I participated in a Twitter chat last week premised on the notion that mobile malware exists, and we discussed what you can do to prevent it on your devices. The notion of malware on mobile devices has been around for a while, and every three to six months, you see an article proclaiming that the last quarter or so has seen even more mobile malware in the wild.
These articles scream out facts like there were more than 90,000 pieces of malware detected last year, and they quote a security vendor or consultant about best practices for protecting your devices. They tell you the majority of malware is Android-based, but there is some iOS malware as well. After these stories come out, you can expect Microsoft and BlackBerry to trumpet the fact that they have little or no malware, so you should really think of moving to their mobile platforms.
Are you sufficiently scared yet? Good -- you're supposed to be. But you shouldn't be.
The problem is you're sitting in a field of cow patties while a bunch of journalists and vendors compete to see who can throw one the farthest. It's all a bunch of crap designed to get you to buy software that claims to protect you from these threats. In most cases, this software does absolutely nothing but slow down your mobile device. If you have an iOS device, the software can't even scan what's happening in other apps, so it's useless. (Apple blocks such app inspection, so malware can't jump from app to app, which is why iOS is rarely compromised by malware.) If you have an Android device, it is also dubious whether malware detection software actually works.
This doesn't mean malware doesn't exist or isn't an issue. It just means we have to adjust the perch that we are looking from. These days, the majority of the malware is not in either the Apple App Store or the Google Play store. Apple has been vigilant about malware and has a very good record of keeping it out of its store. Google was not so vigilant, so its store hosted a lot of malware, but in the last year Google has ramped up its efforts to keep the malware out.
If you get malware on your mobile device, it won't be from the Apple App Store, and it's increasingly unlikely to be from Google Play.
If you have an iOS device, you're going to get infected with malware if you jailbreak the device and start "sideloading" apps. Some people do this to get pirated apps; others do this to get apps with more functionality. The problem is that no one checks these apps, and it is very easy for someone to add malware to one.
Android, on the other hand, gives users the ability to sideload apps by simply unchecking a settings option -- no jailbreaking ("rooting," in Android parlance) required. Users have good reason to sideload apps this way: The Amazon.com app store, for example, requires this setting to be unchecked to deliver Amazon's Kindle-oriented apps to an Android device. When it comes to Android, there are hundreds of app stores, any of which could have malware.
This is why the areas with the highest prevalence of malware are in Asia and Eastern Europe, where there are high proportions of Android users and many third-party app stores that either have some malware or are really malware honeypots. A recent example involved a group of Tibetan activists hit with Android malware sent through a phishing email that contained an app allowing the activists to send free messages over the Internet. Once the activists installed the app, their devices were compromised.
The secret to avoiding malware is simple: Instruct your users to download apps only from known sources. Discourage them from jailbreaking or rooting their device, and perhaps use MDM tools that detect such jailbreaking or rooting and block their access to your network. Warn them about the perils of sideloading apps from outside the Apple App Store or Google Play.
In short, educate your users. Explain to them what they risk if they don't use their common sense to protect themselves. Tell them, "Yes, those really could be naked pictures of Anna Kournikova that your mom or your boss sent you, but most likely it's a piece of malware you shouldn't click."
Yes, malware writers will get more sophisticated and find new ways to infect your devices, but for now a little common sense and reason will go a long way toward minimizing the risk.