Those are good reasons to be somewhat concerned. But there are other drivers of security hysteria that aren't so good. Security companies make their living selling software or services or both, designed to make someone's network or devices more secure. I'm not accusing anyone of acting unethical, but why wouldn't they (especially the marketing and pr guys, as opposed to the engineers) succumb to the temptation to amp up the perceived threat level a bit? The security companies I pay attention to are certainly reputable, but there is an awful lot of hype out there.
That hype wouldn't mean nearly as much if the tech media were a bit more skeptical. Instead, many of us act as megaphones. It's not surprising that journalists would rather write a scary story about looming threats than a more nuanced piece that says things aren't so bad. After all, eyeballs are the coin of the realm these days, and everyone who publishes wants to be noticed. Scary and dramatic equals page views.
Three Reasons Mobile Malware is Rare
So, why isn't the mobile threat nearly as pervasive as we've been led to think? For that answer I turned to Michael Sutton, vice president of research at Zscalar, a security company whose engineers have always provided me with level-headed guidance on threats. Here's what he said via an e-mail:
1. PCs have been dominated by a single, operating system, with Windows controlling 90% plus of desktops/laptops. Mobile devices on the other hand, have a variety of popular operating competing for market share and even within a single operating system, each device may host a unique version of the OS. This variety limits the ability for a single piece of malicious code to target a significant percentage of mobile devices.
2. Mobile architectures tend to be more closed than their PC counterparts, with limited access to documentation and debugging tools, making it more difficult (at least initially) to identify the vulnerabilities necessary for malware to propagate.
3. Apps stores present the most popular, or in some cases, the only avenue for deploying new software on mobile devices. This limits the ability of a worm to propagate by directly installing executable code on a mobile device. It also adds a layer of review that software is subject to before it can be deployed on a device.
Like other security professionals, Sutton believes that mobile threats will emerge, but for the reasons I listed above, they'll be very different from the desktop hacks we've all seen. For example, mobile browsers using Javascript are vulnerable to a number of different types of attacks, including clickjacking (that is, being redirected to another, possibly poisoned site or domain), he says. And users who install apps from sites they don't really know are asking for trouble.
