If you use it, mobile malware will come

IT people who try to secure mobile devices in a big company face three big conceptual problems.

First, many, if not most, of the smartphones and tablets are from Apple. Both veteran and rookie users tend to believe Apple devices aren't vulnerable to malware and hacks, so users don't need to take any precautions.

Second, even non-Mac users tend to think security is already built into their smartphones or tablets, so they also resist efforts to install anti-virus, firewall or other additional security on what are often their own systems.

Third, the fastest-growing malware segment targets Adobe applications rather than the traditional browser or operating system, doing an end run around the expectations of both users and many IT security people, according to analysts at the security firms McAfee and Commtouch.

The sense of security that Apple users have comes from the Mac. Mac users have been trained to feel safe because Apple averages 6 percent to 8 percent client OS market share, which has encouraged malware writers and botnet builders to aim at Windows machines instead, according to Alex Stamos, a security analyst at iSec Partners.

Android Takes the Malware Lead

The August edition of security firm McAfee Labs's quarterly threat report found that the number of malware threats rose faster during the first six months of this year than ever -- 22 percent faster than last year, which held the previous record.

Among mobile devices, malware aimed at Google's Android OS increased in number 76 percent compared to the year before, taking the lead from Symbian, previously the most-threatened smartphone operating system. Still, though it leads smartphone OSes in the number of malware threats, McAfee found only 44 specifically aimed at Android. But given there are 425,000 iOS apps on the market compared to about 200,000 for Android, the difference in availability of malware is remarkable.

And it is causing some damage. During the first half of 2011 about half a million Android users were infected with some form of malware; the number of infected Android apps skyrocketed from 80 in January to more than 400 by June, the Lookout report found.

By the end of 2012, 5 percent of all Android and iOS phones or tablets will have been infected at least once by viruses or trojans - most likely versions designed to steal information about users' bank accounts, not just prove it's possible to infect an iPhone, according to a report from security vendor Trusteer and its CEO Mickey Boodaei.

The fantastically successful Zeus malware kit, which is designed to steal banking information, has been found running effectively on every major phone OS except iOS, according to Sophos virus researcher Vanja Svajcer.

iOS Faces Far Fewer Threats

So far, however, McAfee has found not one single credible threat from trojans, viruses or rootkits designed for iPhones, iPads or anything else running Apple's iOS.

Rival security firm Commtouch did find one iPhone virus hosted on a malicious Web site to which users were directed by spam emails that claimed to offer photos of the "iPhone 5G S." Instead it downloaded a trojan called iphones5.gif.exe.

Part of the reason iOS malware is so rare is that it's easier to develop for the open-source-modeled Android than the closed and proscribed requirements of iOS, the report found.

Unlike desktop and laptop machines, which are usually infected by malicious attachments in email or visits to poisoned web sites, the most common infection point for smartphones is an app poisoned by hackers and downloaded by users who assume it is clean, according to a July report from Lookout Mobile Security.

That explains why Android devices are more vulnerable than iOS. It's easier to distribute malicious software through the comparatively uncontrolled Android apps marketplace than through Apple's iTunes App Store because Apple spends more time vetting the apps, Stamos said. So far the most common infection method is poisoned versions of legitimate apps that appear in an Android App Store.

None of the commonly available malware or hacking toolkits include canned exploits or virus frameworks designed for the Mac, so "script kids" without extensive programming skills of their own have a much harder time attacking iPhone than Windows, he said.

Aside from Apple's efforts to filter malware out of iOS distribution points, the operating system also has a sandbox for running third-party applications that is more effective even than the one in Mac OS X Lion server. All third-party apps get access to the same data, but are controlled more closely and have to ask the OS for information such as location data rather than retrieving it themselves, according to the Lookout report.

The almost non-existence of malware for iOS doesn't mean there are no threats, especially those hidden on malicious web sites that could attack using Java, HTML5 or other code that iPhones support, but which are not exclusive to iOS.

The major risk to iOS devices is jailbreaking them, which enables them to run apps other than those from Apple's iTunes App Store, thus opening the device to more threats. So far, however, even jailbroken iPhones have not been found to be infected, Stamos said, but that won't last long.

Closing the Open Book

All handhelds are vulnerable to total data loss if they're left behind in airports or coffee shops, according to IDC research analyst Ian Song. That's because few handheld users encrypt all their data or require a password to access them every time the screen goes dark, so any lost smartphone is, essentially, an open book.

The best option for that problem is to use only smartphones whose storage can be wiped clean or reformatted remotely, whether by administrators or by the user. Apple, for example, provides wipe and lock services for customers who lose their iPhones.

"Otherwise there's nothing you can do but call it and maybe someone will mail it back to you," Song said.

Don't Rest Easy

Still, hackers have a wide range of doors through which they can slip with smartphones, analysts said -- via Bluetooth, Wi-Fi and 3G connections if they can crack the encryption; even SMS messaging.

Aside from embedding malware that can corrupt the phone while it's running, it's possible to intercept or spoof data signals, especially SMS traffic, which can be used to infect and control an Android phone.

The upshot, for both Android and iOS users?

"A phone is a computer, and it needs the same kind of security as a computer -- firewalls, antivirus, backup," Song said. "If you don't treat it as a potential risk, eventually it's going to bite you."


Kevin Fogarty
