Mobile device malware growing, but smartphone threats still small

For several years running, security researchers have predicted that mobile malware will be the next big thing, but how concerned should organisations really be?

Most security firms are predicting a rise in malware targeted at smartphones in 2011, but most also agree that the volume of mobile device malware will remain relatively small.

The huge increase in the use of smartphones makes the devices an obvious target for criminals, but, so far at least, one vendor's findings suggest attacks against mobile phones are still small-scale compared to those against Windows PCs.

According to Dublin-based AdaptiveMobile Ltd., which provides security software to telecommunications companies, the number of attacks on smartphones rose by 33% in 2010, and exploits on Android-based phones quadrupled.

Cathal McDaid, a security consultant at the company, declined to disclose the number of smartphone malware incidents his firm tracked this year, but said: "Numbers of exploits are still small, but we see 2011 as a really pivotal year in the mobile security area, because the market is getting bigger, phones are becoming more sophisticated, and we are starting to see devices used as mobile wallets."

Once users begin carrying out financial transactions from their smartphones, he said, the criminals will be even more attracted to the platforms. The current smartphone viruses put mobile subscribers at risk of monetary, privacy or data loss, he said, often before the user realises there is a problem.

According to AdaptiveMobile, smartphones running Java-based applications saw a 45% increase in malware in 2010. Exploits aimed at the iPhone declined, whilst new malware targeting the Symbian OS also fell by 11%. WinCE-based viruses rose by 7%.

However, Luis Corrons, technical director of Panda Security SL, warned that smartphone threats should not be exaggerated. "Security companies have been forecasting the year of mobile malware for several years," Corrons said, "and it has never happened -- so far."

"Mobile malware will not take off in 2011. It will increase a lot, and the Android could be a serious target for criminals, but we are still talking very small numbers."

He said that while the Windows PC offers criminals a huge target, the smartphone market is still quite fragmented, with different devices, operating systems and ways of deploying those operating systems. In addition, he said, users do not store enough valuable information on their phones to make it worthwhile for the criminals.

"In the last five minutes," Corrons said, "more PC viruses have appeared than all the mobile malware in history."

But even if the virus numbers stay low, there is no doubt that smartphones will attract criminal activity. "Mobile devices are a gold mine of personal and confidential data," said Patrik Runald, senior security research manager for San Diego, Calif.-based Websense Inc.

"Cybercriminals will successfully use mobile drive-by download attacks to steal confidential data and expose users to malicious content." He also predicted that many mobile attacks will exploit the mobile Web browsers in the iPhone, iPad and Android-based devices, and that rogue applications will also increase in number and sophistication.

And as AdaptiveMobile's McDaid says, many security breaches will come about, not because devices are infected, but because users are not taking care when viewing phishing messages or visiting social networking sites.

"All platforms have weaknesses and all are susceptible to a phishing attack, or to a location-reporting application," McDaid said. "If you get an SMS message asking you to ring this premium-rate number, and you call it, it's going to be no consolation knowing your platform is secure."