updated 06:17 am EST, Thu March 7, 2013
BlackBerry, iOS, Windows Mobile have fewest and most innocuous threats
(Updated with Phil Schiller Twitter post) For years, Mac owners have gently rebuffed the myth that the Mac is so resistant to viruses because of "security through obscurity." No, they'd say, it's because the OS is better hardened against threats. Now the malware discussion has moved on to mobile, and that case is being debated anew: the most popular and one of the fastest-fading current cellphone OSes are responsible for a whopping 89 percent of all mobile device malware, while three of the most well-known smartphone platforms -- iOS, Blackberry and Windows Mobile -- have the fewest issues.
The conclusion comes from a three-year study of the changing face of malware and other threats against mobile devices, which has seen Windows Mobile improve its standing in security tremendously while Android -- the single most widely-used smartphone platform these days -- rise in both non-profit and for-profit security issues. In addition, the report by F-Secure finds the number of threats climbing from 80 families and variants in 2010 to over 300 now, particularly in profit-motivated attacks such as trojan apps and spyware combining to account for just over 70 percent of the threat types.
Alarmingly, Android now accounts for 79 percent of infected smartphones -- a staggering rise and near-total swap with Symbian, which accounted for over 60 percent of malware in 2010 but is down to 19 percent, while Android grew from 11.25 percent in 2010 to its majority stake at the end of 2012. Symbian was officially discontinued last year but remains on millions of smartphones still in service. Even threats on iOS have risen in recent years, albeit only fractionally -- the report says iOS accounts for 0.7 percent of malware threats in 2012.
Most of the common threats revolve around apps that obtain more information about users and their habits, surfing and purchases than the user has consciously allowed. Apple in particular has been aggressive on this front over the last year after the Path social app was caught uploading users' entire address books without explicit permission. Other "spyware" of this sort has been seen on iOS, but only very rarely and the issue is now largely under control.
The least-compromised systems currently include BlackBerry, which has always placed a priority on security, and Windows Mobile -- which has worked to harden itself to malware issues since 2010 when it accounted for nearly a quarter of security issues. The failure of Windows Mobile 7.5 and 8 to find much footing thus far in the smartphone market may have also aided the significant drop in threats created for the platform, but the Mango (7.5) update did introduce significant security measures.
The biggest issue facing Android in terms of security comes from its inability to update most Android devices to the latest version. Google has undoubtedly made Android more robust in its latest editions, but very few owners can upgrade to it: currently the latest version, Android OS 4.2, is on just 1.6 percent of active Android devices, with 55 percent of active devices running Honeycomb or earlier (most running the OS 2.3 Gingerbread release). Even worse, the threat level is escalating -- in the fourth quarter of 2012, 96 new attacks from mobile malware were on Android devices, accounting for all but four of the total new threats.
No other platform apart from Symbian (which had the remaining four) saw any new malware at all. This was up from 74 total new malwares in Q3, and only 47 total in each of the previous two quarters, indicating a rising trend.
A significant portion of non-Android malware will disappear with the Symbian platform over the course of the next year or so as the platform dies out and users upgrade their feature or smartphones to other platforms, but malware creators appear to have moved on en masse to Android as the platform of choice, with both non-profit and profit-motivated attacks rising significantly higher on the platform. By contrast iOS threats, which have always hovered under the one percent barrier, appear to have all but dried up entirely.
The company says that 66 percent of the malware comes in the form of trojans, or apps that masquerade as another program. Improvements in Google's Play Store and Android 4.2 may help bring that number down over the long haul, it says, but only as older devices are retired in favor of newer ones with later OS versions, and even then only if carriers start to take the malware problem more seriously and allow users more access to security updates. Another avenue that is exploited on the Android platform is the fact that apps are available from a wide variety of sources rather than one curated market -- though Google has struggled to improve threat detection in its own Play store.
Another major point of weakness are misleading "trickware" SMS messages that can fool recipients into signing up for unwanted subscriptions that are difficult to cancel. Because some of the revenue made from these subscriptions goes to the carrier, the SMS providers are in no hurry to fix the problem. F-Secure says that 21 of the 96 new attacks on Android devices came from SMS botnets or "premium" SMS messages, often offering ringtones or MMS texts that users want but do not understand that accepting or responding to the message obligates them to a subscription.
Back in 2006, nearly all mobile malware was not profit-motivated, and dramatically fell to a low of just 12 new threats or variants in 2009. However, that year also saw the first big rise in profit-motivated malware, and since them both profit and non-profit threats have roared back to life, rising to 173 profit-motivated malware attacks and 128 non-profit ones in 2012, likely due at least in part to the rising use of Android devices for commerce transactions. Until Android can address the issues that lead it to be unable to widely distribute security updates and rein in rogue stores, it will remain the primary platform for attacks and malware, with the rest of the smartphone market all but impervious to widespread security issues.
Update: Apple's senior VP for worldwide product marketing has linked the F-Secure study:
Be safe out there: f-secure.com/static/doc/lab...— Philip Schiller (@pschiller) March 7, 2013