Malware Evolution: PC-based vs. Mobile

2012 signified the year where people started seriously thinking about mobile security and asking: how do we handle this new threat? The question was not merely one asked by uber-defense agencies (think back to Obama’s 2008 election and the debate surrounding the security of his Blackberry), but got the whole security industry thinking. A quick look at the multitude of 2013 predictions security trends published by the different vendors shows the rising concern regarding both cyber targeted attacks AND mobile threats.

Mobile security and targeted attacks are already receiving the attention of the main press. The NYTimes featured in August the uncovering of FinFisher – a mobile surveillance software mainly targeting high-ranking gov officials. Half a year later, on first day of the New Year, the NYTimes were already contemplating the implications of mobile malware as a widespread and growing concern to the whole population. In fact, paving a clear path from PC-based to mobile malware.

If and when antivirus makers are able to fortify desktop computers, chances are the criminals will have already moved on to smartphones.

In October, the F.B.I. warned that a number of malicious apps were compromising Android devices. And in July, Kaspersky Lab discovered the first malicious app in Apple’s app store. The Defense Department has called for     companies and universities to find ways to protect mobile devices from malware. McAfee, Symantec and others are working on solutions, and Lookout, a start-up whose products scan apps for malware and viruses, recently raised funding that valued it at $1 billion.
Obviously, security professionals are on their way to address this inevitable rising threat. As usual, taking a class in history (malware history, that is) certainly helps. But can we say that mobile malware will evolve similarly to PC-based malware?
The answer is a clear and resounding no. Not the same in terms of mass infection malware and not in terms of infection vectors.
Mobile Malware: iOS vs Android
While PC-based malware targets the masses – mainly through browser-based vulnerabilities, the developers of mobile operating systems learnt their lessons. Today’s mobile operating systems have enhanced security measures to restrict – as much as possible – the mass infections of these mobile devices.
Accordingly, the mobile malware has taken a different path than its PC-based counterpart. Let’s differentiate the measures taken by the two major mobile operating system providers. Each of the two providers delivers a different security level against the mass malware:
–       iOS: the Apple team developed their “walled garden” protection mechanism. In fact, this is a highly effective measure, as we can see by the very few reports of consumer-targeted malware infecting users of this operating system.
–       Android:Google has been working hard in order to protect their official Android Marketplace through security service checks. However, lacking a “walled garden” mechanism, attackers will continue to infect consumers with mass malware applications downloaded both from its official market and through its dozens of secondary application markets.
As we’ve seen, consumer-oriented malicious applications are not the only security plague when it comes to mobile malware. The second threat is mobile malware in the form of advanced persistent threats (APT). In this case, attackers focus on compromising the organization’s security via particular mobile malware. Used by attackers dedicated to cyber-espionage, this type of malware is sure to continue and evolve in the never-ending game of cat and mouse.
Mobile Malware: Infection Methods
The evolution of mobile malware – as opposed to PC-based malware – is found also through the infection vectors of the respective platforms.
Current mobile malware infection methods include:
–       Exploiting browser-based vulnerabilities. Although the security of mobile devices has improved than its PC-equivalent, this is not to say that the mobile browsers are foolproof –just more complicated. In the meanwhile, dedicated attackers are continuously finding ways to bypass the security measures. For example, past attacks focused on installing spyhone software by remotely exploiting vulnerabilities in an open-sourced library (i.e., Webkit), which is used by common browsers such as iPhone’s Safari and Google Chrome. But there’s more. As opposed to PC browsers, security issues associated with mobile browser-based vulnerabilities is exacerbated because of the mobile devices patching process. In these patching models, mobile built-in browsers are patched only through the system upgrade. So even though a browser-vulnerability has been disclosed, the device owners cannot patch their systems until a complete system upgrade is available.
–       WiFi Man in the Middle. Connecting to a rogue WiFi hotspot has always been a concern. But the prevalence of smartphones in individuals personal and business life, has made this infection vector much more common.
–       Distribution via application markets. As mentioned, distributing mass malware via application markets is a typical technique to infect consumer’s mobile devices- mainly with fraud-focused malicious applications.
–       Physical compromise. Hardly an occurrence on PCs, these are much more significant on the mobile. For example, much of the surreptitious surveillance software on iOS devices involves first jailbreaking the device through a USB cable.
Mobile Malware: New Problems Require New Solution
Ironically, similarities exist in the way some attempt to treat the two threats, which is through the usage of Anti-Virus (AV) solutions. Consequently, we can predict that within a year or two, mobile malware will develop AV-evasion techniques – just like its PC-based specimen. And just like its PC-equivalent, this method is bound to fail.
For example, a decade ago, PC Anti-Virus (AV) solutions were the ultimate solution to malware. However, recent research has shown that the “initial detection rate of a newly created virus is less than 5%” and furthermore, “for certain anti-virus vendors, it may take up to four weeks to detect a new virus from the time of the initial scan”.
We can expect mobile AV solutions to suffer from a similar fate.
The bright side? We should take advantage of past experience as well as invest in the study of mobile malware characteristics. By understanding the core mobile security issues, the security industry can develop innovative solutions which will address both the known and unknown mobile threats.