Self-interest is behind a lot of the mobile malware reports from anti-virus vendors. Hardly a day goes by where I don’t receive an email from a vendor pushing its latest research on malicious software raising havoc on Android smartphone users, usually in Eastern Europe, the Russian Federation or Asia.
Malware risk remains small
While the malware is real, the threat to people outside the affected regions are small. In the U.S., most people head to the official Android app store, Google Play, where it’s unlikely they will download a booby-trapped app. Third-party app stores easily infiltrated by criminals are much more popular outside the U.S.
With Apple’s iPhone the chances of infection are even less, because the company tightly controls the distribution of software through its App Store. While no defense is impenetrable, Apple’s wall is pretty high for criminals to climb.
Charles Kolodgy, a market researcher for IDC, recently told Bloomberg that just 5% of smartphones and tablets globally have security tools installed.
“Users don’t believe there is much of a threat to these devices,” he said. “There has yet to be — and probably never will be — a massive worm, virus or Trojan.”
Large anti-virus vendors are often reluctant to hand out usage numbers for their mobile products. When they do, the numbers are often “obscured or inflated,” Bloomberg said.
Certainly, there’s been cases where hapless Android smartphone users are tricked into installing malware. However, most of the time the malicious app secretly sends text messages to premium rate numbers. While this is an annoyance, the damage is small and again, such scams usually occur outside the U.S.
The greatest threats
So what are the greatest threats? Well, corporate employees are definitely one of them. A survey of 500 businesspeople by market research firm uSamp found that more than 40% used their mobile devices to share documents using cloud services, such as DropBox or Google Docs, despite corporate policies prohibiting the practice. The firm estimates that data leaked to unsanctioned services costs U.S. companies $2 billion.
Theft or employees losing smartphones are also major threats, since the result can be the exposure of corporate data. More than a third of mobile devices are either lost or stolen, according to Giri Sreenivas, vice president of mobile for risk management vendor Rapid7.
Terminated employees are also a major threat, Sreenivas said. Roughly half of fired workers do not believe it’s wrong to steal corporate data.
Ad-supported apps, such as games, are also a big problem, when downloaded by employees. While the apps are not malicious, they often request permission to access sensitive data on the phone, such as the address book and calendar.
Use of insecure public Wi-Fi networks also makes the list of greatest threats. Such networks can leave users vulnerable to man-in-the-middle attacks, a kind of digital eavesdropping in which the perpetrator can intercept messages.
Clearly, most security threats on smartphones can be handled with good mobile device management software that can wipe a phone clean of data when lost or stolen and can limit downloads to pre-approved apps.
Malware is not going away, and may become a much greater threat in time. However, for the time being, the focus should be on the more serious threats that are here today.
Antone Gonsalves is a freelance journalist who has covered the technology industry for magazines and websites since moving to San Francisco at the height of the Internet boom in the late 1990s.