01/30/2012

Will 2012 Be the Year of the Cellphone Virus?

I know I'm not the first blogger in the antivirus arena to go on record as saying that I think cell phones and tablet PCs are ripe for the pickin' by the virus and malware writers.

What's clear though is that more folks like us (i.e. people who are *not* employees of the top antivirus manufacturers) are beginning to start beating this drum, too.

PCWorld's Dan Tynan wrote a piece back in November 2011 called, Mobile Malware Epidemic Looms. Now there's a piece in the NYTimes. Build Up Your Phone’s Defenses Against Hackers.

No disrespect to mainstream media, especially the NY Times, which I love, but c'mon... by the time this kind of thing hits The Times, it's arguably already old news. Certainly, it's well beyond the point of being "theory."

The opening sentence of Dan's piece in PCWorld says it all,
I know it’s a tad early for new year predictions but I’m going to beat the rush and make mine now: 2012 will be the year of mobile malware.
At the risk of offending the sensibilities of some of my readers who think they're immune, let me ask a few questions about what you do with your phone.

(N.B. For brevity, I'm lumping smart phones and tablet PCs into one category "phones".) With your phone do you...
  1. Use bluetooth?
  2. Browse the web?
  3. Send or receive email?
  4. Send or receive text messages?
  5. Charge via a USB connection?
  6. Charge at public charging kiosks?
  7. Use QR / "Scan Me" codes?1
If you answered "Yes" to any (and I mean any) of these questions, congratulations, you're at risk.

Now, shift gears for a second and think about not just the ubiquity of the cell phone but the utility. Not only are cell phones everywhere, they're *really* useful, which makes them all the more ubiquitous, which makes them even more useful, and so on.

And, now for the deathblow in the argument against cell phone antivirus software.

Phones are computers. Period.

If there's a microprocessor in it, it's a computer. And, I don't care how much time, money, energy, blood, sweat, and tears a manufacturer has put into their phone. It only takes one oh-so-subtle mistake by a well-intentioned programmer to make the code vulnerable to traditional malware attacks.

Consider this. Just to create the homepage of our site (and just the homepage) takes over three thousand lines.2 And that doesn't even count the code your web browser had to have to understand how to display our site properly for you.

My point: even if you have no clue how many lines of programming it takes to make a cell phone, rest assured it takes millions. Many, many millions. We ourselves are always finding and fixing little errors and typos throughout our site. If we have a hard time finding them in our own back yard, imagine how hard it is for a programmer to think about what problems they're going to encounter when millions of customers start using phones in millions of different ways.

Every mistake, no matter how subtle is a possible virus entry point. Maybe it'll never be discovered. Maybe it will. But in millions of lines of code, there are lots of opportunities for mistakes.

Next is the issue of "social engineering," where you're just out-and-out tricked into running malicious code. Maybe you click, "Yes" accidentally. Maybe you didn't understand what was going on and clicked, "Yes." Regardless, you clicked, "Yes" and installed something evil onto your phone.

What's it going to do?

Who knows? For starters it is a PC. The problem is, it's a whole lot more, too. It's a phone. It's a camera. It's an MP3 player.

Common things (so far) for cell phone malware are things like secretly calling 900 numbers, listening for credit card numbers, stealing contact information, logging keystrokes at your bank, brokerage, and credit card accounts... and the list goes on.

No matter how you look at it, cellphone viruses are here and cellphone antivirus software is a must. Android. iPhone. Blackberry. Windows. Palm. It doesn't matter what platform your phone (or tablet PC) runs, rest assured, it's vulnerable to viruses. Today.

How convinced are we? We're putting our own R & D money on the line: fitting right in line with our regular PC antivirus reviews, we're working on our own cellphone antivirus review site. No launch date just yet, but if what we've already seen in terms of mobile malware is any indication, it had better be soon.
1 QR / "Scan Me" codes are those funny square scan code things that are popping up everywhere offering everything from discount coupons to manufacturer direct purchasing.
2 For some more perspective, we estimate--conservatively--that since 2006 our site has produced well over 1,000,000 lines of code. And that's just the site itself.