Will 2011 be the year of mobile malware?

While the expert predictions may have yet to fully come true, vendors are preparing for the worst

Perhaps one of the most common predictions of the last six years has been that mobile malicious software will suddenly proliferate, driven by widespread adoption of smartphones with advanced OSes.

None of those prognostications have really come to fruition, but it's likely that the coming year will bring a host of new malicious applications. Users -- while generally aware of threats aimed at their desktop computers and laptops -- have a good chance of being caught flat-footed with their mobile phones.


In the third quarter of this year, up to 80 million smartphones were sold around the world, which accounted for about 20 percent of the total number of mobile phones sold, according to statistics published last month by analyst firm Gartner. Smartphones are Internet-capable and therefore more vulnerable to attack than other mobile devices.

The threats against those devices are going to come in several categories:

Rogue applications

Marketplaces for mobile applications are becoming increasingly popular for platforms ranging from Apple's iOS and Google's Android to Microsoft's Windows Phone 7 and Symbian. Apple maintains tight control over its App Store, which has helped reduce the number of rogue applications on offer. But bad applications for other platforms have popped up.

In September, researchers from security vendor Fortinet discovered a mobile component for Zeus, a notorious piece of banking malware that steals account credentials. The mobile component, which targeted Symbian Series 60 devices or BlackBerrys, intercepted one-time passcodes used to verify transactions.

The mobile app carried a legitimate signing certificate, which allowed it to be downloaded and installed on devices. The development was particularly disconcerting as many banks are looking at using mobile phones to send one-time passcodes by SMS (Short Message Service) rather than issuing separate devices that can generate the code.

There's little defense from sneaky rogue applications, but users should be generally careful about downloading programs, particularly for platforms where those applications may not be vetted so closely.

Traditional malware

While desktop OSes like Windows are plagued by malware, there have been far fewer malicious programs aimed at mobile devices as of yet. But researchers have seen applications like rogue dialers, which will send SMSes to premium-rate numbers owned by the fraudsters. Other threats include worms spread by communication protocols like Bluetooth.

With the increase in use of tablet computers that run mobile operating systems, those devices will also be subject to the same threats. "We do believe that is going to arrive in the next 12 months," said Bradley Anstis, vice president of technical strategy for security vendor M86. Malicious hackers are "lazy people, they will always go after the low-hanging fruit."

Privacy and data collection issues

Mobile applications can also have other privacy-related risks, such as collecting, transmitting, or storing data. Advertising networks and mobile application developers are often highly interested in metrics around how and where people are using their applications. Data may include information identifying a specific device, with users unaware they are being tracked. Apple, however, allows application developers to collect location information, but only as long as users are notified.

Social engineering

Just like on desktops and laptops, fraud doesn't have to involve a technical trick. Phishing -- the practice of using a fake website to trick users into revealing sensitive information -- is as much of a threat on mobile devices, or more. People often trust their mobile device more than their computer and are therefore more vulnerable to phishing.

If a person is on a corporate network, phishing sites are usually blocked, Anstis said. But if someone is using a work mobile device over 3G, that connection is not going through a corporate gateway but the operator's network, which may not block those harmful sites. M86 has been developing a browser-based system that would send URLs to its data center for analysis and block malicious ones, Anstis said.

Other companies are also seeing opportunities for new services around mobile devices. Juniper Networks, for example, acquired SMobile Systems in July for $70 million. SMobile has a laboratory in Columbus, Ohio, that focuses on studying mobile malware, said Amir Khan, business development manager for the U.K. and Ireland.

"The reason we set that up is because we realize the threats in the mobile space are very specific," Khan said. "It's not just that desktop threats have migrated to the mobile world."


Copyright © 2010 IDG Communications, Inc.
