Mobile Malware Set to Explode, Security Pros Say

October 4, 2011 Alex Woodie

You knew it was just a matter of time before cyber criminals began targeting smart phones–not just writing the occasional bit of malware, but really targeting mobile platforms with purpose. That time has now arrived, according to IBM‘s X-Force security organization, which issued a new report last week that warned of the coming explosion of security problems in mobile devices.

The number of mobile exploits observed in the wild is on pace to double this year compared to 2010 numbers, X-Force says in its 2011 Mid-Year Trend and Risk Report released last week. At the beginning of 2010, malware writers had crafted about 15 exploits to take advantage of vulnerabilities in mobile operating systems, according to the X-Force report. By the beginning of 2011, there were nearly 35 documented exploits.

The creation of mobile exploits is expanding at a rate greater than 2x, despite the fact that the growth rate of underlying vulnerabilities is declining. According to the X-Force report, there were about 60 total mobile OS vulnerabilities at the start of 2009, and more than 160 at the start of 2010. At the start of 2011, there were about 185.

“For years, observers have been wondering when malware would become a real problem for the latest generation of mobile devices,” Tom Cross, manager of Threat Intelligence and Strategy for IBM X-Force, says in a press release. “It appears that the wait is over.”

IBM X-Force says some developers of mobile phone operating systems are not issuing updates as fast as they should, although it did not name vendors. Google‘s Android and Apple‘s iOS are by far the most popular mobile device platforms, accounting for the bulk in the estimated 270 million smartphones to be sold this year.

Android is widely regarded as a rich target for cyber criminals. This is due to Android’s openness and Google’s reliance on users to ferret bad apps out of the Android marketplace. For example, a criminal can post a piece of malware in the “banking apps” section, and potentially steal the users’ authentication information for accessing accounts. Apple, on the other hand, runs a much more closed shop with iOS, and maintains strict controls over iOS apps made available for downloads through its store.

Juniper Networks‘ Global Threat Center said in May that it had detected a 400 percent increase in Android malware. Despite the large increase in malware, the vast majority of mobile users don’t have any kind of antivirus or security software installed on their devices.

The problem is compounded by the fact that some pieces of malware masquerade as anti-malware. There is also confusion over whether some legitimate anti-malware software can do bad things to a user’s device. Those Quick Response (QR) codes that are popping up everywhere are also being used by hackers to load malware on user’s mobile phones.

It can be quite easy and straightforward for cyber criminals to monetize their nefarious mobile activities. Once a malicious app or Trojan is downloaded and installed, the malware simply sends SMS messages to premium-rate phone numbers. This results in a charge to the victim’s mobile phone account and income for the criminal. IBM also warned about the potential for mobile malware to steal the victim’s personal data, which can be used for identity theft or targeted phishing attacks.

IBM i shops, which are moving toward mobile- and tablet-based client interfaces as quickly as they are developing Web-based front-ends to their apps, should heed the warning and equip their employees’ mobile devices with the anti-malware and patch management software necessary to keep the devices and their employees secure.