Separating Fact From Hype On Mobile Malware 46
wiredmikey writes with this quote from an article about determining whether the recent doom-and-gloom reports about malware on mobile devices are justified:
"As twilight approaches for 2011, security vendors have set their gaze on the rise of Android malware during the year and what is ahead. Last week, Juniper Networks entered the fray, declaring the number of malware samples it observed targeting devices running Google Android had shot up nearly 500 percent since July. Today, McAfee released its threats report for the third quarter of the year, which found that the amount of malware targeting Android devices jumped 37 percent since the second quarter. While there is no doubt the amount of malicious programs with Windows in their bull's eye dwarfs the amount of threats to mobile devices, the focus on Android malware have left some wondering how to separate fact from hype."
FUD? (Score:5, Insightful)
Re:FUD? (Score:5, Insightful)
Amount is irrelevant (Score:3, Insightful)
It really does not matter whether there is a lot of malware. There always is and will be malware that incompetent users have to do stupid things to install. There always will be a lot of incompetent users. What matters is the level of sophistication of the malware. As this is generally not mentioned, my take is that basically these companies want to sell you something and select the numbers that support the illusion that you need what they sell. Then, if you are an incompetent user, you may actually need what they sell.
On the other hand, quality levels of AV software is really, really bad these days. I recently evaluated several scanners, and ran into things like automatic deletion of suspect files (a borderline criminal approach), deletion without the possibility to object, massive negative impact on disk performance, etc. As I had exactly one piece of spyware in the last 10 years and zero viruses, I am now back to running without AV software, except for MS security essentials with real-time stuff switched off.
Most security *is* theater (Score:5, Insightful)
I say this as an Infosec professional. If you remove all the hype/FUD and look at actual exploit/breach rates, the entire industry would change and shrink drastically. But they don't. So we have what we have - lots of snake oil and irrelevant/useless tools pushed to solve imaginary problems. Honestly, I am ashamed of myself but the money's too good :-)
Re:500%? Man, that's nothing... (Score:1, Insightful)
Who needs malware in the App Store when browsing to the right website can hack your phone?
Re:Allow users to set permissions? (Score:4, Insightful)
it's really hard to fault users for wanting that kind of control when "permission creep" is growing wildly out of control.
This.
Permission creep is the real problem, not malware. Actual malware (viruses, worms, spambots et al) are not prolific enough to cause real concern and I dont see them becoming big enough. It's the subtle data miners, a wallpaper or "free" game that requests "read/write contacts" and "full access to the internet" that are the real issue for end users. This is also not Android specific, IOS is just as vulnerable, even more so as Apple has pretty much given them permission to do so and do not check to see if programs do this. It's pretty much reached the point where personal data is worth more then most botnets.
As alostpacket said, we cant really fault the users for this, controls need to be more fine grained and personal data needs to be better firewalled.
Nice guide BTW.