A few months back, a friend of mine gathered a bunch of his buddies for drinks at a local bar.
The last of these friends had just gotten an iPhone, and the lot of them grabbed their phones and clinked them together in the geekiest of geeky toasting gestures.
Congratulations, you’ve joined the collective! Once I’d gotten over the mortification that I’d just observed my friends doing this in public, it got me thinking. Have iPhones and Androids finally reached the critical point where they’ve taken enough of the mainstream market and achieved sufficient power that malware authors will finally take them seriously in their development efforts?
Later, when I was at this year’s DEFCON, the most popular tracks seemed to be those focusing on exploiting mobile phone vulnerabilities. Or at least that is the impression I got, jammed in a hallway with thousands of other people trying to get a chance to cram into the same small conference room.
It is hard to say that anything which is pwned at DEFCON or Black Hat is truly ready for malware primetime, as there is such cachet in hacking the newest/coolest toy over the old standbys.
So I reserved judgment. It was really during the next week after the conference that it began to look ugly for these popular phones.
Apple released a security update for iOS to patch a vulnerability brought to light by JailbreakMe, and the first SMS trojan was found in the wild, which caused Android users to automatically send messages to premium pay-per-text services. That last one in particular shows an interest in monetized malware.
Now, it is speculated that the next iPhone will contain Near Field Communication (NFC) technology, which will enable it to be used as a mobile wallet.
Outside of the United States, this technology has already been in use for quite some time with little issue. Will the iPhone bring NFC to a wide-enough audience that it will be of interest for financial malware? Will it cause enough demand that more popular new phones will have to include the technology as well?
We still have not had a Melissa virus-level mobile malware event, and it is conceivable that it will remain a fringe trend even with all of these enticing (for criminals) qualities.
I doubt that the average home user will be clamoring for security software on their phones for quite a while, certainly not with the same gumption they seek security software on their Windows PCs.
I do expect that there soon will be enough attacks on corporate users that security-conscious companies will need to specifically address their ability to access corporate network resources.
I’m beginning to hear grumblings of this trend already starting to occur. In the meanwhile, we can take our security where we can get it.
If you’re a phone owner, the advice is nothing new: Don’t enable Bluetooth until you need it, install those security patches from the vendor’s site and don’t download unapproved applications.
And if you’re a network administrator, now is a good time to consider a policy for these devices within your environment.