Mobile malware crisis? Not so fast

There's been a flurry of coverage of mobile malware over the past few days, including two separate reports declaring both 2011 and 2012 "the year of mobile malware.

Much of that worry flared up following a Juniper Networks report last week asserting that Android malware has increased 472 percent since July--on top of a 400 percent jump between 2009 and the summer of 2010.

Android's open app marketplace is at the root of that problem, Juniper concludes.

'You Should Be Ashamed'

Not everyone is buying it, however. Chris DiBona, Google's open-source programs manager, last week used Google+ to expound his own views on mobile malware, and they're nothing if not opposed to the ones currently in wide circulation.

"Virus companies are playing on your fears to try to sell you bs protection software for Android, RIM, and iOS," DiBona charged. "They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM, or iOS you should be ashamed of yourself."

'They Haven't Gotten Very Far'

The malware that has afflicted the major smartphone platforms so far doesn't compare with what Windows and some Mac machines have seen, DiBona explained.

"There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels," he wrote. Linux desktops, meanwhile, have avoided significant problems, he added.

It's not that viruses aren't possible on mobile platforms, DiBona noted. They aren't probable, however, thanks to barriers preventing the spread of such programs from one phone to another, he said.

'Much More Than Just Antivirus'

Both iOS and Android use Webkit-derived browsers, are based on open source kernels, use numerous open source libraries, and depend on the GNU Compiler Collection (GCC), he added. In addition, "all the major vendors have app markets, and all the major vendors have apps that do bad things, are discovered, and are dropped from the markets."

Policy engines, meanwhile--or tools for managing devices from an corporate IT department--are "not the same thing at all," DiBona pointed out. But when vendors of such products add virus protection, "that part is a lie," he charged. "Tell your vendor to cut it out."

Security providers, not surprisingly, have disputed DiBona's claims.

"What @cdibona is missing is that these tools do much more than just Antivirus: Antitheft. Remote lock. Backup. Parental control. Web filter," tweeted F-Secure's Mikko Hypponen, for example.

An Exaggerated Picture

DiBona has a good point when he notes that mobile malware still pales in comparison with the Windows malware that has plagued--and continues to plague--the computing world.

It's also important to remember that many of the statistics to emerge recently sound a lot more alarming than they are, given that they're comparing today's malware situation with a base of essentially zero, when mobile platforms first emerged.

If Android started out with one instance of malware and then grew to six, that could be described as a drastic 500 percent increase while still remaining relatively insignificant, as my colleague Tony Bradley points out.

Finally, I also agree with DiBona that it's wrong to put the blame on open source as the cause of any security problem.

An Exploding Platform

To completely discount the value of efforts to combat mobile malware, however, is extreme. Given the rate at which mobile platforms in general are growing, it seems a pretty safe prediction that malware is going to follow, just as it did on the desktop side.

No operating system is perfectly secure. Even desktop Linux users sometimes install anti-virus software for extra protection, after all.

The majority of Android malware today comes from outside the Android Market, from what I've heard, and never even makes it onto most users' radar. It's also unlikely to spread.

Will that remain the case? Maybe, or maybe not. In the meantime, it doesn't seem like a bad thing to have people on top of it - just so long as we can keep their warnings in perspective.