To combat a lot of mobile malware hype at the time, back in 2005, John Girard of Gartner and I put out a Gartner Research Note “Fast Spreading Virus or Worm Won’t Hit Mobile Devices Before Year-End 2007.” In the note we laid out three requirements that were necessary, and we thought those three would be in place by YE07. In 2007 I went through the status at a presentation at the RSA conference. Here’s a quick update:
- Smartphones (phones capable of running user installed applications) needed to pass 30% of the installed base – in most geographies, this condition has been satisfied.
- Ubiquitous use of wireless messaging to exchange executables – this one really has not happened, but since there has been such rapid growth of text messaging and since it is pretty common to embed links in text messages, let’s say this one has been satisfied. The attack spreading vectors these days tend to be by directing masses towards compromised websites, vs. directly sending the malware.
- Operating system convergence – the mobile OS world has actually gotten more diverse since 2005. Back then Symbian had the biggest share, but Gartner mobile analysts were projecting Windows CE (now Windows Mobile) would capture more than 50% of smartphone market share. Windows Mobile share has been dropping recently – back in 2005 the iPhone wasn’t really on the horizon, let alone Google Android.
The BBC had a piece titled “Giant Leap Looms for Mobile Bugs” (no, not killer bees) which had some researchers revisiting all this and coming to some erroneous conclusions. Of course, the sun going out also “looms” – that’s why I always try to eschew “only time will tell” type predictions.
Others have posited that the rise of the iPhone App Store will cause mobile malware to break out, but I think the App Store closed garden approach goes very much in the opposite direction – it forces applications to be run through a central place and certified – users can’t easily send each other executables. While Apple has already had to withdraw some apps, and needs to make sure they have security checking as part of the application certification criteria, the growth of a closed platform with controlled applications means that mobile malware is much less likely to be a major fast spreading problem.
That does not mean there won’t be malicious mobile software, but I think the major attack aperture will be mobile browsers, with mobile users attacked via social engineering rather than malware. Back in 2005 Gartner said the only effective way to deal with mobile malware would be in the mobile network, not trying to put client side software on every mobile device. The same is true for making sure mobile data services are kept secure.