Mobile Antivirus: FUD, Fact and Fiction
Is mobile antivirus just a myth? I would say it is more of a “legend,” where facts have been distorted, or exaggerated to craft a more sensationalistic story.
A true “antivirus” for mobile devices is currently not possible given the SDKs (software development kits) and access provided to developers by most mobile platforms. In the mobile security space there are more than a few companies selling what they like to call “antivirus” applications for smartphones.
The problem is that the term is being used erroneously – sadly I believe it’s no accident.
Virus You Say?
A virus, as it relates to any computing device, is a form of software that can replicate itself by way of documents and executable files in order to infect other devices, either automatically through a network or through a storage device such as a flash drive. The end goal of most viruses is the corruption of data and/or the damaging of the operating system.
In order to detect and mitigate real viruses, a software solution would need to be capable of running as a root process on a system, something that is just not possible on most mobile platforms currently where applications typically run in a sandboxed environment.
Mobile antivirus solutions rely on signature detection at best. Take for example the fact that none of the Android antivirus apps on the market can provide any zero-day protection. The best they can do is to monitor for a package to be installed, then do simple signature-based check.
If there were an actual kernel exploit in the wild, that sandboxed third-party app would not protect the device. In fact nothing short of an update patch from Apple, Google, OEM or mobile operator would suffice. These are exploits and not viruses, a result of bugs in code, not malicious applications. The ACLU has recently filed an FTC complaint regarding carriers failing to warn customers of unpatched security flaws, or provide a way for consumers to update their devices.
Semantics of Fear
Applications claiming to be “antivirus” are merely detecting what has the potential to be malware, something that a developer of an application may have snuck into the software code that is meant to steal data or interact with the device in such a way as to cause it to send premium SMS messages at the victim’s expense. This is more correctly defined as being a Trojan or form of spyware, but given the years of conditioning by security firms “Virus” sounds a lot scarier.
Although these detection capabilities may be marginally useful to the end user, they do not by any stretch of the imagination fit the definition of an “antivirus” or replace common sense – that is to say, being cautious about which applications you download and then carefully reviewing the permissions for each application if you do install it.
Does that “Barney Wallpaper” app you download really need access to your contacts, call history and location?
There have been many suspect applications that have been removed from the various markets and both Google and Apple, and there are other forms of malware like Zeus and SpyEye that have been employed in toolkits aimed at harvesting banking credentials, but for the most part there have been no wide-scale self-replicating viruses targeting the most popular smartphone platforms.
Most mobile malware is deployed using repackaged legitimate apps that are downloaded from outside the mainstream app stores, most phones have a setting that blocks those apps from being installed.
Who Can You Trust?
So why do these companies call their products an “antivirus” when it isn’t? The simple answer is marketing.
Like all good social engineers, marketers know that the general population doesn’t know the true definition of antivirus, nor do they understand that the access a developer has on a mobile device is quite different from that on their laptops.
The term is ingrained in our heads as meaning “protection” from years of security firms pushing the term on us for our computers. To make matters worse, these companies tend to amplify threats in their marketing materials by employing generous amounts of FUD (Fear Uncertainty and Doubt ), often feeding baseless statistics from their own “research” to the press to generate hysteria, all the while hoping reporters don’t check up on their “facts.” Unfortunately, most don’t.
Many of the reports of mobile malware “on the rise” are less dramatic in real-life once you dig into the facts, but they sure make great headlines. These reports once you dig into them are usually coming from companies that have a horse in the race, as they offer a mobile antivirus product.
The false sense of security these “antivirus” applications try to provide is can be irresponsible. Promising to protect us from “viruses” can be more dangerous than the “viruses” themselves, as it may convince someone they don’t need to install a critical security patch from their vendor, as they might believe a third-party application is protecting them from malware, when in fact it is not.
Am I saying that there is no such thing as a virus affecting mobile? No. In fact the risk increases in parallel with the growth of the smartphone market. However, the current applications available in your traditional app store will marginally protect you from real threats.