A few months back, a friend of mine gathered a bunch of his buddies for drinks at a local bar. The last of these friends had just gotten an iPhone and the lot of them grabbed their phones and clinked them together in the geekiest of geeky toasting gestures.
Congratulations, you've joined the Collective! Once I'd gotten over the mortification that I'd just observed my friends doing this in public, it got me thinking. Have iPhones and Androids finally reached the critical point where they've taken enough of the main-stream market and achieved sufficient power, that malware authors will finally take them seriously in their development efforts?
Later, when I was at this year's Defcon, the most popular tracks seemed to be those focusing on exploiting mobile phone vulnerabilities. Or at least that's the impression I got, jammed in a hallway with thousands of other people trying to get a chance to cram into the same small conference room.
It's hard to say that anything which is pwned at Defcon or Blackhat is truly ready for malware-prime time as there is such cachet in hacking the newest/coolest toy over the old standbys. So I reserved judgment. It was really during the next week after the conference that it began to look ugly for these popular phones. Apple released a security update for iOS to patch a vulnerability brought to light by JailBreakMe and the first SMS Trojan was found in the wild, which caused Android users to automatically send messages to premium pay-per-text services. That last one in particular shows an interest in monetized malware.
Now it's speculated that the next iPhone will contain Near Field Communication (NFC) technology which will enable it to be used as a mobile wallet. Outside the US, this technology has already been in use for quite some time with little issue. Will iPhone bring NFC to a wide enough audience that it will be of interest for financial malware? Will it cause enough demand that more popular new phones will have to include the technology as well?
We still have not had a ‘Melissa-level' mobile malware event, and it's conceivable that it will remain a fringe trend even with all this enticing qualities. I doubt that the average home user will be clamoring for security software on their phones for quite a while. And there certainly won't be the same sense that one has with Windows malware that one is as reckless without security software as a motorcyclist riding sans helmet. I do expect that there will soon be enough attacks on corporate users that security conscious companies will need to specifically address their place in and ability to access corporate network resources. I'm beginning to hear grumblings of this trend already starting to occur.
In the meanwhile, we can take our security where we can get it. If you're a phone-owner, the advice is nothing new: Don't enable Bluetooth till you need it, install those security patches from the vendor's site, and don't download unapproved apps. If you're a network admin, now's a good time to consider a policy for these devices within your environment.