At this year’s RSA conference, Charles Lever, a researcher from Damballa delivered a talk in which he claimed that mobile malware in the U.S. has been overstated and overhyped. According to him, you have a greater chance of being hit by lightning than getting mobile malware. Lever explained that of the more than 150 million smartphones in the U.S. it tracked, only 9,688 had been exposed to malware.
The low rate of infections, he says, is due to the use and prevalence of the two biggest app stores, Google Play Store and Apple’s App Store, which send apps through a certain level of security checks before listing an app for downloading. However, if you venture outside these legitimate app stores, you’re inviting trouble.
Representatives from security services like Avast and Lookout disagree with Lever, claiming that the mobile world isn’t as safe as he makes it out to be. So, who is right and who is wrong, and how concerned should you be, as a user? We spoke with all parties to find out.
Still early days for mobile malware
The extent of mobile malware is still not widely understood. “This research shows that mobile malware in the U.S. is very much like Ebola,” Lever told the conference. “Harmful, but greatly over-exaggerated, and contained to a limited percentage of the population that are engaging in behavior that puts them at risk for infection.”
“As long as there are users and mobile users are growing every year, there always will be malware.”
An early April report from Verizon made some similar remarks, stating that while mobile malware is dangerous, it will not be the cause of a massive cybersecurity incident, like the one Sony suffered. “Data breaches involving mobile devices should not be in any top-whatever list,” the authors said.
There are other factors that affect the security of mobile devices beyond malware.
“Malware is only one part of the mobile security story. Many of these recent reports are only taking into consideration commodity malware, and not targeted attacks, which are arguably the most concerning threats,” says Aaron Cockerill, VP of Products at Lookout.
However, there are many who stress that mobile malware is a real concern that users should be aware of. Michal Salat, threat intelligence analyst at Avast, says that it’s important not to downplay mobile malware. “As long as there are users and mobile users are growing every year, there always will be malware,” he says. “It’s the same with PC, as PC grew and the amount applications grew, the amount of malware grew.”
Salat says he agrees that users should stick with using official app stores, because they are “fairly secure,” but there can still be malware found in these stores. The only way to ensure the store is 100-percent free of malware is to employ individuals who check each app that comes through, which is impractical, he says.
The numbers examined by Lever, says Salat, give a kind of narrow view. “It’s kind of a small point of view they are speaking about in the presentation, because they were only talking about the malware that communicates with the author in any way,” says Salat. “There is a significant amount of malware that never connects back to the author. The best example would be pay-per-click malware.”
Threats still appear in the app stores
In their own work, Salat and the team at Avast have come across a few notable examples of mobile malware rearing its ugly head in the Play Store. They discovered the card game app, Durak, a piece of adware that would eventually show a fake warning message, that if followed through on, would allow the adware to scoop up data from your smartphone. “By [Google’s] own metrics, it affected about five to 10 million users,” says Salat.
“We detected it over several different detections at a time. It was on the app store for quite a lot of time and infected a lot of people,” he says. This one example from Salat counters many of the figures presented by Lever in his presentation downplaying the dangers of mobile malware.
“I don’t want to question [Damballa’s] numbers, don’t get me wrong, they’re probably true, but they’re taken from a really small part of the market,” he adds.
“What I really don’t like about the report is the final statement that it’s way more probable that you will get hit by lightning than encounter malware,” Salat says, explaining that the weather figures represent your chances of being struck by lightning across your lifetime. “The percentage that says how possible you are to get infect [by malware] was taken over a year,” Salat explains, “so there is a huge difference.”
North America is not the danger zone
While U.S. users aren’t having as many problems, regions outside North America are becoming hotbeds of mobile malware, as threats have become more global, particularly in Eastern Europe and Asia.
“[Cyber criminals] are basically repurposing really common PC variants of financial services Trojans, like SpyEye and Zeus, and are repurposing and refactoring those to run on mobile devices,” says Gary Davis, chief consumer security evangelist at Intel Security.
According to Davis, there are many reasons why other regions have been more susceptible to attack, namely users in those areas tend to own phones running older operating systems. “I think that’s where a lot of attacks are originating,” Davis says.
China is another example of a fertile ground for malware. The Google Play Store isn’t supported in China, even though there are a high number of Android users in the country. Because the app stores aren’t as universal, the country has a higher number of malware infections compared to the United States.
Davis says that this year alone there will be some notable instances in how malware spreads on mobile. Intel Security predicts that ransomware, or malware that threatens users and asks them to pay money to fix their system, will be targeted more and more toward smartphones rather than PCs. “If you look at how malware writers are creating their wares, it seems to be that’s where they’re going next, and that makes us a little bit nervous,” he says. “Mobile writers in malware are going to start kitting their software, and this is something that goes on quite a bit on the PC side.”
He points out research from a colleague that claims roughly 80 percent of the malware they find is a derivative of something else.
“They’ll take something they can either buy or get through the dark Web and repurpose it and do what they’re going to do,” he says. “We expect that mobile malware writers are going to start kitting up their malware starting this year and make it available on the dark Web, either for free or for sale.”
How to stay safe
There are several tips mobile users can follow to keep their devices free of malware, and many of them are the same as protecting your desktop. Security experts recommend that you keep your operating system updated and install a good anti-virus software, but also, adding PIN protection to your phone in case it’s stolen is always a good idea, as is being extra cautious of public Wi-Fi connections.