SecurityCurve Weblog

Phone Malware (again)

I'm getting sick of the whole "malware on the phone" propaganda; I've been saying that phone-borne malware is not "brewing like bird flu" for years now. However, every few weeks, the press picks up and runs with some story about how huge a problem it is. The stories typically have quotes from certain AV vendors spinning a tale of woe about how phones are a ticking time-bomb of infestation - a veritable petri dish of scum. I would like to (once again) attempt to put this into proper perspective.

For example, this week BusinessWeek is running a story called If Not Now, Soon about how Mobile Viruses are going to be a huge issue in 2006 - or if not in 2006, then at least by 2009. The thing about making predictions four years out is that nobody remembers (or cares by that point) whether or not they come true.

I'm not saying that the article is in the wrong - I am saying, however, to read between the lines of who says what. First and foremost, who is the loudest voice in the phone-borne malware camp? In this article, the sources most quoted are Trend Micro and Symantec; in other articles, you'll see names like F-Secure, McAfee, Sophos, etc. These are all vendors who have some interest in selling phone-borne malware products; these vendors are not dishonest - they just believe that malware is the most important thing (hence why they are in the AV business.) From their point of view, of course phones will run malware - why wouldn't they?

Look, it's going to take a lot more than smarter phones to make malware a problem on these platforms. There are a number of reasons that phone-borne malware isn't huge over and above smarter phones: phone models and brands are diverse, there's not a ubiquitous population of smart-phones, inter-phone application sharing is rare, etc. In other words, we don't just need a change in how many smart-phones are out there to see the malware rate increase, we need a fundamental change in the way that people use their phones. Take, for example, mass-mailers; on the PC, these spread because we are used to opening executable content from friends. When was the last time you exchanged executable content with a friend via your phone? Never? Once? Until how we use the phone changes, mass-mailers are unlikely to work.

Look, my point isn't that phone-borne malware is a non-issue - it's important to keep your head out of the sand. All I'm saying is to use discretion when reading articles like this. Right now, the generally-recognized "malware experts" are the AV folks - and the AV folks are predisposed to see stuff like this as a huge issue (when maybe it isn't all that big after all) because of the business they're in.

Posted by Ed at January 9, 2006 10:10 AM