Mobile Malware Exists To Steal Your Data - InformationWeek
Government // Mobile & Wireless
12:07 PM
Connect Directly

Mobile Malware Exists To Steal Your Data

It's not entirely clear how big the mobile malware problem is, but it is clear that data breaches are the main threat it poses.

Is mobile malware for real? This was the first question at my favorite panel discussion at last week's RSA Conference 2012 in San Francisco. It's a question that has to be asked because "mobile malware" has been a security bogeyman for years.

It's more real than it's ever been, mostly because of an inviting architecture in Google's Android and, as a result, mobile malware is overwhelmingly an Android phenomenon these days, aside from some legacy malware for dying platforms such as Symbian.

But the really interesting point on which all panelists agreed was that the threat model for Android malware is different from that of conventional PC malware and therefore catches some users by surprise.

Because the Windows PCs it attacks are so powerful and plentiful, Windows malware can do a lot. It sets up botnets. It is remotely updateable. It spreads itself. Users usually don't notice for a while, if ever.

[ Respected antivirus lab AV-Test compared 41 Android anti-malware products for detection capabilities. Here's what they found. ]

Android malware is different. It's on a relatively weak device with a (probably) relatively slow connection and the software is sandboxed to limit its capabilities. But there is one thing on the phone worth going after: Your data. The threat model for mobile malware is the monetization of your personal data.

You'll find this behavior in surprising places. Consider the Pandora scandal of last year where it turned out that the company had used third-party libraries in its app that transmitted "mass quantities" of personal data to advertising agencies in violation of the privacy policy.

Android's permissions-based model is ill-suited to this problem. Even putting aside the fact that few users read them or understand their implications, the permissions necessary for an app to violate your privacy are generally reasonable ones: transmit data on the Internet, perhaps access your contacts or even your e-mail. It's not hard to imagine apps to which you would grant such permissions.

There's no way users can properly investigate the hundreds of thousands of Android apps available (or the iOS ones for that matter, as they might also be violating privacy, knowingly or unknowingly). My preferred solution is to outsource that process to a whitelisting service. Too bad these don't exist yet. In the meantime, mobile users are left with no real defense beyond common sense.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends for 2018
As we enter a new year of technology planning, find out about the hot technologies organizations are using to advance their businesses and where the experts say IT is heading.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll