In last month's diary I asked two main questions.
How would I really know if there was malware on my smart phone?
How do we really know that mobile malware is not widespread right now?
So a poll was created asking for your experiences.
One reader commented asking what the definition of malware was. Given that most of the readers of this diary are sufficiently knowledgeable about security to dismiss tracking cookies and other such things, I have to believe that only true malware is being reported.
I hope you reported the cookies.
The results and some preliminary analysis follows:
DISCLAIMER: This is not a scientific poll, I am not a statistician and this should in no way be construed as an effort to spread FUD.
Of 540 respondents to date (the six respondents listing other have been removed as their methods and results were not described)
83 of 540 (15.3%) of respondents were scanning for malware.
15 of 83 (18.1%) who were looking for malware on their mobile device found it.
457 of 540 (84.6%) were not scanning their devices.
Now, 540 responses is not a particularly large sample, but I have been monitoring the statistics as responses are entered and the percentage of people reporting they found malware consistently ranged from 15-20% so 18.1% seems to be a reasonable number. Likewise the percentage of people who were not scanning ranged consistently from 82-86%
Based on those numbers, 83 of the 457 people who responded who were not looking for malware would be infected. Ouch.
How many mobile devices are out there right now?
How many in your office building? How many in your city, your state, your country?
How many in the world?
Let's say these numbers are double what would be seen in the population at large.
Even so, if 9% of all the smart phones were infected with malware (especially if we didn't know it), that would be cause (IMHO) for alarm.
I couldn't find any good numbers on existing smart phones but according to this ZD Net Article Credit Suisse projected that total smartphone sales for 2009 will end up at around 176 million units. In the years ahead, Credit Suisse expects the smartphone market to balloon to around 1.5 billion units. By comparison, worldwide unit sales of all mobile phones in 2009 will be about 1.2 billion and worldwide unit sales of all PCs in 2009 will be about 300 million.
Let's say the Credit Suisse was way, way off and we'll say there are only 100 Million smart phones in the world today.
And we'll say that even the 9% above was way off and it's half that, which would be only 25% of what the poll you responded to said.
4.5 Million infected devices.
1.5 Billion Units? I don't even want to think about it.
Do the math. Plug in your own numbers. Check your smart phones.
So my delayed, and corrected answer to the gentlemen at SANSFire who asked Will this year be the year that malware on mobile devices becomes a problem? is:
I think it is. We just don't know it.
Will you be following up with a site you can point your mobile app to that can scan it online?
I know my handy phone has started using it's entire battery life in under 12 hours - ever since I downloaded a ring tone. So I'm really worried.
By the way, how do you look and see what's running on a mobile app? I don't see any cmdline prompt.
Any recommendations for mobile AV?
I don't know of any site that you can point your mobile device to and have it be scanned online. and I would think that data charges for that would be prohibitive unless you had a truly unlimited data plan.
As for recommendations, it's no secret I'm not a fan of signature based AV. However, this is a case where something is better than nothing.
A defense in depth approach would be to use a different vendor on your smart phone than you use for your PC AV and then if possible, scan your device either on insertion to your PC or manually.
I'm not sure what OS is on your device, but if it's Windows Mobile, task manager is there.
Christopher Carboni - Handler On Duty
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.