Thoughts on Malware for Mobile Devices - Part 2

Published: 2010-07-12. Last Updated: 2010-07-12 18:44:43 UTC
by Chris Carboni (Version: 1)
11 comment(s)

In last month's diary I asked two main questions.

How would I really know if there was malware on my smart phone?

How do we really know that mobile malware is not widespread right now?

So a poll was created asking for your experiences.

One reader commented asking what the definition of "malware" was.  Given that most of the readers of this diary are sufficiently knowledgeable about security to dismiss tracking cookies and other such things, I have to believe that only true malware is being reported.

I hope you reported the cookies.

The results and some preliminary analysis follows:

DISCLAIMER:  This is not a scientific poll, I am not a statistician and this should in no way be construed as an effort to spread FUD.

Of 540 respondents to date (the six respondents listing other have been removed as their methods and results were not described)

83 of 540 (15.3%) of respondents were scanning for malware.

15 of 83 (18.1%) who were looking for malware on their mobile device found it.

457 of 540 (84.6%) were not scanning their devices.

Now, 540 responses is not a particularly large sample, but I have been monitoring the statistics as responses are entered and the percentage of people reporting they found malware consistently ranged from 15-20% so 18.1% seems to be a reasonable number.  Likewise the percentage of people who were not scanning ranged consistently from 82-86%

Based on those numbers, 83 of the 457 people who responded who were not looking for malware would be infected.  Ouch.

How many mobile devices are out there right now?

How many in your office building?  How many in your city, your state, your country?

How many in the world?

Let's say these numbers are double what would be seen in the population at large.

Even so, if 9% of all the smart phones were infected with malware (especially if we didn't know it), that would be cause (IMHO) for alarm.

I couldn't find any good numbers on existing smart phones but according to this ZD Net Article Credit Suisse projected that total smartphone sales for 2009 will end up at around 176 million units. In the years ahead, Credit Suisse expects the smartphone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in  2009 will be about 1.2 billion and worldwide unit sales of all PCs in 2009 will be about 300 million.

Let's say the Credit Suisse was way, way off and we'll say there are only 100 Million smart phones in the world today.

And we'll say that even the 9% above was way off and it's half that, which would be only 25% of what the poll you responded to said.

4.5 Million infected devices.

1.5 Billion Units?  I don't even want to think about it.

Do the math.  Plug in your own numbers. Check your smart phones.

So my delayed, and corrected answer to the gentlemen at SANSFire who asked "Will this year be the year that malware on mobile devices becomes a problem?" is:

 

I think it is.  We just don't know it.

 

UPDATE:

Mikel wrote in:

Will you be following up with a site you can point your mobile app to that can scan it online?

I know my handy phone has started using it's entire battery life in under 12 hours - ever since I downloaded a ring tone.  So I'm really worried.

By the way, how do you look and see what's running on a mobile app?  I don't see any cmdline prompt.

Any recommendations for mobile AV?

 

Thanks Mikel


I don't know of any site that you can point your mobile device to and have it be scanned online. and I would think that data charges for that would be prohibitive unless you had a truly "unlimited" data plan.

As for recommendations, it's no secret I'm not a fan of signature based AV.  However, this is a case where something is better than nothing.

A defense in depth approach would be to use a different vendor on your smart phone than you use for your PC AV and then if possible, scan your device either on insertion to your PC or manually.

I'm not sure what OS is on your device, but if it's Windows Mobile, task manager is there.

 

 

 

Christopher Carboni - Handler On Duty

http://twitter.com/ccarboni

Keywords:
11 comment(s)

Comments

I think there is a huge potential for a massive DDoS from mobile malware. I think it's just an untapped resource. Imagine someone controlling even one carrier's entire mobile device inventory. Yikes.
Having said that, I think we know what the first targeted device would likely be for something like that. Luckily it's apps are controlled by a community store.
This won't be so lucky, google just released a app builder for Android. There anouncement stated this "a WYSIWYG Android app builder will push Android's numbers past Apple's App Store, and put app development in consumers' hands"
We have some years untill mayor mobile malware gets spread. I'd say two or three.
I have an Android phone and I use Antivirus free from droidSecurity Inc.

http://www.droidsecurity.com/

It seems to do a nice job and I haven't run into any malware yet that it has detected. But it did flag a couple programs as suspicious and alerted me of some misconfigurations. However, I was the one who installed the software and made the "misconfigurations" as I have a rooted phone using the wifi tether and allowed unknown sources for software install. But that was ok.

Quote from site:

"antivirus Inspects and cleans Android smartphone from malware,viruses, SMS spam and suspect applications to secure device integrity.

antivirus alerts users to suspicious new applications or possible mis-configurations ensure phone operability."
Infoworld must not have noticed your disclaimer. ;-)

http://www.infoworld.com/t/malware/sans-study-one-in-five-mobile-devices-running-malware-997
I have a Blackberry and Android and am using "Lookout" - free A/V F/W IPS solution for mobile devices

https://www.mylookout.com/

Very configurable and has detected several malware samples and BT attacks we've run against it.

Thank you for identifying, and confirming (?) the problem that I / we suspected was there.
While malware for portable devices is a risk, so is connecting to 'unknown' websites to download "anti-malware" solutions to look for bad code.

I have no point of reference of sources for anti-malware tools for PDA's. If my wife / mother asked me where to go to scan a PDA for malware, I wouldn't know where to go. I teach security / audit / compliance at the college level, but what should I tell the students? I can agree that this is a risk, but I don't have current information that would provide a solution.

I can't go an identify a problem to a customer / client if I don't have some kind of solution in mind.
Has anyone done any research on viable resources for anti-malware resources where the integrity can be vouched for by known trusted 3rd parties? I would be looking for commercial as well as open source resources.
That is as important to offer as is identifying the original problem.
I know that ESET has a free trial. http://www.eset.com/home/mobile-antivirus
Works on Windows Mobile, Symbian, etc.

(By the way, I have no connection with ESET other than that I use their products and pay for them.) I have protected computers with ESET for about 5 years now, and ESET removed viruses after they had chewed up and Spit Out Norton. ESET has also worked VERY WELL on specialized computers that I have built for people who have disabilities and run specialized software and have specific hardware config's. I have been VERY PLEASED with ESET's products because they are light on RAM, work in the background/quietly, and thus far have helped me clean up many a computer with multiple major infections (because these computers either had no AV or inferior AV at the time of infection). ESET won't mess with hardware config's, and it's worked VERY well for everyone who has used it per my recommendation.

I arrived at this post because I am trying to decide if I want to put AV on the smartphone I hope to get soon (Nokia E71).

Cheers! and Happy Holidays!
Well a six-year-old post and it still possesses relevance

Diary Archives