Software vulnerabilities are the food that keeps viruses, malware and other attacks alive, right? If that’s the case, you’d expect that the software with the most vulnerabilities would also be the software facing, proportionally, the most attacks.
But data on mobile malware released this week by the security firm Symantec throws those assumptions on their head, and raises important questions about the conditions that contribute to malicious activity.
Symantec Corp.’s Internet Security Threat Report (ISTR) for 2012 was released on Tuesday. Buried among the data on targeted attacks and data breaches is some very interesting data on mobile vulnerabilities and malware. Of 108 new malicious programs for mobile devices identified in 2012, Symantec found, 103 – more than 95%)- targeted Android devices. Just one mobile threat targeted Apple’s iOS operating system during the same period.
If you assumed that was because Android was the operating system with the most exploitable vulnerabilities, you would be wrong. In fact, just the opposite is true. It’s Apple’s iOS that was the source of almost all the documented mobile application vulnerabilities among the mobile platforms Symantec monitored, including Android, iOS, Blackberry, Windows Mobile and the like. iOS accounted for 387 of 415 documented vulnerabilities across all mobile platforms – a bit more than 93 percent, found.
How can that be? How does the more secure operating system end up being the target of the lion’s share of attacks and malware? Symantec merely notes that most mobile attacks don’t rely on operating system vulnerabilities, therefore there’s no necessary correlation between attacks and exploitable security vulnerabilities.
That’s true, as far as it goes, but I think the folks in Cupertino are missing a bigger point. I think the answer is that cyber “crime” (broadly defined) is at least as complex as real world crime, and its root causes are equally complex. The Symantec data on mobile vulnerabilities and mobile malware suggests that the “broken windows theory” – an oft-cited theory of the causes of criminal and anti social behavior – may be at work in the mobile device space.
That theory, which was spelled out in a 1982 article in the magazine The Atlantic by social scientists James Q. Wilson and George Kelling. Kelling was later hired by The New York City Transit Authority in 1985, where it inspired future NYTA head William Bratton. He was also hired by the Boston and Los Angeles Police Departments who were interested in his ideas about stemming crime by ratcheting up policing of “quality of life” crimes like graffiti, fare dodging and – famously – unsolicited “window washing.” Crime rates started going down – and have kept going down ever since.
Now Google is making the mistakes of urban police forces and politicians in the 1960s and 70s, when crime rates took off: turning a blind eye to small security incidents, infractions and abuses. That lax security is attracting the attention of those inclined to do ill, but wary of getting caught.
We’ve already talked about this same principle in the context of the Google Chrome store, but the problem is orders of magnitude worse with Android. For one thing, there are hundreds of millions of individuals around the globe using Android devices. Beyond that, Android devices are likely to hold more sensitive data and applications than you’ll find on the Chrome Web store. Mobile banking and e-commerce applications provide access to bank and credit card accounts, SMS provides a way to siphon money from a user by way of dodgy premium texting services, and then there are the reams of data: e-mail, photos and documents that many smart phone power users are storing.
Google has done a superlative job building a secure operating system to manage all those sensitive applications. Symantec noted only 13 documented security vulnerabilities affecting Android in all of 2012 – a far cry from the 387 found and documented in iOS. The problem for the company is that the company made a (bad) decision years ago to cede control over Android to its business partners: the carriers and handset makers that sell mobile phones. That was all in the interest of fostering growth. That strategy surely worked. Around 70 percent of new smart phones shipped globally run Android, compared to 21 percent for iOS. (http://techland.time.com/2013/04/16/ios-vs-android/)
That has meant putting security in the hands of those same business partners, even though they don’t bear any of the costs or reputation damage from hacked or compromised devices. You don’t, after all, read headlines saying that “malware spreading on Verizon phones,” or “malicious apps targets AT&T phones.” You hear about attacks on Android. The carrier and handset maker, except in rare cases, don’t warrant mention.
Those partners have turned a blind eye to the kind of basic “policing” that needs to be done to keep the mobile ecosystem safe. While Google reliably pushes out operating system updates, handset makers and carriers drag their feet distributing those updates to vulnerable customers – worried, perhaps, about service disruptions or other support issues that might result. The latest data from Google highlights the challenge facing the company, with just over 16% of Android users running Versions 4.1 or 4.2 the latest versions of the OS, dubbed “Jelly Bean” more than six months after its release. In contrast, 44% of Android users are still running the “Gingerbread” release – Versions 2.3.3 through 2.3.7, a two year-old version of the operating system that has known security vulnerabilities. Add to that the proliferation of third party Android application stores, which operate with little or no oversight, and you have a mobile environment with lots of “broken windows.”
Symantec said 2012 saw a 58 percent increase in mobile malware families compared to 2011. Fifty nine percent of all mobile malware to-date was discovered in 2012. The number of variants within each family has also increased dramatically, from an average ratio of variants per family of 5:1 in 2011 to 38:1 in 2012. Malware authors, Symantec concluded, are spending more time repackaging or making minor changes to their threats, in order to spread them further and avoid detection. Almost all this malware, it must be noted, is for Android.
The situation has become so pronounced that the American Civil Liberties Union is calling on the FTC to take action against carriers – essentially asking them to force carriers to start patching vulnerable customer devices, or at least allow customers to have a free upgrade to a fully patched device.
Given the FTC’s recent history of rather toothless enforcement, we’re not likely to see multi-billion dollar telecommunications firms and their friends in Congress leap to the task of setting the Android marketplace to rights. Faced with such a diffuse problem, Google may need to take matters into its own hands: fixing the broken windows and cleaning up the virtual abandoned lots in its mobile ecosystem unilaterally to protect its own brand. The company could ban third party application stores, toughen identification requirements for mobile application developers and hammer out agreements with their partners to make sure that operating system updates are available to Android users in a timely manner. Stay tuned.