Mobile Malware: No Big Deal?
Verizon’s security research team wants you to know that the odds of catching a truly serious malware infection are about 0.03 percent, about the same as the average odds of being struck by lightning during a lifetime. So should we worry? Read on for the details, and my recommendations...
How Common is Mobile Malware?
Verizon, in its annual Data Breach Investigation Report (DBIR), considers malware that does more than just annoy you with unwanted ads to be “high-level” and counts it towards that 0.03 percent. (Counting all “unwanted software,” Verizon’s DBIR partner Kindsight Security Labs came up with 0.68%, more than 22 times the “high-level” infection rate.) The sample population is “tens of millions” of Verizon Wireless users.
How Verizon Wireless determines who has a malware infection is not revealed. That omission should provide fuel for conspiracy theories about Verizon “spying” on customers’ phones and tablets. The closest the DBIR report comes to admitting this is: “We feel safe saying that while a major carrier is looking for and monitoring the security of mobile devices on its network, data breaches involving mobile devices should not be in any top-whatever list.” (Let’s not be coy, “major carrier.” And please, use a cogent tech writer for next year’s DBIR instead of a flowery and imprecise PR hack.)
When it comes to operating systems, Android is virtually the exclusive target of malware that Verizon found. The DBIR says that most of the attacks on iOS (iPhone and iPad) devices in its study turned out to be Android malware that picked the wrong target and failed.
FireEye, a security research firm and one of the DBIR’s contributors, studied 7 million mobile apps on iOS and Android during 2014. Ninety-six percent of malicious mobile apps targeted Android, they found. Golfers, campers, and other outdoorsy types are more likely to be hit by lightning, and Android users are more likely to catch malware than iOS users. Still, the average rate of infections on both platforms is just 0.03 percent, or 0.68 percent if adware really annoys you.
Adware is often spyware, too, notes FireEye, collecting personal information from the user (often with the user’s cooperation!) and delivering it to who-knows-who. This observation seems to have escaped the Verizon authors of the DBIR. Advertising is an increasingly favorite way for app developers to pay their bills; FireEye says adware-laden apps increased from 300,000 in 2013 to 410,000 in the first three quarters of 2014.
Mobile malware, like the mayfly, is extremely short-lived, the DBIR reports. Four out of five new malware species vanish from the mobile ecosystem after just a week, while 95 percent survive no more than a month. A never-ending torrent of new malware variants enters the wild simultaneously, keeping anti-malware software on its toes.
Where Does Mobile Malware Come From?
One thing that bothers me about this report is that (like so many others that discuss malicious apps) it does not say whether the malicious apps came from the Google Play store, or some sketchy third-party app store. Downloading apps from the latter requires explicit permission from the user, and these third-party app sources are notorious for not policing submissions.
Verizon’s bottom line is that yes, Android mobile devices are clearly vulnerable to malware, but actual instances of "serious" infections are still very rare. The question they do not address is whether or not smartphone users should install anti-malware apps. To be fair, the DBIR report is focused on malware being used as an attack vector against business networks. But here's my opinion...
Two years ago, I wrote the following in Do You Need Mobile Security Protection?:
If your smartphone activity is centered on talk, text, email or web browsing, I don't see a risk that warrants anti-malware protection. If you're into apps, follow these rules to stay safe:
- Don't download from third-party app stores such as GetJar, where oversight is lacking or less stringent. If you're outside the USA, be aware that malware abounds in Chinese and Russian app markets.
- Before downloading an app, check the permissions that the app is requesting. If an app wants permission to make phone calls; the ability to send, receive or access your SMS messages; or access to your contacts, calendar or camera, those may be red flags, unless it seems obvious that the app would need to do those things.
- Don't download apps that have been on the market less than a month, and only then if they have several thousand downloads and lots of good reviews.
I stand by those recommendations, but if you feel that you need additional protection, AV-TEST has a list of mobile anti-malware apps, along with ratings and reviews. You'll find products from familiar security vendors there, including AVG, Avast, Avira, Bitdefender, Kaspersky and Norton.
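The permission check in the second rule above can be done mechanically. The following is an added example, not code from the original article: it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the sample manifest, the flashlight app and the `obviously_needed` parameter are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The categories the article names, mapped to Android permission strings.
SENSITIVE = {
    "android.permission.CALL_PHONE": "phone calls",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.CAMERA": "camera",
}

def requested_permissions(manifest_xml):
    """Collect every permission name the manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # uses-permission-sdk-23 requests apply on Android 6.0+ only; count them too.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def red_flags(manifest_xml, obviously_needed=()):
    """Map each sensitive category the app's purpose does not explain to its permissions."""
    flags = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        category = SENSITIVE.get(perm)
        if category and category not in obviously_needed:
            flags.setdefault(category, []).append(perm)
    return flags

# Constructed sample: manifest of a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""

if __name__ == "__main__":
    # The reviewer judges camera access (for the LED flash) obviously needed.
    for category, perms in red_flags(SAMPLE_MANIFEST, {"camera"}).items():
        print(f"RED FLAG ({category}): {', '.join(perms)}")
```

The judgment about what is "obviously needed" stays with the person reviewing the app; the script only surfaces the sensitive requests that judgment has not accounted for.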
Have you experienced a malware problem on your mobile device? Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 1 May 2015
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Mobile Malware: No Big Deal? (Posted: 1 May 2015)