Since the late 1990s some doom-mongers in the computer security industry have been predicting a tidal wave of mobile phone viruses, impacting every hoody-wearing happy-slappy ringtone-downloading ASBO-carrying teenager in the land.
The reality has been rather different. Although some cellphone malware has emerged, it should be regarded as a tiny drop in the ocean compared to the staggering amounts of Windows-based malware attacking desktops and laptop computers every day. Furthermore, the mobile viruses have typically been written by enthusiasts rather than financially-motivated criminals, and have not spread very far – if at all.
But the recent in-the-wild outbreaks of malware for jailbroken Apple iPhones have led some people to ask me if the situation is changing, and – if it is – what other operating systems might be at risk of having malware written for them?
It’s worth remembering that iPhones are only at risk from the Ikee and Duh worms if they have been tampered with by their owners, and left in an insecure state. The typical person who buys an iPhone is not going to find themselves at risk of infection from the current attacks as Apple has used some fairly strong-arm tactics to keep the environment under tight control.
But the fact that a financially-motivated worm followed so soon after the “mostly harmless” Rickrolling Ikee worm suggests that criminals are looking to take advantage of mobile devices if they feel it makes commercial sense for them.
And what’s begun to make jailbroken iPhones an attractive target is not just the relative ease of infection (when users haven’t changed the default root password), but also the iPhone’s significant presence in the smartphone market.
An illustration of this comes in the form of new figures from Admob [PDF] which reveal that more people (55%) in the USA browse the web from a device using the iPhone OS than any other smartphone operating system.
Now, we all know only too well the danger of putting all of our eggs in one basket. Part of the reason why we’re in the mess we’re in with malware attacks is the dominance of the Windows platform giving hackers a singular focus for most of their attacks.
And, to my mind, it would be bad if there was one dominant mobile phone operating system too. Fortunately, it doesn’t yet look like we’ve reached that point. While BlackBerry (RIM) and Palm have dropped in browsing percentage terms (and Windows Mobile is looking pretty pitiful), it’s becoming apparent that the Google Android operating system is going to be the main challenger for Apple in the future. At least, if we take these browsing statistics at face value.
So, could Google Android be the next platform to suffer from a mobile virus attack?
Perhaps.
One thing is certain: Android is a much more “open” operating system than iPhone OS, and its users don’t have to jump through as many hoops to install applications that have not been made “officially” available on the Market.
But that doesn’t make it a certainty that Android will be the next operating system in the malicious hackers’ firing line.
Of course, it should be remembered that not all attacks are OS-dependent. Phishing attacks don’t care what operating system you are running – they just rely on you using a browser and not taking enough care about the link you are clicking on (something that’s pretty easy to do when you have a limited screen size to view a – perhaps – long URL).
And increasingly we are seeing examples of threats which only exist “within the browser” or spread entirely inside a social network, never touching your smartphone’s operating system.
So there are dangers out there whatever kind of browsing device you are using.
But do I think we’ll see more malware for specific mobile operating systems in future? Yes, it would be a fool who would argue against the possibility. But I think it will be a long time before it competes with “traditional” Windows malware as the main battleground for cybercrime.
Future attacks may exploit vulnerabilities in the browsers used by mobile devices, or take advantage of the kind of social engineering tricks we’ve seen hackers deploy time and time again.