Security software vendors like to bleat about how mobile phones will be the next big target for malware writers. Mobile operating systems are becoming a lot like PCs, they say. PCs have lots of malware. Therefore smartphones will have lots of malware. Security vendors are hoping this will become true so they can sell mobile security software.
However, there is no monoculture for mobile operating systems. There are at least four major mobile operating systems (iPhone, BlackBerry, Android and Symbian) and one minor one (Windows Mobile, which is falling fast). If you are writing malware, which one do you write for? Answer: none of them.
Further, mobile phones have much smaller attack surfaces compared to PCs, with no (or very few) listening network ports. And the operating systems themselves are locked down. As well, most of the demonstrated attacks have been very impractical. For example, the iPhone “malware” that made the rounds several months ago only affected phones that users had jailbroken.
Andrew Jaquith, senior analyst, Forrester Research
Anyone who believes that the mobile malware threat is overblown clearly has no knowledge of the history of the internet and computer industry. Over the last two decades, criminals have taken over phishing, malware, virus and spam distribution. They have consistently targeted every computing device and technology ever introduced and that constant assault has reached pandemic proportions. Add the smartphone. It has become part of the enterprise, is our email and entertainment device, and we conduct banking and other private affairs wherever and whenever we want. Smartphones are just computers that include a telephone. There are nearly 600 million of them worldwide, naked and unprotected. We need to prepare for the inevitable onslaught. Of course, smartphones are going to be the targets of criminals. Any other conclusion is naive, reeks of hubris and merely amplifies the industry’s past errors that have cost us all dearly. What if there were 600 million laptops without internet security? Would you call that threat overblown? How is this different?
Rob Smith, CTO & CEO, Mobile Application Development Partners