Turning tide? Malware on the smartyphones

For years, I’ve been saying the same thing about malware for the smartyphones – namely, that it’s dumb.  Why is that, you ask?  My point has always been that we’re just not seeing phone-based malware in the wild.  So why are you going to implement anti-malware for a platform that doesn’t have any in the first place, amirite?

But recently, it looks like there’s been some hype – both around malware on the Android platform as well as anti-malware solutions also for that same platform.  In light of the new evidence, I’m starting to rethink my opinion on this whole deal.

Here’s my thinking:  I’ve always held that malware development for the smartyphone platform (if, by the way, you’re wondering why I keep saying “smartyphones”, start watching The Good Guys – it’s worth it) would be gated by several factors.  Namely:

• profit potential of malware for the smartyphone
• ubiquity of the phone platform
• complexity of phone feature-set

And we’re starting to get pretty close.  Unlike proof of concept malware like Commwarrior and its ilk, the Android malware discovered last week actually satisfies the profitability criteria – by sending SMS messages to premium text services.  Meaning, an attacker can actually commit fraud using the phone as a vector.  Couple this with the geometric increase in the use of the platform and the fact that the phone is feature-rich (i.e. fully internet-capable) and you start to see an appealing platform for malware developers to target.

Of course, I’m not surprised to see anti-malware software for android – after all, there is no gate for someone to develop an anti-malware solution.  There doesn’t even have to be any malware for a platform for someone to target it for an AV product.

I’m going to continue to watch this for developments.  But I think we could be very close to a shift where phone-borne malware goes from a “meh” to an actual problem.  Not there yet, but maybe on the road to it.