Valid criticism; you’re totally right about everything you say – smartphones are the only succeptible platform and I agree that the likelihood of this being an issue is related to the density of smartphone use (i.e. higher in Europe/Asia.)

I bring this up not because I think that we shouldn’t study phone-borne malware (I think we should), but only because people hear about phone-borne malware and start to panic – which I think is excessive… Like, in the case of yesterday’s article or the SANS report, I don’t think it’s a “top trend in information security.” (A trend certainly, but I don’t think a “top trend.”)

Statistically, I’m more likely to be impacted by a targeted phish or by identity theft than by phone-borne malware. This distracts (in my opinion) the “easily captivated by the trade press” crowd from the more common stuff… Like, I’d rather the security guy that sets budget for my bank read an article that says “identity theft a top trend for 2007″ and budget in extra fraud-protection vs. reading the phone-malware thing and buying AV for employees’ cellphones…

-E

the way you’ve framed it i could analogously show that the chances of catching the flu are exceptionally low based on the probability of a mammal catching the flu…

let’s start with some additional facts… one is most mobile malware today can only run on a very small percentage of the cellphones out there specifically the so-called ‘smartphone’… advances in malware coding are not likely to change this as most cellphones in existence are just cellphones rather than little computers that can make phone calls…

if you don’t have a vulnerable phone then your chances of getting cellphone malware is 0… if you do have a vulnerable cellphone then your chances of getting cellphone malware is much higher than 0 and potentially much higher than the figure you’re quoting, depending on population density of vulnerable devices in your area and your own sociability and travel habits (since bluetooth worms have an epidemiology roughly equivalent to that of an airborne biological virus)…

smartphones aren’t nearly as popular in north america as they are in europe or asia so even if one does have a vulnerable phone one is at much less risk in north american than one would be in europe or asia… additionally, if one doesn’t go to places where there are lots of people (like stadiums, airports, etc) then one is also less likely to come in range of an infected device and therefore at less risk…

peter lind questioned the reality of the mobile malware threat as well back in july (http://spiresecurity.typepad.com/spire_security_viewpoint/2006/07/mikko_hypponen_.html), just as an additional datapoint (well many additional datapoints if you consider the month’s worth of comments the post generated)…

i think it’s clear that mobile malware is a real threat *in some places*, but probably not comparable to what we’ve grown accustomed to with windows malware…