Mobile Malware Exists To Steal Your Data - InformationWeek
Government // Mobile & Wireless
12:07 PM
Connect Directly

Mobile Malware Exists To Steal Your Data

It's not entirely clear how big the mobile malware problem is, but it is clear that data breaches are the main threat it poses.

Is mobile malware for real? This was the first question at my favorite panel discussion at last week's RSA Conference 2012 in San Francisco. It's a question that has to be asked because "mobile malware" has been a security bogeyman for years.

It's more real than it's ever been, mostly because of an inviting architecture in Google's Android and, as a result, mobile malware is overwhelmingly an Android phenomenon these days, aside from some legacy malware for dying platforms such as Symbian.

But the really interesting point on which all panelists agreed was that the threat model for Android malware is different from that of conventional PC malware and therefore catches some users by surprise.

Because the Windows PCs it attacks are so powerful and plentiful, Windows malware can do a lot. It sets up botnets. It is remotely updateable. It spreads itself. Users usually don't notice for a while, if ever.

[ Respected antivirus lab AV-Test compared 41 Android anti-malware products for detection capabilities. Here's what they found. ]

Android malware is different. It's on a relatively weak device with a (probably) relatively slow connection and the software is sandboxed to limit its capabilities. But there is one thing on the phone worth going after: Your data. The threat model for mobile malware is the monetization of your personal data.

You'll find this behavior in surprising places. Consider the Pandora scandal of last year where it turned out that the company had used third-party libraries in its app that transmitted "mass quantities" of personal data to advertising agencies in violation of the privacy policy.

Android's permissions-based model is ill-suited to this problem. Even putting aside the fact that few users read them or understand their implications, the permissions necessary for an app to violate your privacy are generally reasonable ones: transmit data on the Internet, perhaps access your contacts or even your e-mail. It's not hard to imagine apps to which you would grant such permissions.

There's no way users can properly investigate the hundreds of thousands of Android apps available (or the iOS ones for that matter, as they might also be violating privacy, knowingly or unknowingly). My preferred solution is to outsource that process to a whitelisting service. Too bad these don't exist yet. In the meantime, mobile users are left with no real defense beyond common sense.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll