Computer viruses are big news. Over the past decade, malware like the ILOVEYOU virus and Stuxnet worm grabbed headlines worldwide, and PC owners are constantly hammered with reminders about antivirus software. But what about smartphones? They’re mini computers, after all, and they communicate over more networks than most PCs. Why hasn’t there been a major cellphone virus yet?
Cellphone viruses certainly exist. More than 10,000 pieces of mobile malware exist today, according to Troy Vennon, manager of the Global Threat Center at Juniper Networks. Of those, about 600 are actual viruses that will run on smartphones today. So why is it we never hear about them? There are three main reasons.
1. Too Many Mobile OSes
The first one is simple: economics. There are several mobile OSes, and no single one dominates the industry the way Windows computers constitute the bulk of PCs. Consequently, the impetus for a malware creator to design a virus that infects cellphones is fairly slim.
“The myriad various architectures and platforms make it difficult for a malware author to target a big number of devices,” says Ondrej Vlcek, chief technology officer of Avast. “It’s just not worth the hassle to create a virus that will only target a platform with [a small] market share.”
David Goldschlag, VP of Mobile for McAfee, agrees. “People chase the money. [Malware] either targets large platforms or very specialized targets. Smartphones kind of live in the middle. They aren’t a lot of them relative to PCs, and they’re not managing critical infrastructure.”
While there isn’t a lot of incentive to create cellphone malware today, given the increasing popularity — and sophistication — of smartphones, that’s certainly changing. There are, however, serious technical barriers to creating an effective cellphone virus.
2. Cellphones Don’t Trust Anyone
A cellphone typically has many more ways of communicating than your average PC. Besides the basic network connection, virtually all phones these days have Bluetooth, Wi-Fi and some kind of 3G connectivity. And that’s just the start: there’s now 4G, and many world phones work on both CDMA and GSM technologies. With that many openings, you’d think cellphones would be getting viruses constantly.
But it turns out that doesn’t happen. That’s because today’s smartphone operating systems work in a few fundamentally different ways than original computer OSes they’re based on. Developers have had decades of experience with malware on PCs, and they designed phones to be more secure from the get-go.
“A cellphone virus doesn’t have the same ability to propagate in the way a Windows virus does,” says Vennon. “For the most part, smartphones aren’t interconnected in the same way, where one device can reach out and have an inherent shared trust like two Windows machines do, and be able to pass information back and forth without the user really knowing.
“These platforms — BlackBerry, iPhone, Android, Windws Moble — are based off of kernels of operating systems from the PC world, but the developers had the foresight to not bring the same weaknesses from the desktop. When they developed these platforms, they already knew that they needed to completely limit access from an application to the actual system. That’s something OS developers years ago wish they could go back and do.”
While those inherent protections are a huge relief, what about malicious apps that are disguised as something benign? While it’s possible that a downloaded app could be doing something on a phone that the user doesn’t know about, with the rise of centralized app stores, the risk of that happening is greatly minimized.
3. App Store Security
Downloading software for your computer, which don’t the same kind of app stores that cellphones do (yet), can be a gamble. If you’re in a hurry to find something for a particular task (say, reformatting a video file), typically you’ll search for that task, then download the cheapest and most convenient application. User reviews can guide you, but often you don’t really know what you’re getting until it’s up and running on your machine. If you don’t do your homework, you could have just downloaded malware. Sucker.
With phones, however, app stores do some of that homework for you. It’s in the interest of the OS creator to ensure its apps are safe, so if you stick to downloading only from app markets, the risk is reduced. But not all app stores are created equal, say the experts.
“Both Apple and Android isolate one application’s data fairly well from another appliation’s data,” says Goldschlag. “There is a difference, however: the Apple App Store is very well vetted. The Android Market does much less vetting. That increases the risk of malware. In both cases, somebody can respond and take an app out of the store, but he more pro-active you are, the less malware there will be in the environment.”
The Inevitable Future
While cellphones are inherently less susceptible to viruses than personal computers, that will change in the coming years as the mobile market continues to grow, and cellphones get more complicated. All the companies I talked to agree: cellphone malware will become a real problem (and a bigger business for them, natch) in the coming years.
Should you think about antivirus software for your phone? That’s probably overkill at this point, especially if you follow two simple rules: 1) Only download apps from places you trust, and 2) Don’t jailbreak your phone unless you know what you’re doing. As long as mobile phone users practice that simple common sense, cellphone viruses will likely stay out of the headlines for a long time