Mobile Malware Exists To Steal Your Data

Is mobile malware for real? This was the first question at my favorite panel discussion at last week's RSA Conference 2012 in San Francisco. It's a question that has to be asked because "mobile malware" has been a security bogeyman for years.

It's more real than it's ever been, mostly because of an inviting architecture in Google's Android and, as a result, mobile malware is overwhelmingly an Android phenomenon these days, aside from some legacy malware for dying platforms such as Symbian.

But the really interesting point on which all panelists agreed was that the threat model for Android malware is different from that of conventional PC malware and therefore catches some users by surprise.

Because the Windows PCs it attacks are so powerful and plentiful, Windows malware can do a lot. It sets up botnets. It is remotely updateable. It spreads itself. Users usually don't notice for a while, if ever.

[ Respected antivirus lab AV-Test compared 41 Android anti-malware products for detection capabilities. Here's what they found. ]

Android malware is different. It's on a relatively weak device with a (probably) relatively slow connection and the software is sandboxed to limit its capabilities. But there is one thing on the phone worth going after: Your data. The threat model for mobile malware is the monetization of your personal data.

You'll find this behavior in surprising places. Consider the Pandora scandal of last year where it turned out that the company had used third-party libraries in its app that transmitted "mass quantities" of personal data to advertising agencies in violation of the privacy policy.

Android's permissions-based model is ill-suited to this problem. Even putting aside the fact that few users read them or understand their implications, the permissions necessary for an app to violate your privacy are generally reasonable ones: transmit data on the Internet, perhaps access your contacts or even your e-mail. It's not hard to imagine apps to which you would grant such permissions.

There's no way users can properly investigate the hundreds of thousands of Android apps available (or the iOS ones for that matter, as they might also be violating privacy, knowingly or unknowingly). My preferred solution is to outsource that process to a whitelisting service. Too bad these don't exist yet. In the meantime, mobile users are left with no real defense beyond common sense.