future."
It explicitly recommends that "each new customer be provided with information, or links to information, which provides them with simple steps they can take to better protect themselves online".
The educational steps that the iCode recommends aren't revolutionary, and some might question if they are even effective, but the fact that they are simple to implement — in the form of posting information on a website or providing information at the time of sale — shows how unprepared the industry is or how little consideration mobile security has attracted.
The iCode itself, which is due for review mid-2012, while acknowledging that mobile devices will be a future issue, is still written with fixed PCs in mind, continually referring to networked devices as computers. Its recommendation to contact customers directly may also need to take into account that if a customer only provides a mobile device as their means of contact, they can potentially be left unaware to warnings due to the ability of malware selectively blocking calls, SMSes or emails. While the iCode is still somewhat relevant, the need to review these areas highlights how fast technology can move and the importance to get ahead as far as possible.
And now is our chance. Telstra and Optus have both reported that there are few mobile threats that are occurring, but have admitted that there are instances of it. Security researchers have begun to see these threats in the wild and are predicting a massive explosion in their proliferation. This represents a one-time opportunity to strike while the iron is hot and defuse a problem before it grows into something unmanageable.
If it's only a matter of time before this becomes a huge problem, then we're sitting on a ticking time bomb. And why should we wait until it explodes?