Mobile Malware is to Smartphones as Bird Flu is to People. Discuss.

Posted on August 9, 2007
Filed Under China Internet, Malware, Mobile, Security

Since bird flu first infected humans in Hong Kong in 1997, the world has nervously waited to see what will come of it. The hope is that it will never reach the scale of the great influenza pandemic of 1918-19 that killed 20 to 40 million people.

The nomenclature of virology has long been adopted by the computer security community when discussing the effects of malicious software (malware). Much as the world is waiting to see what will happen with bird flu, the mobile phone community is waiting to see what will happen with smartphones and malware.

China is the world’s biggest mobile phone market. According to Analysys, in Q4 of 2006 there were 443 million mobile phone users in China. An increasing proportion of those mobile phone users have smartphones.

Smartphones are essentially communications-enabled handset computers. They typically can access email and provide internet access, applications, and games.

From what I was able to find on the internet, smartphones are booming in China. The research firms differ, though: MarketAvenue claims that 30% of China’s mobile users now have smartphones, CCID (mentioned here) says 25 million handsets were sold in 2005-2006, and In-Stat reports 15 million handsets (quoted here) over the same period.

The China Internet Network Information Center’s (CNNIC, sponsored by China’s Ministry of Information Industry) report states that 17 million users (12.4% of China’s internet users) accessed the internet via a mobile phone (most likely a smartphone) in 2006.

There’s a fairly wide discrepancy. MarketAvenue’s 30% of mobile users with smartphones would be about 133 million people based on Analysys’ 443 million mobile users. There may be differences in definition, population sampling, vendor reporting, etc. that could explain away some of the gap, but it’s too big just to ignore.

The MarketAvenue number may just be another lost-in-translation moment (“…over 30% of the 400 million users have been reached for handset users in China.”), but 133 million seems to be out of line with the other reports.

I don’t know enough about the various reports’ methodology, so I don’t want to dismiss them. I will say that market research reports on China can vary widely in their results. Sometimes I really doubt anyone (market research firms, the government, academics, barflies, bloggers like me, anybody) has a grasp of what’s happening in China.

If the MarketAvenue numbers are thrown out, I think a reasonably conservative number would be around 20 million. That’s a sizable population ripe for malware (trojan, worm, virus) infection.

But there seems to be little information available about mobile malware occurrences in China. CNNIC’s report has the only statistic I could find that seemed credible.

The report relies on telephone surveys (I assume; the description of the methodology isn’t very clear). The interesting question they asked mobile phone internet users was:

12. Problems that usually encounter (result of multiple selections)

The seventh (out of eight) response was:

Mobile phone virus 6.5%

Taking the completely unscientific number of 20 million and assuming that the CNNIC’s numbers can be applied to it, it would mean that 1.3 million smartphone users in China have been affected by mobile malware. That’s less than one percent of mobile users in China.

An even smaller number of people have died from bird flu. But as the World Health Organization puts it in their list of things to know about bird flu:

The world may be on the brink of another pandemic.

This echoes what virus researchers say about mobile malware. Alisa Shevchenko of Kaspersky Labs writes:

Currently, there is no threat of a global epidemic caused by mobile malware. However, the threat may become real a couple of years down the line

The only quibble I have with Ms. Shevchenko is that she does not use the word pandemic.

In researching this post I continually went back to Kaspersky Labs; they have the best-reasoned analysis that I could find. An analyst of theirs, Alexander Gostev, identifies 31 families of mobile malware, most of them for Symbian.

The overwhelming target for mobile malware is the Symbian operating system. Nokia is the world leader in smartphones and they exclusively use Symbian. As befits a mobile, handheld computer, smartphones’ typical vulnerabilities are operating system-related. Symbian claims (David Wood, VP Research here) that this is not really a problem: users would have to approve the installation of malware and go through a series of prompts before anything is installed.

Getting people to click on an attachment in an email or a link is one of the oldest tricks in the book for virus propagation. Smart malware propagates itself by sending a brief message to a user’s contacts. It works all the time - why wouldn’t the same thing happen with a smartphone?

The complacency doesn’t stop there. I went to Symbian’s site to see what they have to say about security. Here it is:

Keeping mobile phones safe and secure is increasingly important for everyone involved in using or making a mobile phone. Symbian takes its responsibilities on security very seriously and works to ensure that Symbian OS continues to be the most secure operating system available to mobile phone makers.

Uh-oh, don’t like the sound of that.

Symbian OS is only one of the software components that mobile phone makers use to build mobile phones. For this reason, Symbian is unable to respond to security issues that individual users may have with phones that use Symbian OS. Should you experience any sort of problem with your phone you should contact your handset manufacturer or network operator/carrier to receive appropriate support and advice for your specific handset.

So it’s not their problem. The links they provide are just to a couple of anti-virus vendors. Nothing about manufacturers or vendors. I checked China Mobile; nothing there either (I can’t read Chinese; I used Google Translate, so I may have missed something).

Symbian is by no means the only target. If anything, smartphones running Microsoft’s Windows Mobile are even more vulnerable. Malware writers are much more familiar with the Windows architecture. Airscanner, a mobile anti-malware company, has a long and devastating look at it here.

The other mobile operating system, Linux in all its flavors, has yet to see any large-scale mobile malware. This is a sliver of good news for China - it’s the world leader in the adoption of Linux as an operating system for smartphones.

So with mobile malware, as with bird flu, there’s a threat of a pandemic on the horizon. No one really knows if it will happen. Maybe bird flu and mobile malware will be recurring epidemics, maybe they’ll just be a threat that passes.

I can’t speak to bird flu, but I can speak to mobile malware. It’s going to happen and it’s going to become as commonplace as other forms of computer malware. Why? The more important smartphones become, the more inviting a target they will be. Even the naysayers are getting on board. The Register notes that Sophos, another anti-malware company, has reversed itself and is now moving into the mobile space.

And in China? What’s happening in the world’s largest mobile market? Not only is smartphone adoption expanding dramatically, so is mobile malware. As Kaspersky Labs’ Mr. Gostev says when discussing the national origin of mobile malware:

Going on what we’ve seen, at the moment China is leading this rather depressing race…

Comments

2 Responses to “Mobile Malware is to Smartphones as Bird Flu is to People. Discuss.”

  1. Eric on August 13th, 2007 3:15 am

    This is exactly what I expected to find out after reading the title. Thanks for the informative article.

  2. Catching Mice in China - Technology and business in and around China » Review: CNNIC’s 20th Statistical Survey Report on the Internet in China on October 3rd, 2007 3:18 pm

    [...] smartphones that are able to access the internet as a client as a computer would. I’ve tried before to sort out a reasonable number for smartphone users in China, with little success. If the service [...]
