Smartphone security: Is mobile malware threat looming this year?

Experts at odds over timing of crooks' switch of focus from PCs to smartphones…

Experts at odds over timing of crooks' switch of focus from PCs to smartphones…

Cybercriminals are turning away from PCs to seek softer targets among smartphone users, according to a Cisco security report - with Apple's iOS and Google's Android platform flagged as "key targets."

But this view has been challenged by experts from the security industry, who say mobile malware remains niche for cybercriminals. When it comes to risk, Microsoft's Windows is still the meat that draws the zombies.

The Cisco 2010 Annual Security Report says the level of PC security is now so high - with built-in security features, "faster than ever" updates, patches and alerts warning users of potential flaws - that it is "becoming increasingly time-consuming and resource-intensive [for cybercriminals] to find ways to exploit platforms that once were so lucrative."

The report adds that smartphone vulnerabilities have reached "a significant 'tipping point'".

Mobile malware: Are smartphones at risk?

Mobile malware: Are cybercriminals turning their attention to smartphones?
(Photo credit: liewcf via under the following Creative Commons licence)

Far from being at a tipping point, mobile malware remains extremely rare, said Graham Cluley, senior technology consultant at Sophos, who described mobile threats as "a raindrop in a thunderstorm" when compared with the level of risk encountered by Windows PCs.

"We see over 90,000 new unique samples of malware every day and 99.999 per cent of that is for Windows. So if the PCs are secure, the bad guys are wasting an awful lot of their time," he told "People are still getting successfully infected on their Windows desktops and laptops - and for the foreseeable future that's where most attacks are going to happen."

Mikko Hypponen, chief research officer at F-Secure, said the security level of the PC is high, but only if you take a computer running Windows 7 or the latest version of Mac OS X. "However that's not what the world is running... The most common OS used by computers anywhere in the world right now is Windows XP."

More than half the world's PCs are still running Microsoft's 10-year-old operating system, according to Hypponen - which continues to keep cybercriminals occupied. "Yes, the attackers and the criminals go after the softest target. However, the softest target is not the mobile phone - it is these old computers, which are not only the softest target but also the biggest target."

"We find more new Windows XP PC viruses every single day than what we have found altogether on the phone side," he added. "The security level of Windows XP isn't very good at all."

So what is the present risk to smartphones from malware? Sophos' Cluley and Hypponen think it is relatively insignificant. Only a few hundred mobile phone viruses have been identified since the first smartphone worm emerged in 2004, a number Hypponen described as "really nothing."

The first iPhone worm surfaced in 2009 and its maliciousness was limited to changing the iPhone user's wallpaper to a picture of 1980s crooner Rick Astley.

Cluley and Hypponen conceded there is growing interest in writing smartphone malware - albeit more from hobbyist virus-writers than the fully fledged cybercrime fraternity. "The risk right now, right this moment... is very low," said Hypponen. "However, the potential for it is very high and it is very likely that sooner or later we will see a global outbreak of a mobile phone worm."

Once Windows 7 becomes the world's most common operating system - likely in a year or two - that may give some...

...malware writers pause for thought, Hypponen said. "Some of those will continue targeting Windows computers - Windows 7 is far from being foolproof but it is harder to target than Windows XP. But some of those criminals will realise there actually are more phones on this planet than computers and they are breakable as well. It's not trivial but it is doable."

"It would be a brave man who would bet against [smartphone malware becoming more of a threat]," added Cluley. "There's no doubt smartphones are entering everybody's lives and they are basically computers in your pocket, and more and more people are going to be doing their online shopping and online banking on them. And they are typically, at the moment, unprotected on those devices because it's perceived that there's a very small threat."

One reason cybercriminals may be persuaded to migrate from PCs to smartphones is that the effort required to cash in on their exploits is potentially much smaller when it comes to mobiles. All they need is to fashion a piece of malware that dials a premium-rate number, according to Hypponen - a type of exploit that can't be replicated on PC hardware.

It's that more straightforward path for monetising malware - along with the growing number of smartphone users - that will make mobiles a more attractive target for cybercriminals in future, he said.

For now, though, malware risks to smartphone users remain very small - mainly restricted to jailbroken iPhones or app downloads from non-official marketplaces, said Sophos' Cluley. "If the apps aren't properly vetted... there is a risk," he said. However, a much bigger risk is users not encrypting their handset with a PIN - leaving corporate data at risk from prying eyes should a handset be lost or stolen.

So far, smartphone software holes have also had a tendency to hang around unpatched for longer than desktop flaws, giving cybercriminals a potential opportunity to exploit buggy software, Cluley added. "Apple has much more control over iPhone operating system updates than Google does with Android. The OS is sort of brewed for a particular device, so many users can be waiting ages for their service providers to roll out an Android operating system update," he said.

"For me, I think the threat is going to come on Android first... That, potentially, is more likely to be the early battleground than the iPhone because of these sorts of issues. But the iPhone is undoubtedly attractive because it is so immensely popular."

Cluley also believes phishing attacks could become a significant problem on smartphones, as it's not easy to view an entire URL on a handset, or hover over a link to see where it goes before clicking. "Many of the attacks we see happening on social networks may be particularly successful on mobile devices," he predicted.

The Love Bug: There are fewer viruses and more Trojans these days, according to Sophos

There are fewer large-scale viruses such as the Love Bug - today's malware is more about Trojans, according to Sophos
(Photo credit: faceymcface1 via under the following Creative Commons licence)

Worms that spread via MMS and SMS do already exist - typically incorporating a link to a web page that a user has to click on and which then prompts them to download a file that installs the malicious program on their device. The worm then sends the malicious text or picture message to every contact in the phone's address book, or even random phone numbers, in an effort to propagate itself.

Text message worms have largely replaced another mobile threat - Bluetooth worms, such as 2005's CommWarrior - according to F-Secure's Hypponen. "We've mostly got rid of Bluetooth viruses and worms because the Bluetooth protocol was changed [as a result] of this problem a couple of years ago and it's not trivial to write them anymore," he said.

Hypponen believes it is only a matter of time before a smartphone worm outbreak goes global. "This could have happened already many times over but it hasn't. Eventually it will - and that could happen tomorrow, it could happen next year. It's impossible to forecast but sooner or later it will happen," he said. "All the attacks we've seen so far are still pretty basic - it's still pretty early days in the world of mobile phone malware.

"The technology exists; nobody has had the motive or the interest to do it. The large-scale problems are only going to start happening when the criminals move in and that's going to happen only after the easiest targets go away - basically Windows XP."

Such an outbreak will change how people view smartphones, in his opinion - switching them on to the risks and making them handle handsets like they do PCs. "Eventually, we will all be running mobile phone antiviruses on our mobile phones, just like we run antiviruses on our computers today," he added.

Sophos' Cluley has a slightly different view - he believes the era of big-bang viruses such as the Love Bug has waned. More subtle malware is now seeking to have its wicked way with IT users. And smartphone owners shouldn't expect to be immune forever.

"We don't really see as many viruses and worms written as we used to - it's not really the way malware works so much these days. It's all about Trojans, which try not to hit a large number of people at once because that actually draws attention to them," he said.

"I think it is inevitable that we will continue to see malware on smartphones and there will be more of it and it will become more malicious in its nature. Whether we will ever see something like the Love Bug from 10 years ago and Anna Kournikova and things like that, we'll have to see."