Mobile malware overhyped, says security company Damballa

Mobile internet users are 1.3 times more likely to get struck by lightning than infected by mobile malware, research by security firm Damballa finds

Mobile internet users are 1.3 times more likely to get struck by lightning than to be infected by mobile malware, found research by security firm Damballa.

“News headlines indicate mobile malware is exploding, but the threat of infection by mobile malware is still very small,” Charles Lever, senior scientific researcher at Damballa told attendees of RSA Conference 2015 in San Francisco.

He said that, while mobile malware is a real threat, the true extent of mobile infections is still not widely understood.

By providing an extensive network-level analysis across millions of devices, Lever said his team aimed to help the security industry better understand the underlying infrastructure of mobile traffic, and the risks that are likely to come in the future.

Lever said that, by understanding these risks, organisations will be better positioned to apply network-based countermeasures to help detect and protect themselves in future.

Damballa monitors nearly 50% of US mobile traffic and used passive DNS data to determine actual malware infection rates rather than just samples found or potential vulnerabilities.


Mobile domain data

Damballa originally conducted a study in early 2012 to determine the extent of mobile devices contacting malicious mobile domains, monitoring about 33% of US mobile data traffic. The same study was repeated in late 2014, using about 49% of US mobile data traffic.

During the initial test period in 2012, researchers saw an average of 21 million mobile devices a day, compared with an average of 143 million in the 2014 test period. Across the two test periods, they observed 2,762,453 unique hosts contacted by mobile devices.

In the 2012 test, Damballa saw 3,492 out of a total of 23 million mobile devices contacting a domain on the mobile blacklist (MBL), representing just 0.015%.

In 2014, however, only 9,688 out of a total of 151 million mobile devices contacted mobile blacklist domains, just 0.0064%.

Lever said that, according to the US National Weather Service, the odds of being struck by lightning in a lifetime are 0.01%.

Wired and mobile malware overlap

Another key finding of the study was that only 1.3% of “mobile” hosts were not also present in the set of hosts seen in historical non-cellular traffic.

This means there is a significant overlap between wired hosts and mobile hosts, and mobile applications are re-using the same hosting infrastructure as desktop applications. This in turn means that organisations can use the same reputation-based technologies and work done around analysing threats at a network level for mobile apps as they do for desktop computers.

“This research shows that mobile malware in the US is very much like Ebola – harmful, but greatly overexaggerated, and contained to a limited percentage of the population that are engaging in behavior that puts them at risk for infection,” said Lever.

He asked the RSA Conference audience how many had been infected by mobile malware, and only one person raised their hand. No-one in the audience responded when he asked if anyone knew of someone infected by mobile malware.

“Mobile operators and platforms have invested significant resources in preventing malicious applications from being installed by putting in a lot of safeguards. For example, iOS developers must submit an application for approval before their app is available on iTunes,” said Lever.

“And Google has developed Bouncer, an automated system that scans submitted apps for evidence of malware. So, for a majority of the population, by simply staying in authorised app stores for their respective devices, they will drastically reduce the risk of being infected with mobile malware,” said Lever.

Because mobile devices show network behaviour similar to that of non-mobile devices, network-based countermeasures could help mitigate mobile threats.

Lever recommends that anyone managing security for enterprise mobile devices should use network tools to identify mobile devices and to determine whether those devices are connecting to known bad infrastructure.
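The measurement the study describes (the share of unique mobile devices whose DNS queries hit a mobile blacklist) and the check Lever recommends for enterprise devices can both be done from passive DNS data. The following is an added example, not Damballa's code or tooling: the device identifiers, domains and blacklist entries are constructed, and domain matching is done on label boundaries so that a blacklist entry also covers its subdomains.

```python
# Added example (not Damballa's): compute the fraction of devices that
# contacted blacklisted domains from passive DNS records, and list the hits.
from collections import defaultdict

# Constructed passive DNS records as (device_id, queried_domain) pairs.
# Device ids are placeholders for whatever identifier the resolver logs.
PASSIVE_DNS = [
    ("dev-001", "cdn.example.com"),
    ("dev-001", "api.example.net"),
    ("dev-002", "update.bad-domain.example"),
    ("dev-003", "cdn.example.com"),
    ("dev-004", "tracker.bad-domain.example"),
    ("dev-004", "cdn.example.com"),
    ("dev-005", "www.example.org"),
]

# Constructed mobile blacklist (MBL); entries cover the domain and its subdomains.
MOBILE_BLACKLIST = {"bad-domain.example"}


def is_blocklisted(domain, blocklist):
    """True if domain or any parent domain (on a label boundary) is listed."""
    labels = domain.lower().rstrip(".").split(".")
    # Check every suffix: "a.b.c" -> "a.b.c", "b.c", "c"
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def contact_rate(records, blocklist):
    """Return (total_devices, flagged_devices, percent) over unique devices."""
    seen, flagged = set(), set()
    for device, domain in records:
        seen.add(device)
        if is_blocklisted(domain, blocklist):
            flagged.add(device)
    pct = 100.0 * len(flagged) / len(seen) if seen else 0.0
    return len(seen), len(flagged), pct


def flagged_contacts(records, blocklist):
    """Map each flagged device to the sorted blacklisted domains it queried."""
    hits = defaultdict(set)
    for device, domain in records:
        if is_blocklisted(domain, blocklist):
            hits[device].add(domain)
    return {device: sorted(domains) for device, domains in hits.items()}


if __name__ == "__main__":
    total, hit, pct = contact_rate(PASSIVE_DNS, MOBILE_BLACKLIST)
    print(f"{hit} of {total} devices contacted MBL domains ({pct:.4f}%)")
    print(flagged_contacts(PASSIVE_DNS, MOBILE_BLACKLIST))
```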
