Have we been mis-sold a mobile malware ‘epidemic’?

Just finished an interesting story from security firm Damballa on mobile malware.

Breaking ranks with most of the rest of the industry, the vendor suggests in its new report that the amount of mobile malware on US networks is actually pretty minimal, and that if most users stick to the official app stores they should steer pretty clear of danger.

Indeed, in its analysis of half of the mobile traffic in America, it found that only 0.0064% – or 9,688 devices out of 151 million – contacted a domain on the mobile blacklist.

This was even down on the 0.015% that did so in 2012.

Now the caveat is that this covers only the US, and only malicious network traffic rather than installs, but it’s still a pretty interesting piece of research.

It tends to fly in the face of the picture painted by many anti-malware companies, some of which are perhaps talking slightly disingenuously about a malware epidemic on Android.

There undoubtedly is an awful lot of malware designed for Android. But how much of it actually makes its way onto users’ devices, especially if those users stick to the first-party app stores?

I’ve a feeling that if you took China and Russia out of the equation, for example, the Android malware problem wouldn’t be even remotely as acute.

“I do not know when if ever mobile malware (as we see it on the PC) will become a problem on mobile devices. I really think the app stores can control distribution of ‘money-making’ malware,” Damballa CTO Brian Foster told me by email.

“The risks and threats around insecure cloud apps or insecure access to cloud apps are already here. The risk of losing your device and giving a 3rd party inappropriate access to your data is already here.”

It is those latter risks that IT managers would do well to get a handle on, says Foster.

Another part of the research worth mentioning is that only 1.3% of mobile hosts were not also present in the set of hosts seen in historical non-cellular traffic.

This means that mobile apps are using the same hosting infrastructure as desktop applications and, as such, IT security teams can apply the same network-based security controls to spot domains with poor reputation scores and so on.

F-Secure security advisor, Sean Sullivan, agreed that most Western netizens would be safe sticking to the authorised channels.

He admitted to me too via email that the mobile malware epidemic had been “overstated by *some* in the AV industry”.

However, he felt justified in sharing threat intelligence on new mobile malware, given that F-Secure’s customer base stretches far and wide globally.

“We don’t just sell mobile AV – we sell mobile security with multiple security features and sell/bundle it with our other services in our cross-platform ‘SAFE’ offering,” he explained. “When you buy our PC software, you also get Android software – it’s all part of the package.”

That’s completely understandable, and I think even if Vendor A doesn’t sell into markets where mobile threats are higher risk (like Asia, for example) it still has a responsibility to reveal major new discoveries.

However, unfortunately it doesn’t take much for responsible disclosure of threat intelligence to turn into FUD-y marketing hyperbole.


China’s mobile cyber crime underground…and me on the Beeb

I was on BBC Newsday, a World Service breakfast programme, on Wednesday talking about the Chinese mobile cyber crime underground story I wrote up for The Reg this week.

It’s based on a Trend Micro report, The Mobile Cybercriminal Underground Market in China, published this week by its Forward Looking Threat Research Team, which reveals once again the sophistication and commercialisation of the underground networks via which cyber criminals trade goods and services.

Although the report itself doesn’t throw up a huge amount of new data, it’s interesting to see evidence that such networks exist in China, selling common attack kits like premium service abusers, SMS Forwarder Trojans and spam.

Typically for broadcast journalism, we were kept strictly to 5 minutes of short, sharp soundbites by the BBC, which allowed for little meaningful discussion of the topic besides “What’s the Dark Web?”, “How do I get on it?” and “Who’s behind these attacks?”. I had a better chat with the researcher the night before.

That said, it’s an important topic to air publicly.

Although we didn’t cover this in as much detail as I’d have liked, the real message to listeners of the programme – which apparently has among the highest audience numbers on the planet – is to be more vigilant when downloading apps online and to make sure they install basic AV on their smartphones.

In China, where unregulated third party Android stores are the norm and mobile AV is rare, the cyber criminals have it made.

The only light I can see on the horizon in this part of the world is for the government to follow through with its planned regulation of the mobile app space. This would force the industry to self-regulate and clamp down on malicious apps, whether pre-loaded onto phones or uploaded to web stores.

The only problem is that any new regulations are also likely to restrict content deemed “offensive” to Beijing – in other words censorship by the back door.