Mobile Malware Exists To Steal Your Data - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Mobile & Wireless
News
3/6/2012
12:07 PM
Connect Directly
Twitter
Facebook
LinkedIn
RSS
E-Mail
50%
50%

Mobile Malware Exists To Steal Your Data

It's not entirely clear how big the mobile malware problem is, but it is clear that data breaches are the main threat it poses.

Is mobile malware for real? This was the first question at my favorite panel discussion at last week's RSA Conference 2012 in San Francisco. It's a question that has to be asked because "mobile malware" has been a security bogeyman for years.

It's more real than it's ever been, mostly because of an inviting architecture in Google's Android and, as a result, mobile malware is overwhelmingly an Android phenomenon these days, aside from some legacy malware for dying platforms such as Symbian.

But the really interesting point on which all panelists agreed was that the threat model for Android malware is different from that of conventional PC malware and therefore catches some users by surprise.

Because the Windows PCs it attacks are so powerful and plentiful, Windows malware can do a lot. It sets up botnets. It is remotely updateable. It spreads itself. Users usually don't notice for a while, if ever.

[ Respected antivirus lab AV-Test compared 41 Android anti-malware products for detection capabilities. Here's what they found. ]

Android malware is different. It's on a relatively weak device with a (probably) relatively slow connection and the software is sandboxed to limit its capabilities. But there is one thing on the phone worth going after: Your data. The threat model for mobile malware is the monetization of your personal data.

You'll find this behavior in surprising places. Consider the Pandora scandal of last year where it turned out that the company had used third-party libraries in its app that transmitted "mass quantities" of personal data to advertising agencies in violation of the privacy policy.

Android's permissions-based model is ill-suited to this problem. Even putting aside the fact that few users read them or understand their implications, the permissions necessary for an app to violate your privacy are generally reasonable ones: transmit data on the Internet, perhaps access your contacts or even your e-mail. It's not hard to imagine apps to which you would grant such permissions.

There's no way users can properly investigate the hundreds of thousands of Android apps available (or the iOS ones for that matter, as they might also be violating privacy, knowingly or unknowingly). My preferred solution is to outsource that process to a whitelisting service. Too bad these don't exist yet. In the meantime, mobile users are left with no real defense beyond common sense.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
Can Cloud Revolutionize Business and Software Architecture?
Joao-Pierre S. Ruth, Senior Writer,  1/15/2021
Slideshows
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
News
How CDOs Can Build Insight-Driven Organizations
Jessica Davis, Senior Editor, Enterprise Apps,  1/15/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Slideshows
Flash Poll