Mobile Malware Epidemic Looms
I know it’s a tad early for new year predictions but I’m going to beat the rush and make mine now: 2012 will be the year of mobile malware.
That’s an easy prediction to make, because if you look at the numbers 2011 was really the year of mobile malware, but only a handful of people have been paying close attention. Next year you won’t be able to avoid hearing about it, and if you carry anything remotely “smart” in your pocket – and you don’t carry adequate “protection,” as we used to say in high school – you may become a victim of it.
(See also "Mobile Malware Reality Check.")
The latest figures from Juniper Networks bear this out. According to the Juniper Global Threat Center blog, the number of malware-laden apps available for Android devices jumped 472 percent since July. That’s right – there are nearly five times as many nasties available for the Android platform as there were just five months ago.
What does that mean in real numbers? I asked Dan Hoffman, chief mobile security evangelist for Juniper. He declined to put an exact number on the amount of Android malware, but he did say bad apps number in the “tens of thousands” and that 5 to 6 percent of the mobile devices that Juniper monitors have been infected.
The biggest threat to Android users may be “pirated” apps, says Hoffman – programs that look and feel like a legitimate software package but contain a malware payload. For example, a piece of malware masquerading as the Opera Mini Browser appeared in the Android market last month. The PowerAMP media player is another app that recently got pirated, notes Juniper.
Those two bogus apps were distributed via third-party app stores – notorious snakepits for nasty apps. But even the main Android Market is vulnerable, says Hoffman, thanks to Google’s hands-off app approval policy. Because the apps aren’t fully vetted, the Android market is low-hanging fruit for cyber thieves – a notoriously lazy bunch.
As you can see in this wicked cool infographic created by Juniper, the malware falls largely into two categories: SMS Trojans, which install apps that send bogus text messages to numbers owned by the malware authors (or their business partners) and charge you $2 to $3 per text; and outright spyware that can paw through your e-mail, read your texts, and otherwise capture the personal or business information you have stored on the phone.
(Also: I predict 2012 will be the year of the wicked cool infographic. Pass it on.)
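To make the SMS Trojan category above concrete from the defender's side, here is an added example (not from the column, and not Juniper's code) of the kind of check a mobile security product or carrier could run over a device's outgoing-SMS records: it flags apps other than the handset's own messaging app that send texts to short codes, counts the messages, and estimates the bill using the column's $2 to $3 per-text figure. The log format, the package names, the short-code heuristic (4 to 6 digits) and the allowlist of legitimate messaging apps are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of outgoing-SMS records (assumed format; not real data).
# One legitimate text from the handset's messaging app, one from a weather app,
# and a burst of three texts to a short code from a hypothetical trojanised app.
SAMPLE_SMS_LOG = """\
2011-12-05 09:12:01 app=com.example.weather dest=+15551234567 len=42
2011-12-05 09:12:04 app=com.example.trojanised.player dest=7375 len=12
2011-12-05 09:12:05 app=com.example.trojanised.player dest=7375 len=12
2011-12-05 09:12:07 app=com.example.trojanised.player dest=7375 len=12
2011-12-05 09:13:10 app=com.android.mms dest=+15559876543 len=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) app=(?P<app>\S+) dest=(?P<dest>\S+) len=(?P<len>\d+)$"
)
# Premium-rate numbers are typically short codes; treat 4 to 6 digit
# destinations as candidates (heuristic, assumed for this example).
SHORT_CODE_RE = re.compile(r"^\d{4,6}$")
# Apps that are expected to send SMS on the user's behalf (assumed allowlist).
ALLOWED_SMS_APPS = {"com.android.mms"}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "app": m["app"], "dest": m["dest"], "len": int(m["len"])}


def find_premium_sms_suspects(log_text, per_text_cost=(2.0, 3.0)):
    """Return a list of (app, short code) pairs that sent texts to short codes,
    with message counts and the estimated charge range at $2 to $3 per text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["app"] in ALLOWED_SMS_APPS:
            continue
        if SHORT_CODE_RE.match(rec["dest"]):
            counts[(rec["app"], rec["dest"])] += 1
    suspects = []
    for (app, dest), n in sorted(counts.items()):
        suspects.append({
            "app": app,
            "short_code": dest,
            "messages": n,
            "estimated_charge_usd": (n * per_text_cost[0], n * per_text_cost[1]),
        })
    return suspects


if __name__ == "__main__":
    for s in find_premium_sms_suspects(SAMPLE_SMS_LOG):
        print(f"{s['app']} sent {s['messages']} texts to short code "
              f"{s['short_code']}; estimated charge ${s['estimated_charge_usd'][0]:.2f}"
              f" to ${s['estimated_charge_usd'][1]:.2f}")
```

The allowlist matters: banks and carriers use short codes legitimately, so the signal is not "a short code was texted" but "an app that has no business sending SMS texted one, repeatedly." A real product would also key on the app's declared SEND_SMS permission, which this constructed log does not carry.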
It gets worse. At this point in time the mobile anti-malware market is desperately playing catch-up to the criminals. There are a ton of free apps in the Android store that claim to protect your device, for example, but unfortunately they’re worth exactly what you paid for them (PDF), according to AV-Test.org, a well-respected testing lab in Germany. Commercial (i.e., paid) products fare better, says lab director Andreas Marx, though AV-Test has not yet released results for those.
(Memo to Apple fanboys: Before you get too smug, read this. Last week, noted security researcher Charlie Miller managed to sneak a malware-laden app past the App Store mandarins, just to prove he could. Miller’s fake stock ticker, titled “Instastock,” was approved for sale last September. Once installed, it phoned home to Miller’s server and downloaded a harmless file. A malware author could have easily done the same thing, only downloading malicious code instead.
Miller's reward for showing Apple that it, too, is vulnerable? They kicked him out of the app developers program. Nice going, guys.)
Hoffman says Juniper has just struck a deal with AT&T, which plans to offer the company’s Junos Pulse security app to its mobile customers.
His advice: Treat security on your mobile device the way you do with your desktop or laptop: Pony up some cash for a real security program, and be very wary of what you download to your device and where it comes from.
“I recommend always going to the vendor's Web site and following the download link from there,” he says. “Read reviews for the app that are published outside the app’s page in the market. That may cost you an extra three or four minutes per download, but it’s well worth it.”
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynan on tech. For the latest IT news, analysis, and how-to’s, follow ITworld on Twitter and Facebook.