SANS study: One in five mobile devices running malware

A SANS survey has sobering numbers on mobile malware infections, suggesting they may be more common than we think

Ask a painful question, get a painful answer: That was the lesson the SANS Institute's Internet Storm Center (ISC) learned recently when it surveyed its membership on the subject of malicious programs that target mobile devices like iPhones and BlackBerrys.

In a running poll that has, so far, netted 540 respondents, SANS researchers found that 85 percent were not scanning their mobile devices for malicious programs. Of the 15 percent who were, 18 percent found mobile malware running on their devices. That's higher than the overall infection rate for PCs in North America, which Microsoft (in this case, the best arbiter of such questions) pegs at between 7 and 10 percent of all Windows systems in the United States and Canada. In fact, 18 percent is close to the infection rate for XP SP1 systems. "As secure as XP SP1" isn't the kind of security you want.

Extrapolate that number and, as SANS points out, as many as 83 of the 457 participants who weren't scanning their mobile devices could be missing an active malware infection. Look at the number of smartphones in use globally and the infection numbers get even scarier, but also more hypothetical -- after all, the mobile universe isn't a monoculture like the PC world. There are endless variations of Symbian, Windows Mobile and Palm, as well as BlackBerry, iPhone, Android and the like. Not all are equally valuable or attractive to attackers. It's also not clear what kinds of malware turned up on the self-reported scans and whether false positives might be in the mix.

The conventional wisdom is that mobile malware isn't a big concern so much as a gushing font of vendor FUD and scare tactics. The enterprises I talk to are far more concerned about the data on mobile devices that might get lost or stolen than they are about mobile devices as a malware bridge to their enterprise networks.

Anecdotally, anti-malware vendors tell me that mobile malware is still a tiny sliver of a fat malware pie -- but it's also a growth area with new instances of mobile malware coming online at an alarming rate. We've also written about some of the big security loopholes that scammers and malware authors are getting hip to -- notably the loosely policed application marketplaces for platforms like iPhone and, especially, Android.

Despite all that, if we're to believe that 85 percent of mobile phone users don't scan for malware, then there's clearly some waking up that will need to take place. The SANS report may be one alarm bell. Also look to this year's Black Hat and Defcon events to raise the heat under the mobile malware pot.

This article, "SANS study: One in five mobile devices running malware," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.