Have you ever heard of "El Chupacabra?" Well, just in case you haven't, El Chupacabra (in English, the "goat sucker") is a South American spiked, fanged, goat-eating beast that strikes terror in residents of Puerto Rico and (more recently) South and North America. There've been hundreds of Chupacabra sightings in the past decade, and there are thousands of people (smart, educated people) the world over who swear that the Chupacabra exists. But scientists disagree. Scientists argue that the Chupacabra is "mass hysteria" ("folie à plusieurs") - they argue that individuals have been subjected to sufficient "hype" to induce themselves to believe in absence of fact. This is not a slight against Chupacabra believers - after all, such a creature *could exist*, tons of reputable people believe in it, victims (mostly exsanguinated goats) have been found, etc. I'm not going to say that it doesn't exist - but I will say that I think it to be unlikely; just because something could exist doesn't mean that it does...
So who cares, right? What does "El Vampiro de Moca" have to do with Information Security? Simple. I think we have a similar form of mass hysteria in Infosec. I think there's a phenomenon (like the Chupacabra) that could exist but probably doesn't, that's perpetuated by hype, that continues to gain interest in absence of fact, in spite of research, and contrary to the evidence. I'm talking about phone-borne malware.
Clearly, there's no absence of hype. Take, for example, the recent Infosecurity Europe show; a hotbed of mobile malware paranoia. McAfee spread the word that "An effective mobile virus is coming; maybe not tomorrow or this year or even next, but it's coming" and "Mobile viruses have definite financial possibilities because there's a clear return... we are on the cusp of an attack." And while McAfee doesn't provide any evidence to substantiate that claim, F-Secure makes the claim that new mobile malware is rapidly spreading (only to later grudgingly retract those statements, as there really is no such malware after all.) Clearly, tons of hype, right? It's become so bad that it's starting to impact the way we do business.
But what's the reality? Well, for one thing, the phone manufacturers aren't (in their words) "breaking a sweat" over the possibility. And why should they? How much phone malware has there really been? A few proof-of-concepts (like Commwarrior and Cabir)? A few strains that require explicit user intervention in order to propagate? Clearly, a user having to respond in the affirmative to the "Infect the machine?" prompt is unlikely to generate a tremendous number of infections in the wild. Ok, ok, so the prompt doesn't really say "infect the machine?", but is "Install Commwarrior?" really that stealthy by comparison? Yeah, I thought not.
There are tons of reasons why mobile malware is unlikely to occur: for example, the lack of a ubiquitous substrate within which to propagate (i.e. smartphones are different from each other and there aren't many of them), the lack of a constant API and feature set on the device, and the lack of a reliable vector for transmission. But the reasons don't matter - what matters is the hype. There is no documented, viable, mobile malware - but since it's in the realm of possibility that some could develop in the future ("on the cusp" as McAfee says), it continues to fire up the industry and get the press. Analysts call attention to the overblown press and the folks working with this day by day tell us that this is a non-issue but every day, the hyperbole increases.
As for me, until something changes, I'm filing "phone-borne malware" in the back of the closet until the evidence catches up to the hype.
Posted by Ed at May 1, 2006 10:18 AM
I really enjoyed this page. I will be linking and I will be trying to read and research all that there is to offer from this site!
Posted by: Steve at March 8, 2007 06:28 AM