For decades, Microsoft Windows was the computer platform of choice — not just for the overwhelming majority of computer users, but also for a growing legion of malware creators. As the dominant computing platform, it offered the fattest, most lucrative target, and some of its fundamental architecture decisions made it vulnerable to many kinds of malware.
With the transition to the mobile era, Windows is no longer at the center of the computing universe — for users or for hackers. That role is now occupied by Android. According to Stephen Cobb, a distinguished security researcher for the IT security company ESET, “Android is like early Windows.” It’s now the locus for security attacks and prevention — even if it’s not getting as much attention in this regard as Windows used to.
Flying Under The Radar?
“There’s so much malware on Android, you’d think it would be a huge deal,” Cobb said. And the growth is “huge,” he added, “both in the number of malware exploits and their increasing sophistication. The rate of growth in Android malware is impressive, and scary.”
At this week’s RSA conference in San Francisco, ESET did a live demo on Android, downloading an infected app that roots the phone and opens it up to whatever the attacker wants to do with it — including dumping out its entire contents in a few seconds over the Internet.
Why aren’t we hearing more about Android’s security problems? “It’s death by 1000 cuts,” Cobb said. Instead of emptying the bank accounts of infected users, the malware is more often used for premium-rate SMS fraud against mobile carriers, “which isn’t bankrupting anyone immediately. They’re flying under the radar.”
“I don’t think the criminal underground is sophisticated enough that it is holding back,” Cobb said. It’s just that when a mobile platform is the target, “the model is many times a smaller attack — or you can look at it as part of a larger attack.”
For example, if a criminal wants to insert himself into a small or medium-sized business doing $40,000 bank transfers, he’d run into the fact that many online banking systems use two-factor authentication — i.e., they require a code sent to a client’s mobile device in addition to a password. But a mobile hack can help defeat that.
Your Mobile Platform Does Matter
Just as on computers, which mobile platform you use really does make a difference on security. “The Apple model of a closed shop, from a security standpoint, is a very good thing,” Cobb said. Apple’s OS X and iOS are both pretty secure to start with, and with iOS and the App Store, “Apple is moving that from a physical environment to a software environment.”
Even as Android takes the lead in global sales, it’s been much less successful from a security standpoint. “We sell an anti-virus product for Android,” Cobb noted. “No one sells anti-virus for iOS.”
What will it take for Android to clean up its act? “Quite frankly, I expect to see it improve when sales start getting impacted,” Cobb said. That obviously hasn’t happened yet on a mass scale, as Android sales continue to outstrip its smartphone competitors.
But Cobb said that “In some circles it is already having an effect… I wouldn’t use an Android phone for my personal stuff.”
Meanwhile, Windows Is Getting Better
Ironically, as Android’s security issues grow, Windows is actually getting better. “Microsoft deserves kudos for making Windows more and more secure,” Cobb said. And with the move to Windows 8, Microsoft is shifting toward a more closed, more secure model, specifically by not allowing apps unless they are from a legitimate developer.
Plus, Windows’ issues over the years have had the effect of training people to be more careful. “Someone who’s been using Windows for the last 10 years is probably better protected than a Mac person,” Cobb joked. “They’ve had to learn the hard way.”
The problem is that in an ostensibly protected environment, people can get a false sense of security. They are still vulnerable to “some big hack” that overrides all the existing protections, or to “social engineering” attacks, Cobb noted. That’s why many of the bad guys are changing tactics. “Instead of trying to break into the computer, they’re now trying to break into the person.”
Ultimately, that’s only one reason Cobb thinks that concentrating on mobile malware may be the wrong angle. “What the bad guys really want,” he said, “is the device out of your pocket.” If they can physically get ahold of your device, they can do all sorts of bad things.
Image of Stephen Cobb by Fredric Paul.