Fear mobile malware

1 September 2009 | Markus Jakobsson

Online criminals have many tools for committing fraud and theft, including phishing and, increasingly, malware.

Malware (e.g., viruses) can steal your passwords from keyboards or GUIs, scour your computer for sensitive account numbers, send spam to your friends, host criminal material without your knowledge, and even wait for you to log in to an online bank account and then add another transaction just as you’re about to log out.

How bad is the problem?

Currently, industry sources estimate that 0.25% of infected computers are directly involved in financial fraud. But with malware penetrating 10-15% [pdf] of ALL computers connected to the Internet, converting these computers into tools for committing financial fraud (which can easily happen) would result in an instant fifty-fold increase of fraud. To put this in perspective, most businesses would fail  – or fold their Internet operations – long before this happened.

Furthermore, this potential increase in malware-based fraud naively assumes stable malware infection rates. Yet malware threats have been skyrocketing.

Misaligned incentives aggravate the problem. In the U.S., financial service providers commonly bear financial responsibility for fraud, though most available malware countermeasures are designed for client-side use. In other words: the people who stand to lose the most money can’t do much to protect themselves.

Mobile malware: our Achilles’ heel

A more acute problem is mobile malware, which will pose a serious threat to mobile communications as smartphone use explodes.

The inherent limitations of smartphones – power, memory, bandwidth – make most anti-virus tools unsuitable once the rate of malware instances reaches a certain threshold, because smartphones can’t handle the updates that PCs currently have to.

For example: with around forty thousand new instances of PC malware a day, there are nearly 100 daily updates of anti-virus filter rules that laptops or desktops currently handle, but that would be difficult for a smartphone to manage. Of course, it’s not only about receiving updates. The device also has to screen for infection, which is a very demanding and resource-draining task for mobile phones.

So what happens when malware authors start developing viruses for smartphones at the rate they currently do for personal computers? We may not have to wait long to find out, because mobile platforms are rich with data and are convenient payment platforms ripe for defrauding.

Beyond incremental solutions

We must find better solutions before it’s too late. We’re in trouble as soon as soon as malware authors start giving phones serious attention. And we can’t use current strategies to combat the problem, because the mobile context is so much more vulnerable and resource-constrained.

This is not about tweaking what we already have.

I believe we need to think of combatting malware in a completely different way than we’re used to. We need tools that use less machine resources. We also need ways to identify the malicious acts that already took place, because the threats spread rapidly, undetected, and often before defense measures are implemented – retroactive or post-mortem detection is necessary because with the current pace of the problem, we simply cannot hope to catch things in time. We need to centralize detection to avoid burdening cell phones with this task.

I think this can all be done, and share some ideas for addressing the problem…

 

---

 Editor: Sonal Chokshi

Comments (2)