Government // Mobile & Wireless
News
3/6/2012
12:07 PM
Connect Directly
Twitter
Facebook
Google+
LinkedIn
RSS
E-Mail
50%
50%

Mobile Malware Exists To Steal Your Data

It's not entirely clear how big the mobile malware problem is, but it is clear that data breaches are the main threat it poses.

Is mobile malware for real? This was the first question at my favorite panel discussion at last week's RSA Conference 2012 in San Francisco. It's a question that has to be asked because "mobile malware" has been a security bogeyman for years.

It's more real than it's ever been, mostly because of an inviting architecture in Google's Android and, as a result, mobile malware is overwhelmingly an Android phenomenon these days, aside from some legacy malware for dying platforms such as Symbian.

But the really interesting point on which all panelists agreed was that the threat model for Android malware is different from that of conventional PC malware and therefore catches some users by surprise.

Because the Windows PCs it attacks are so powerful and plentiful, Windows malware can do a lot. It sets up botnets. It is remotely updateable. It spreads itself. Users usually don't notice for a while, if ever.

[ Respected antivirus lab AV-Test compared 41 Android anti-malware products for detection capabilities. Here's what they found. ]

Android malware is different. It's on a relatively weak device with a (probably) relatively slow connection and the software is sandboxed to limit its capabilities. But there is one thing on the phone worth going after: Your data. The threat model for mobile malware is the monetization of your personal data.

You'll find this behavior in surprising places. Consider the Pandora scandal of last year where it turned out that the company had used third-party libraries in its app that transmitted "mass quantities" of personal data to advertising agencies in violation of the privacy policy.

Android's permissions-based model is ill-suited to this problem. Even putting aside the fact that few users read them or understand their implications, the permissions necessary for an app to violate your privacy are generally reasonable ones: transmit data on the Internet, perhaps access your contacts or even your e-mail. It's not hard to imagine apps to which you would grant such permissions.

There's no way users can properly investigate the hundreds of thousands of Android apps available (or the iOS ones for that matter, as they might also be violating privacy, knowingly or unknowingly). My preferred solution is to outsource that process to a whitelisting service. Too bad these don't exist yet. In the meantime, mobile users are left with no real defense beyond common sense.

Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.