The looming mobile malware threat of the past decade has yet to materialize. The reason, according to scientists, is geography and the lack of a dominant market-share holder. However well done the math, the scientific study is flawed nonetheless. “Understanding the Spreading Patterns of Mobile Phone Viruses,” a new paper by 4 scientists, fails to take into account modern malware trends and the operational knowledge of security vendors such as antivirus companies.
Weighing mitigations and countermeasures against risk is a common part of business decisions. In this study, the scientists declare that antivirus vendors will have ample time to deliver antivirus protections due to the slow speed of Bluetooth viruses. Unfortunately, the paper fails to take into account the business operations of antivirus vendors. AV vendors also perform their own risk analysis in order to determine priority for signature writers. Slower-moving viruses, or any virus with less perceived risk, will go second to high-risk threats. In addition, vendors typically become aware of threats in two ways: customer reports and Internet monitoring systems. To the best of my knowledge, AV vendors aren’t walking the streets in major metro areas with smartphone in hand, scooping up Bluetooth traffic in hopes of finding a virus. More than likely, by the time an AV vendor gets wind of a Bluetooth virus, it will already have been spreading for days or perhaps weeks.
The work declares that market share, m, can be treated as a free parameter simply because malware only works on the operating system for which it was designed.
“A cell phone virus can infect only the phones with the operating system (OS) it was designed for (2, 3), making the market share m of an OS an important free parameter in our study.”
The statement is accurate, but it fails to take into account current malware trends. A virus is typically written for a specific architecture and operating system. It cannot magically morph into a self-aware entity that can infect every operating system. Implying such silliness as a way to declare m a free-floating and all-important variable is itself flawed. Nonetheless, the more important trend the paper fails to recognize is that malware more often targets applications and not operating systems. The truth of the matter is that most breaches in the last 5 years attack applications, not operating systems. Recent examples, from 2009, are the Adobe vulnerabilities that affected Windows, Mac and Unix systems. Browsers, the ubiquitous tool of the computer today, are affected across platforms. Firefox, for example, commonly requires updates on both Mac and Windows. Apple, which produces personal computer software and one of the most popular smartphones, also commonly finds itself updating software for vulnerabilities on Windows, Mac and the iPhone. So much of the study relies on market share being a variable; unfortunately, market share is only a small piece of reality.
The paper does acknowledge that MMS-based viruses can spread much more quickly than Bluetooth ones, but again it builds its foundation on operating-system-specific threats. No creativity is applied to suppose that a crafty virus writer could implant payloads for multiple operating systems. Or why couldn’t the virus be written in an architecture-neutral language such as Java, which compiles to bytecode? Nearly every smartphone on the market today supports Java. If the paper is found to be correct in this regard, then simply writing a Java-based virus will turn the math completely upside down.
To further argue against this paper, we cannot overlook the fact that these devices are now equipped with Wi-Fi, can hold up a VPN back to the corporate office and have wired USB connections. Any downplaying based on the slow spread over the Bluetooth connection is immediately overtaken by the range and speed of Wi-Fi. Given these devices’ numerous connection types, the potential spread of malware to adjacent devices easily outpaces any compensating slowdown attributed to the supposition of a single-operating-system virus.
We have to thank these scientists for their hard work and excellent study. However, I must disagree with their conclusions that market share and geography alone are reasons enough why we haven’t yet seen the major mobile virus outbreak soon to come.