
You're More Likely to be Struck by Lightning Than Infected With Mobile Malware

Security company Damballa says that mobile malware is over-hyped, but there is something strange going on with mobile devices.

By Max Eddy
April 22, 2015

At the RSA 2015 conference, researchers from security firm Damballa announced that, in the United States, you're much more likely to be struck by lightning than infected with mobile malware. While this supports a previous study carried out by the company, Damballa did find something very strange happening on mobile devices.

Tracking Malicious Traffic
Damballa's business is automated breach defense based on big data analytics. While working with a major U.S. wireless carrier, Damballa was able to compare traffic data to known malicious URLs extracted from some 70,000 mobile malware samples. "It was a bit of a manual process to remove the common domains that probably aren't associated with malware," explained Senior Scientific Researcher Charles Lever. "It was painful."

In their research, Lever said that Damballa did not have access to the payloads of these transmissions, just the URLs. The company made it clear that it had no visibility into customer data.

The scope of Damballa's study is enormous, covering some 151 million devices per day, up from 25 million when the company carried out the study in 2012. The company said that this amounted to 50 percent of mobile data traffic in the U.S. But of these, the company saw only some 9,688 devices reaching out to URLs associated with mobile malware.

That works out to 0.0064 percent of the devices contacting malicious URLs. In the company's press release, Damballa said that the National Weather Service's official odds of being struck by lightning were significantly higher, at 1.3 percent.

Safe Haven
Lever said that the study's conclusions supported the notion that while mobile malware has been much discussed in security circles (and by this author). "We're finding lots of malware samples, but I am not sure these samples are making their way onto their devices," said Lever.

"We have strong first-party markets in the U.S.," continued Lever, referring to the Apple App Store and the Google Play store. He said that those stores have good security measures that have kept out the worst actors, and include tools that allow Apple and Google to remotely disable or remove malicious apps that might find their way onto users' devices.

Of course, Damballa's study does have limitations. It is, for instance, focused on potentially malicious network traffic rather than actual malicious installations on mobile devices. It also only covers half of the U.S., which leaves much of the world unaccounted for. Lever said that it is possible that mobile malware infections could be much higher outside the U.S. "I could see it being higher but I couldn't say that empirically," said Lever.

Interestingly, of the malicious mobile traffic that Damballa observed, most of it would be characterized as adware.

Shadowy Traffic
But while mobile malware didn't make a big showing in Damballa's study, something else did. In addition to traffic that was associated with mobile malware, Lever explained that Damballa also tracked requests from mobile devices to other types of malicious infrastructure. This could be infrastructure for desktop malware, phishing operations, botnets, and so on. These requests to shady parts of the Internet by mobile devices were, Lever explained, significantly more numerous than requests to mobile malware URLs.

How much larger? By several orders of magnitude. Damballa reported 100,000 requests associated with mobile malware, which it traced to those 10,000-odd devices. It tracked 100 million requests to sites that appeared to be drive-by downloads, and 1 billion (with a "b!") requests associated with malware that targets the desktop. Again, these requests are all coming from mobile devices.
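To make the matching described above concrete, here is an added toy example (not Damballa's code; every domain, device and request below is constructed) that strips "common" domains out of indicators extracted from malware samples before matching them against carrier-side request logs, then reports requests and distinct devices per infrastructure category:

```python
"""Toy version of the study's matching step. Indicator domains come from
malware samples and are tagged by infrastructure type; domains that benign
apps also contact (CDNs, ad networks) are removed before matching, because
leaving them in inflates both request and device counts. All data is made up."""
from collections import defaultdict

# Hypothetical domains pulled from malware samples, tagged by category.
SAMPLE_DOMAINS = {
    "mob-c2.example": "mobile_malware",
    "dl-kit.example": "driveby",
    "win-bot.example": "desktop_malware",
    "cdn.example": "mobile_malware",   # also fetched by legitimate apps
    "ads.example": "mobile_malware",   # common ad network
}

# Domains seen across most devices' traffic: benign noise, not indicators.
COMMON_DOMAINS = {"cdn.example", "ads.example"}

# Constructed request log of (device_id, domain) pairs from five devices.
REQUESTS = [
    ("d1", "cdn.example"), ("d1", "mob-c2.example"),
    ("d2", "cdn.example"), ("d2", "ads.example"),
    ("d3", "ads.example"), ("d3", "dl-kit.example"), ("d3", "dl-kit.example"),
    ("d4", "win-bot.example"), ("d4", "win-bot.example"), ("d4", "win-bot.example"),
    ("d5", "cdn.example"),
]

def build_indicators(sample_domains, common_domains):
    """Drop domains that are common in benign traffic from the indicator set."""
    return {d: cat for d, cat in sample_domains.items() if d not in common_domains}

def summarize(requests, indicators):
    """Return {category: (request_count, distinct_device_count)}."""
    req_count = defaultdict(int)
    devices = defaultdict(set)
    for device, domain in requests:
        cat = indicators.get(domain)
        if cat is None:
            continue
        req_count[cat] += 1
        devices[cat].add(device)
    return {cat: (req_count[cat], len(devices[cat])) for cat in req_count}

def infected_fraction(requests, indicators, category="mobile_malware"):
    """Share of all observed devices that contacted a domain in `category`."""
    all_devices = {d for d, _ in requests}
    hits = {d for d, dom in requests if indicators.get(dom) == category}
    return len(hits) / len(all_devices)
```

Running `infected_fraction` with the unfiltered `SAMPLE_DOMAINS` flags four of the five devices; with the common domains removed it flags one, which is the false-positive effect the "painful" manual cleanup exists to avoid.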

Lever said that although these shady requests from mobile devices are "significantly larger than what we're seeing for mobile malware," their cause is largely unknown.

Lever suggested that some of the traffic could be coming from mobile users falling victim to phishing sites. Other security experts have suggested that phishing might be easier on mobile devices because the comparatively small screen cuts off suspicious-looking URLs and the lock icon associated with an SSL connection is not visible.

Throughout the conversation, Lever remained largely optimistic about mobile security, but when discussing these unusual findings, he took a decidedly negative turn. He said that while whatever was causing this enormous amount of suspicious network traffic might not be an issue today, it could be in the future. Or it may even be the result of currently unknown malicious applications.

"It's a large area of risk that isn't being well studied right now and could use more research to find out what this is," said Lever. "Is it phishing? Is it spam? What is the breakdown? And how much of it does currently affect mobile devices and how much could in the future?"

Hopefully future research will be able to put this puzzle together.

Image via Flickr user John Fowler


About Max Eddy

Lead Security Analyst

Since my start in 2008, I've covered a wide variety of topics from space missions to fax service reviews. At PCMag, much of my work has been focused on security and privacy services, as well as a video game or two. I also write the occasional security columns, focused on making information security practical for normal people. I helped organize the Ziff Davis Creators Guild union and currently serve as its Unit Chair.
