The creation of Android malware is now mature enough for there to be development cycles that mimic those of the legitimate software world, a report from Juniper Networks has concluded.
According to the firm’s annual survey of the field (registration required), the ‘high’ season for new mobile malware during 2012 ran between roughly November and February, with a marked drop-off in volume over the late spring and summer.
The firm admits that it can only guess why this happened but believes it could be connected to a ‘productisation’ of the malware market as criminals targeted new devices sold during the peak Christmas season.
Overall volume rose from 39,000 malware samples in Q1 2012 to 276,000 in the same quarter of 2013, a daunting rise in numbers even if still small compared to the levels of activity affecting Windows desktops.
One important consolation is that mobile malware is considerably less sophisticated than Windows equivalents, with nine out of 10 malware samples falling into only two attack methods – premium SMS fraud (which includes fake Trojan apps) and data theft.
The overwhelming majority of these threats come from third-party app stores, of which there are around 500 globally, three fifths of them aimed at Chinese and Russian consumers; the US hosts 76. Almost all are Android-oriented, although the owners of the several million jailbroken iOS phones also put themselves at a smaller risk by relying on non-Apple channels for apps.
Juniper said it believed that Android was now well on its way to reproducing the monoculture of Windows, with knock-on consequences for security.
Google’s ability to defend its platform was made more difficult by the fragmentation that marked the OS’s early commercial development. Eight out of 10 threats could be neutralised by more regular updates, something Google is undoubtedly aware of; only 4 percent of Android devices currently run the latest version of the OS, Juniper said.
The boom in mobile malware hinted at the ease with which criminal organisations could attract programming talent, the firm said. This contrasted with the difficulty businesses had in hiring the parallel cyber-security talent needed to fight back.
“While the UK is struggling to nurture talent to fill the cyber-security skills gap, the black market is booming with mobile malware developers,” argued Juniper’s UK and Ireland vice president, Mark Quartermaine.
“As these attacks become more and more multi-faceted, organisations need to recruit the right talent and deploy intelligent security solutions to ensure they have robust protection against next-generation threats,” he said.
It’s not clear that the two talent pools are necessarily the same, but that doesn’t mean pay and conditions don’t play a part in some countries.
“If you’re a newly qualified computer science graduate, the perception that jobs are hard to come by combined with the stuffy image corporate environments are lumbered with can make it an unappealing career prospect,” suggested Oliver Crofton, ethical hacker and co-founder, Vigilante Bespoke.
“Compare that with writing some malicious code from the comfort of your own bedroom, high tax-free earnings, hours you can pick and choose, and the likelihood of going to prison almost zero; it’s no wonder cyber-crime is booming.”