Trey Wafer, McAfee senior product manager, talks about the mobile malware threat.
By Tim Kridel
If the term “Cabir” rings a bell, it means you’ve been in mobile app development since at least 2004. That’s when Cabir, considered the first known mobile virus, showed up as a proof-of-concept effort.
Since then, mobile devices have become more sophisticated in terms of processing power and connectivity -- which in turn creates more opportunities for malware writers. Just as important, the plethora of real-time operating systems (RTOS) has given way to a handful of smartphone OSs, which make it easier to write once, hack many.
We recently spoke with Trey Wafer, McAfee senior product manager, about how mobile operators, enterprises and security companies are responding to the mobile malware threat. [Disclosure: Intel, which owns McAfee, is the sponsor of this content.]
A lot of carriers, such as Sprint, offer free anti-malware software to their customers. Do you know the percentage of smartphone owners who either take advantage of that or buy anti-malware software on their own?
Trey Wafer: In May 2012, O+K Research estimated that 40 percent of devices are devoid of any anti-virus on their smartphones. Additionally, [about] half of smartphone owners use passwords, the most basic form of mobile security.
There have been a few examples of malware jumping from a smartphone to a PC. Do you expect that to become more common as the lines blur between mobile and PC OSs, such as with Windows 8?
T.W.: McAfee sees the opposite, with certain types of malware jumping from PCs to smartphones. The most popular of these is SMiShing, which tricks users into revealing personal information and passwords. Cybercriminals are business people and they will go where the money goes; as smartphones increase in numbers, we anticipate more to follow. Even the FBI has advised that Android is prone to malware.
How can security vendors ensure that their anti-malware solutions provide constant, adequate protection but without putting a drag on device performance?
T.W.: The anti-malware solution should be architected in a way that scans of mobile devices can be triggered on a regularly scheduled basis (e.g., every Friday at 3 p.m.), on an event-driven basis (e.g., every time an app is downloaded) and an ad-hoc basis (e.g., user or administrator wants to check). More importantly, the anti-malware solution needs ties to real-time intelligence that will keep it up to date. McAfee’s Virus Scan Mobile solution delivers that kind of architecture, plus ties to our Global Threat Infrastructure built in a way that battery impact and scan times are minimized.
McAfee is very sensitive to the performance impact of providing anti-malware screening services. It's one of the reasons we've been developing technologies that optimize protection while minimizing impact on system performance.
This new protection technology suite uses a combination of signature, behavioral, context, reputation and adaptive scanning techniques to provide users with the best protection while minimizing system impact. This new suite, known as "Anti-Malware Core" or AM Core, will ship in the upcoming release of our consumer endpoint protection product, with subsequent availability in McAfee's enterprise products.
The mobile industry has spent more than a decade trying to facilitate cashless payments, and between those efforts and the arrival of NFC in mainstream devices, this brass ring finally appears within reach. Is the industry doing enough to ensure that the reality or even perception of malware in enabling identity theft won't kill that opportunity?
T.W.: Ensuring the reality of a solution is ultimately driven by the companies who own the operating systems. Until mobile OSs are considered to be secure, mobile security vendors are limited in their ability to deliver a full solution.
In the meantime, it’s imperative to recognize the difference between those who are making products that contribute to that reality versus those who claim to be doing so. McAfee Labs is constantly testing applications and researching emerging threats. Those efforts automatically feed the anti-malware products that contribute to secure mobile transactions.
What should developers do to minimize the chance that their app will facilitate malware?
T.W.: The biggest thing developers can do to minimize the chance that their app will facilitate malware is to adopt a “security mindset.” They don’t need to become security experts nor should they let security drag down their ability to create effective, productive applications.
They do, however, need to think about security in the initial design of their application rather than as an afterthought. That mindset with a few best practices -- using encryption in the transaction or exchange of information, limiting permissions, being judicious about what kind of data can be accessed, isolating their applications from access by other applications except where absolutely necessary -- will go a long way in minimizing the chance that their app will facilitate malware.
How aware are businesses of mobile malware, as opposed to malware on other platforms? And how does that awareness affect the bring-your-own-device (BYOD) challenge for enterprise?
T.W.: Businesses understand the idea of malware in an endpoint (PC and laptop) environment because they have had to deal with it for many years. They understand basic premises in the mobile world -- iOS is more secure than Android, for example -- but they are often unaware of the specific types and levels of threat.
What this generally translates into for the BYOD challenge is the implementation of broad policies and programs. For example, BYOD is not allowed, but the company will standardize on and issue a specific model/OS product for relevant users.
Approximately how many businesses are proactively addressing mobile malware?
T.W.: This is difficult to estimate. General trends indicate that many businesses who are trying to address the rise of mobile products are standardizing on iOS because it is inherently more safe. They understand that encryption is built in at the chip level and that data at rest on the device is encrypted as well.
They also know that there have been a lot fewer headlines about iOS threats, thefts and vulnerabilities. In other words, “proactive” in the mobile world means piggybacking on the “best available” security (not to be confused with “best” or “adequate”).
Tim Kridel has been covering all things tech and telecom since 1998 for a variety of publications and analyst firms. Based in Columbia, Mo., he still enjoys the childhood hobby that led to a career writing about technology: ham radio. He is a frequent contributor to Digital Innovation Gazette.