Ask a painful question, get a painful answer: That was the lesson the SANS Institute's Internet Storm Center (ISC) learned recently when it surveyed its membership on the subject of malicious programs that target mobile devices like iPhones and BlackBerrys.
In a running poll that has, so far, netted 540 respondents, SANS researchers found that 85 percent were not scanning their mobile devices for malicious programs. Of the 15 percent who were, 18 percent found mobile malware running on their devices. That's higher than the overall infection rate for PCs in North America, which Microsoft (in this case, the best arbiter of such questions) pegs at between 7 and 10 percent of all Windows systems in the United States and Canada. In fact, 18 percent is close to the infection rate for XP SP1 systems. "As secure as XP SP1" isn't the kind of security you want.
Extrapolate that number and it suggests that, as SANS points out, as many as 83 of the 457 participants who weren't scanning their mobile devices could be missing an active malware infection. Look at the number of smartphones in use globally and the infection numbers get even scarier, but also more hypothetical -- after all, the mobile universe isn't a monoculture like the PC world. There are endless variations of Symbian, Windows Mobile and Palm, as well as BlackBerry, iPhone, Android and the like. Not all are equally valuable or attractive to attackers. It's also not clear what kinds of malware turned up in the self-reported scans or whether false positives might be in the mix.