Windows XP, released in 2001, is still widely used, but Microsoft will stop issuing security updates for it after April 2014. At that point, Microsoft will continue to issue security updates for Windows 7 and Windows 8, and after each one is issued the malware writers will reverse-engineer it to identify the vulnerability that it addresses, Rains predicts.
"They will then test XP to see if the vulnerability exists there, and if it does they will write exploit code to take advantage of it," Rains says. "Since XP will never get another update, the malware writers will be in a zero-day-forever scenario. If they can run remote code of their choice on those systems it will be really hard for anti-virus protection to be effective. The situation will get worse and worse and eventually you will not be able trust the operating system for XP."
"People should not be running XP," agrees Schouwenberg. "When it was written the malware problem was very different than it is today. It had no mitigation strategies and is extremely vulnerable."
Experts see many parallels between Android's development and the early history of the Windows market, with hardware vendors adapting a third-party operating system for their products, leaving no single party ensuring security. And with the Android market, the additional involvement of telecommunications carriers is a complicating factor.
"It is not like the case with Apple, which can push security updates to every iPhone in the world in one day," says Schouwenberg. "With Android, the manufacturer has to implement the patches and then go through certification with the carrier before the patches are deployed. Assuming your phone still gets security updates it may be months before you get them. That would not be considered acceptable with a laptop."
"Android is in a position that Windows was in a few years ago; there is not enough protection," adds Johannes Ullrich, head of research at the SANS Technology Institute, which certifies computer security professionals.
Is there hope?
Returning to the ecology metaphor, sometimes the impact of an asteroid will drive species into extinction. And, indeed, sources can point to extinction types of events in the short history of the malware biosphere.
Thompson, for instance, points out that the adoption of Windows 95 drove MS-DOS malware into extinction by adding protected mode, so one program could not overwrite another at will. Microsoft Office 2000 drove into extinction (PDF) malware based on Office 1995 macros by adding a feature that basically required user permission before a macro could run. Windows XP Service Pack 2 in 2004 set the Windows firewall on by default, wiping out another generation of malware.
"But there is no extinction-level-event in sight to wipe out the current Trojans," Thompson says.
Even if there were such a miracle, attackers could fall back on persuasive email, officious phone calls, smiling faces or other non-technical manipulations usually referred to as "social engineering."
"The success rate for social engineering is phenomenal," says John Strand, network penetration tester with Black Hills Information Security in Sturgis, SD.