A Study Of Mobile Malware Computer Science Essay


The pace of innovation in mobile phone applications and services has accelerated over the last two decades, largely because of the influence of the Internet on telecommunications. As Internet use on mobile phones has grown, so have the threats against the phones and their services: these services are now attacked both by malicious software and by human attackers. The growth of wireless applications has turned the mobile phone into far more than a voice communicator, extending its functionality and features while keeping the device small enough to fit in a pocket. With the advancement of technology, phones sold today include not only a camera but also extensive online access, keyboards and the other typical computer functions.

Today's mobile phones are nearly as capable as computers and laptops and ship with comparable features. Along with this technological advance has come the development of cyber-criminal fraud operations and the spread of mobile malware. In this paper I discuss the security aspects of mobile devices and mobile malware, the vectors used to spread it, the solutions that minimize the risk from emerging mobile threats, and the mitigation of the different types of attacks on mobiles.



1.1 Mobile Devices and Malware

Mobile handsets are increasingly used to access services such as messaging, video/music sharing, and e-commerce transactions that have been previously available on PCs and servers only. However, with this new capability of handsets, there comes an increased risk and exposure to malicious programs (e.g., spyware, Trojans, mobile viruses and worms) seeking to compromise data confidentiality, integrity and availability of handset services.

Malware targeting mobile devices uses traditional social-engineering techniques (email and P2P file sharing) as well as vectors unique to mobile devices such as Bluetooth and SMS (Short Message Service) messages, described below. The past three years alone have witnessed an exponential rise in the number of distinct mobile malware families, to over 30, and of their variants, to more than 170. This malware can spread via Bluetooth and SMS/MMS messages, enable remote control of a device, modify critical system files, damage existing applications including anti-virus programs, and block MMC memory cards, to name a few.

Studying such viruses, their capabilities, their infection models and the vulnerabilities they typically exploit, is therefore an important area of research. The mobile viruses discovered so far have caused little damage because they require explicit user interaction for installation and activation. However, the potential harm from future malicious agents can be more severe: handset downtime, service disruption through Denial-of-Service (DoS) attacks, physical damage to device hardware, and theft of sensitive data on the device.

Like email viruses, these agents may also target SMS/MMS services to distribute spam and phishing messages. Several factors make mobile devices particularly vulnerable to future mobile viruses. First, recognizing customer demand for data-rich cellular services, carriers around the world have been deploying 3G (third-generation cellular) systems at a rapid pace. Currently, there are more than 130 3G networks [66] (WCDMA and CDMA2000 1x EV-DO) worldwide.

Many of these networks offer real-world data rates of 1.4 Mbps for download and 128 Kbps for upload. Download rates are expected to rise to 7.3 Mbps in early 2008 and 10.2 Mbps in 2009. At these rates, mobile users will be able to run many feature-rich applications on their mobile devices that traditionally required access to a high-speed enterprise network. The processing power (CPU speed and storage capacity) of handheld devices is also increasing rapidly.

Many smart phones already run a full-fledged OS such as Symbian, Windows Mobile or Palm OS, allowing users to download a wide variety of applications. Almost all of these OSs support services such as email and SMS/MMS, and application development in C++ and Java. Consequently, malware writers increasingly find it easy to write device-generic but vulnerability-specific malware for mobile devices. As a result, the current count of known mobile malware stands at 100, up from only 10 in all previous years combined.

While there are a number of approaches to containing Internet worms and viruses, only a handful of solutions have been developed for mobile devices. These are limited to lightweight signature-based scanning of the handset file system against a limited set of attack signatures. Although such an approach is acceptable today because of the limited number of mobile viruses discovered to date, signature-based solutions are clearly not memory efficient and do not scale well when dealing with a large number of malware signatures and their variations.

Another serious scalability problem is that a mobile device may receive malware whose payload targets both wired and wireless devices, i.e., "crossover" malware. Messages and data on handsets must therefore be scanned for both mobile and regular malware, which requires searching a very large database of known signatures. Because of limited CPU power, storage and memory, installing large signature databases is not an option for mobile devices. There is therefore a pressing need to detect malicious agents on handsets by alternative means.

1.2 Objective

Our main contribution in this paper is to overcome these two challenges in the mobile operating environment. The starting point of our approach is to generate a catalog of malicious behavior signatures by examining the behavior of current-generation mobile viruses, worms and Trojans that have so far been reported in the wild. We specify an application behavior as a collection of system events and resource-access attempts made by programs, related to one another by a temporal logic called the temporal logic of causal knowledge (TLCK). Monitoring system-call events and file accesses has been used successfully in intrusion detection and backtracking [28]. (Chen, 2005; S. Forrest, 1996)

In our approach, we reconstruct higher-level behavior signatures online from lower-level API calls, much as individual pieces are assembled into a jigsaw puzzle. The TLCK-based behavior specification addresses the first challenge of behavioral detection by providing a compact "spatial-temporal" representation of program behavior. The next step is fast and accurate reconstruction of these signatures at run time by monitoring system calls and resource accesses, so that appropriate alerts can be generated. (J. Cheng, 2007)

This overcomes the second challenge for deployment of behavioral detection on mobile handsets. In order to detect malicious programs from their partial or incomplete behavior signatures (e.g., new worms that share only part of their behavior with known worms), we train a machine-learning classifier, a Support Vector Machine (SVM), on both normal and malicious behaviors, so that partial signatures of malicious behavior can be correctly distinguished from those of normal applications running on the handset. For real-life deployment, the resulting SVM model and the malicious signature database are preloaded onto the handset by either the handset manufacturer or a cellular service provider. These are updated only when new behaviors (i.e., not minor variants of current malware) are discovered. The updating process is similar to how anti-virus signatures are updated by security vendors; however, since totally new behaviors are far fewer than new variants, the updates are not expected to be frequent. (Shawe-Taylor, 2000)
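As an added illustration of the detection pipeline sketched above (example code written for this page, not the paper's TLCK engine or its SVM), the following Python script specifies three malicious behavior signatures as ordered chains of high-level events that must occur within a causal window, scores how much of each chain a handset event trace reconstructs, and trains a small perceptron in place of the SVM on constructed normal and malicious traces. An unseen variant that shares only part of two signatures is still classified as malicious. The event names, signatures, window and all traces are assumptions made for the example.

```python
"""Behavioral signature matching over handset event traces.

Example code written for this page (not the paper's TLCK engine or SVM).
Event names, signatures, the causal window and all traces are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: int        # seconds since boot (constructed timestamps)
    name: str     # high-level system event, e.g. "MMS_RECV"


# A behavior signature is an ordered chain of events: each atom must occur after
# the previous one and within WINDOW seconds of it (a crude stand-in for the
# temporal/causal relations the paper expresses in TLCK).
WINDOW = 120
SIGNATURES = {
    "mms_worm":   ["MMS_RECV", "SIS_INSTALL", "ADDRBOOK_READ", "MMS_SEND"],
    "bt_worm":    ["SIS_INSTALL", "BT_DISCOVER", "OBEX_SEND"],
    "sms_dialer": ["SIS_INSTALL", "SMS_SEND", "SMS_SEND", "SMS_SEND"],
}


def match_fraction(events, atoms, window=WINDOW):
    """Greedy in-order match of `atoms` against a trace; returns the fraction of
    the signature that was reconstructed (1.0 = full chain observed)."""
    events = sorted(events, key=lambda e: e.t)
    i, matched, last_t = 0, 0, None
    for atom in atoms:
        found = False
        while i < len(events):
            e = events[i]
            i += 1
            if last_t is not None and e.t - last_t > window:
                return matched / len(atoms)      # causal window expired
            if e.name == atom:
                matched, last_t, found = matched + 1, e.t, True
                break
        if not found:
            break
    return matched / len(atoms)


def features(events):
    """Feature vector: partial-match score for every signature in the catalog."""
    return [match_fraction(events, atoms) for atoms in SIGNATURES.values()]


def train_perceptron(samples, epochs=50, lr=0.1):
    """Linear classifier standing in for the paper's SVM; samples are
    (feature vector, label) with label +1 = malicious, -1 = normal."""
    w, b = [0.0] * len(samples[0][0]), 0.0
    for _ in range(epochs):
        for x, y in samples:
            pred = 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else -1
            if pred != y:
                w = [wi + lr * y * xi for wi, xi in zip(w, x)]
                b += lr * y
    return w, b


def classify(model, events):
    w, b = model
    score = sum(wi * xi for wi, xi in zip(w, features(events))) + b
    return "malicious" if score > 0 else "normal"


def ev(*pairs):
    return [Event(t, name) for t, name in pairs]


# Constructed training traces (labels: -1 normal, +1 malicious).
TRAINING = [
    (ev((5, "SIS_INSTALL")), -1),                                    # user installs an app
    (ev((10, "MMS_RECV"), (20, "ADDRBOOK_READ")), -1),               # reads an MMS, looks up sender
    (ev((10, "SMS_SEND"), (300, "SMS_SEND")), -1),                   # two texts, minutes apart
    (ev((5, "SIS_INSTALL"), (40, "BT_DISCOVER")), -1),               # installs app, pairs a headset
    (ev((0, "MMS_RECV"), (5, "SIS_INSTALL"), (6, "ADDRBOOK_READ"),
        (7, "MMS_SEND"), (8, "MMS_SEND")), 1),                       # full MMS worm chain
    (ev((0, "SIS_INSTALL"), (3, "BT_DISCOVER"), (9, "OBEX_SEND")), 1),   # Bluetooth worm
    (ev((0, "MMS_RECV"), (4, "SIS_INSTALL"), (5, "ADDRBOOK_READ")), 1),  # partial (new variant)
    (ev((0, "SIS_INSTALL"), (1, "SMS_SEND"), (2, "SMS_SEND"), (3, "SMS_SEND")), 1),  # SMS dialer
]
MODEL = train_perceptron([(features(e), y) for e, y in TRAINING])

if __name__ == "__main__":
    # An unseen variant sharing only part of two signatures is still flagged.
    unseen = ev((0, "MMS_RECV"), (3, "SIS_INSTALL"), (4, "ADDRBOOK_READ"), (5, "BT_DISCOVER"))
    print(features(unseen), classify(MODEL, unseen))
```

The greedy matcher accepts the first occurrence of each atom, so it can miss a better chain that starts later; the paper's point, that a compact partial-match vector is enough for a classifier to separate new variants from benign applications, is what the block shows, and the window check is what keeps a user who installs an app and sends an MMS an hour later from scoring like a worm.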

1.3 Basic Assumptions/Limitations

This publication is in no way intended to be a complete future prediction or a reference, as the future can never be fully predicted; that's the beauty of it. Instead, its intention is to discuss the possible future trends, backed up by a little speculation, and also to use some of the current ones as a foundation for future developments. Malware authors and antivirus vendors will never stop playing a cat-and-mouse game; that's the nature of the market, but as in any other, there are core factors affecting all the participants, and variables whose movements shape the future direction of events. In this publication, I did my best to cover the most significant ones, expressing entirely my point of view as an independent security consultant.


Mobile handsets, much like PCs, are becoming more intelligent and complex in functionality. They are increasingly used to access services, such as messaging, video/music sharing, and e-commerce transactions, that were previously available on PCs only. However, with this new capability of handsets comes an increased risk and exposure to malicious programs (e.g., spyware, Trojans, mobile viruses and worms) that attempt to compromise data confidentiality, integrity and availability of services on handsets. The first mobile worm, Cabir, appeared in June 2004 targeting Symbian OS, and shortly thereafter the anti-virus industry was startled again by the Windows CE virus WinCE.Duts, the first file infector on mobile handsets, capable of infecting all the executables in the device's root directory. (F-secure, 1997)

The following three years witnessed a considerable increase in the number of both malware families and their variants. By the end of 2006, the known numbers of mobile malware families and variants had increased by 59% and 75% over 2005, reaching 35 and 186, respectively. Although mobile malware has not yet caused a major outbreak, leading some people to think mistakenly that mobile malware exists only in the labs of anti-virus companies, the threat is real and mobile handsets are expected to become the targets of an increasing number of malware. (F-secure, 1997)

For example, in less than one year, infections by both the Cabir and Commwarrior worms were reported in more than 20 countries, and 0.5-1.5% of MMS traffic in one Russian mobile network was made up of infected messages (already close to the fraction of malicious code in email traffic). In response to this increasing threat, a number of handset manufacturers and network operators have partnered with security software vendors to offer anti-virus programs for mobile devices. However, current anti-virus solutions for mobile devices rely primarily on signature-based detection and are thus useful mostly for post-infection cleanup. (F-secure, 1997)

For example, if a handset is infected with a mobile virus, these tools can be used to scan the system directory for files with specific extensions (e.g., .APP, .RSC and .MDL on Symbian devices) typical of a virus payload. However, several important differences exist between mobile and traditional desktop environments, making conventional anti-virus solutions less efficient or even unworkable on mobile devices. First, mobile devices generally have limited resources such as CPU, memory and battery power. Although handset CPU speed and memory capacity have been increasing rapidly at low cost in recent years, they are still far below their desktop counterparts. (F-secure, 1997)

In particular, energy efficiency is the most critical requirement limiting the effectiveness of complex anti-malware solutions on battery-powered handsets. Because the signature-based approach must check whether each signature derived from an application matches any signature in the malware database, it will not be efficient for resource-constrained mobile devices, especially since their malware threats will grow quickly with the soon-to-emerge all-IP mobile devices based on WiBro and WiMAX technologies. The emergence of crossover worms and viruses that infect a handset when it is connected to a desktop for synchronization (and vice versa) requires mobile applications and data to be checked against both traditional and mobile virus signatures. Furthermore, signature-based detection can be evaded by simple obfuscation, polymorphism and packing techniques, so a new signature is needed for almost every single malware variant. (F-secure, 2010; M. Christodorescu, 2005)

All of these limit the extent to which the signature-based approach can be deployed on resource-constrained handsets. Second, most published studies on the detection of Internet malware focus on their network signatures (i.e., scanning, failed connections and DNS requests). However, because of the high mobility of devices and the relatively closed nature of cellular networks, constructing network signatures of mobile malware is very difficult. In addition, the emergence of mobile malware that spreads via non-traditional vectors (i.e., SMS/MMS messaging and Bluetooth) makes possible malware outbreaks whose progress closely tracks human mobility patterns, hence requiring novel detection methods. (Shin, 2006; W. Enck, 2005)

Also, compared to traditional OSs, Symbian and other mobile OSs have important differences in the way file permissions and modifications to the OS are handled. Considering all these differences, we need a new lightweight classifier for mobile handsets that accounts for new malware behaviors. The goal of this work is to develop such a detection framework, one that overcomes the limitations of signature-based detection while addressing the unique features and constraints of mobile handsets. (Shin, 2006)

An alternative to the signature-based approach, behavioral detection, has emerged as a promising way of preventing the intrusion of spyware, viruses and worms. In this approach, the runtime behavior of an application (e.g., file accesses, API calls) is monitored and compared against malicious and/or normal behavior profiles. The malicious behavior profiles can be specified as global rules that apply to all applications, as well as fine-grained application-specific rules. Behavioral detection is more resilient to polymorphic worms and code obfuscation, because it assesses the effects of an application based on more than just specific payload signatures. (W. Enck, 2005)

2.1 Literature Review

Recently, several behavior-based malware analysis and detection techniques have been proposed for desktop environments to overcome the limitations of traditional signature-based solutions. We first compare and contrast our approach with related work in the area of behavior-based malware detection. Besides the difference in target environment (mobile vs. desktop), several important features distinguish our work from previous research. Early efforts, such as the one by Forrest, were designed for host-based anomaly detection. (S. Forrest, 1996)

These approaches observe application behavior in the form of system-call sequences and build a database of all short sequences of consecutive system calls observed in normal applications. Possible intrusions are discovered by looking for call sequences that do not appear in the database. Later work improves the behavior profile by applying more advanced mining techniques to the call sequences, e.g., rule-learning algorithms, finite-state automata and hidden Markov models. All of these share the same concept of representing a program's normal behavior with system calls and detecting anomalies by measuring the deviation from normal profiles. However, because these approaches ignore the semantics of the call sequences, one of their limitations is that they can be evaded by simple obfuscation or mimicry attacks. (Shawe-Taylor, 2000; R. Sekar, 2001)
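To make the system-call-sequence approach and its mimicry weakness concrete, here is an added example (not code from any of the cited papers) of a stide-style n-gram profile in Python: every 3-gram of consecutive calls seen in constructed normal traces goes into a database, and a trace is scored by the fraction of its 3-grams that are absent from it. The constructed worm trace is flagged; the same worm with its two phases reordered so that every 3-gram already occurs in normal behavior scores zero, which is the mimicry attack the paragraph refers to. Call names, traces and the threshold are assumptions.

```python
"""System-call n-gram (stide-style) anomaly detection and a mimicry trace.

Example code written for this page, not from the cited papers. Call names
and all traces are constructed, not captured from a real handset.
"""

N = 3  # n-gram length


def build_profile(normal_traces, n=N):
    """Database of every n-gram of consecutive calls seen in normal runs."""
    db = set()
    for trace in normal_traces:
        for i in range(len(trace) - n + 1):
            db.add(tuple(trace[i:i + n]))
    return db


def anomaly_score(trace, db, n=N):
    """Fraction of the trace's n-grams that never occurred in normal runs."""
    grams = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not grams:
        return 0.0
    return sum(g not in db for g in grams) / len(grams)


def is_anomalous(trace, db, threshold=0.1):
    return anomaly_score(trace, db) > threshold


# Constructed normal traces of a messaging application.
NORMAL = [
    ["open", "read", "read", "close"],                                 # view a message
    ["open", "write", "close", "chmod", "execve", "close"],            # save and install an update
    ["socket", "connect", "write", "read", "close"],                   # send a message
    ["socket", "connect", "read", "close", "open", "write", "close"],  # fetch and cache data
]
DB = build_profile(NORMAL)

# Constructed worm trace: drop and run a payload, then push itself over the network.
ATTACK = ["open", "write", "close", "chmod", "execve",
          "socket", "connect", "write", "read", "close"]

# Mimicry: identical calls, but the two phases are reordered (send first, then
# install) so that every 3-gram already exists in the normal profile.
MIMICRY = ["socket", "connect", "write", "read", "close",
           "open", "write", "close", "chmod", "execve", "close"]

if __name__ == "__main__":
    print("attack ", anomaly_score(ATTACK, DB), is_anomalous(ATTACK, DB))
    print("mimicry", anomaly_score(MIMICRY, DB), is_anomalous(MIMICRY, DB))
```

The detector never looks at what is written, executed or sent, only at the order of call names, which is why a worm that achieves the same effect in an order a legitimate updater also uses passes unnoticed; the behavior-level signatures discussed in this paper are meant to close that gap by tying events to the resources they touch.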

Christodorescu et al. proposed static semantics-aware malware detection, which attempts to defeat code obfuscation by identifying semantically equivalent instruction sequences in malware variants. They apply a matching algorithm to the disassembled binaries to find instruction sequences that match a predefined template of malicious behavior, e.g., a decryption loop. By abstracting away register names and symbolic constants, this approach is resilient to several code obfuscation techniques. (M. Christodorescu, 2005)

However, because it requires exact matching between the template and the application's instructions, attacks using equivalent-instruction replacement and reordering remain possible. Similarly, the approach proposed by Kirda et al. also uses static analysis of application behavior to identify a spyware component in a browser. It statically extracts the set of Windows API calls invoked in response to browser events, and identifies the interactions between the component and the OS via dynamic analysis. Spyware-like behavior is detected if the component monitors user behavior and leaks this information via some API calls. Our approach differs from those mentioned above in several ways. (E. Kirda, 2006)
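An added example (not Christodorescu et al.'s implementation) of template matching with register abstraction, in Python: a decryption-loop template whose register operands are placeholders that must be bound consistently during matching. A variant with renamed registers still matches, while variants that substitute equivalent instructions (inc for add ..., 1; sub ..., 1 for dec) or reorder independent instructions do not, which is exactly the limitation noted above. The template, the x86 register subset and the assembly snippets are constructed for the example.

```python
"""Template matching with register abstraction (semantics-aware detection).

Example code written for this page, not Christodorescu et al.'s tool.
The decryption-loop template and the assembly snippets are constructed.
"""
import re

REG = re.compile(r"^[er]?(ax|bx|cx|dx|si|di|bp|sp)$", re.I)   # assumed x86 subset
IMM = re.compile(r"^(0x[0-9a-f]+|\d+)$", re.I)


def parse(asm):
    """'xor [esi], 0x5a' -> ('xor', ['[esi]', '0x5a']); labels and comments dropped."""
    insns = []
    for line in asm.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line or line.endswith(":"):
            continue
        mnem, _, rest = line.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest.strip() else []
        insns.append((mnem.lower(), ops))
    return insns


# Template for a generic XOR-decryption loop. R1/R2 are register placeholders
# that must be bound consistently; IMM is any immediate; LABEL any jump target.
TEMPLATE = [
    ("xor", ["[R1]", "IMM"]),
    ("add", ["R1", "IMM"]),
    ("dec", ["R2"]),
    ("jnz", ["LABEL"]),
]


def _match_operand(pattern, operand, binding):
    mem = pattern.startswith("[")
    if mem != operand.startswith("["):
        return False
    if mem:
        pattern, operand = pattern[1:-1], operand[1:-1]
    if pattern.startswith("R"):                     # register placeholder
        if not REG.match(operand):
            return False
        return binding.setdefault(pattern, operand.lower()) == operand.lower()
    if pattern == "IMM":
        return bool(IMM.match(operand))
    if pattern == "LABEL":
        return not (REG.match(operand) or IMM.match(operand))
    return False


def find_template(insns, template=TEMPLATE):
    """Offset and register binding of the first exact, contiguous match, or None."""
    for start in range(len(insns) - len(template) + 1):
        binding, ok = {}, True
        for (tm, tops), (im, iops) in zip(template, insns[start:start + len(template)]):
            if tm != im or len(tops) != len(iops) or not all(
                    _match_operand(p, o, binding) for p, o in zip(tops, iops)):
                ok = False
                break
        if ok:
            return start, binding
    return None


ORIGINAL = """
    mov ecx, 0x40
    mov esi, 0x401000
decrypt:
    xor [esi], 0x5a
    add esi, 1
    dec ecx
    jnz decrypt
"""
RENAMED = ORIGINAL.replace("esi", "edi").replace("ecx", "edx")        # register renaming
REPLACED = ORIGINAL.replace("add esi, 1", "inc esi").replace("dec ecx", "sub ecx, 1")
REORDERED = ORIGINAL.replace("    add esi, 1\n    dec ecx\n", "    dec ecx\n    add esi, 1\n")

if __name__ == "__main__":
    for name, asm in [("original", ORIGINAL), ("renamed", RENAMED),
                      ("replaced", REPLACED), ("reordered", REORDERED)]:
        print(f"{name:10s} {find_template(parse(asm))}")
```

Closing the two remaining gaps would require normalizing instructions to their effect on machine state (so that inc and add ..., 1 become the same atom) and matching against a dependency graph rather than a contiguous window; both are exactly the "semantics" that a run-time, behavior-level approach sidesteps by observing what the program does rather than how it is encoded.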

The first difference lies in the definition of application behavior. Our approach observes a program's run-time behavior at a higher level (i.e., system events or resource accesses) than system calls and machine instructions. This higher-level abstraction allows the detection algorithm to incorporate more of the semantics of application behavior, improving resilience to polymorphism and malware variants. Second, our approach employs run-time analysis, which effectively bypasses the need to deal with code obfuscation and also avoids the information loss of the static approach: static analysis often fails to reveal inter-component interactions, and disassembly is not always possible for every binary. (S. Forrest, 1996; Shawe-Taylor, 2000)

Third, in contrast to Forrest's anomaly detection which learns only normal applications' behavior or Christodorescu's misuse detection which matches against only malicious templates, our approach exploits information on both normal programs' and malware's behaviors, and employs a machine learning (instead of exact matching) algorithm to improve the detection accuracy. Since the learning and classification are based on two opposite-side data sets, this approach conceptually combines the anomaly detection with misuse detection and therefore, could strike a balance between false positives and false negatives. (S. Forrest, 1996)

Several existing works also leverage run-time analysis to improve detection accuracy. Lee and Mody collected a sequence of application events at run time and constructed an opaque object to represent the behavior in a rich syntax [46]. Their work is similar to ours in that both apply a machine-learning algorithm to high-level behavior representations. However, their work focuses on clustering malware into families using nearest-neighbor algorithms based on the edit distance between data samples, whereas we focus only on distinguishing normal from malicious programs. (J. J. Mody, 2006)

Moreover, we use a supervised learning procedure to make the best of the available normal and malicious program information, whereas clustering is a common unsupervised learning procedure. Ellis et al. present a novel approach for automatic detection of Internet worms using their behavioral signatures. These signatures were generated from worm behaviors manifested in network traffic, e.g., tree-like propagation and a server turning into a client. Along the same lines, NetSpy performs behavior characterization and differential analysis on network traffic to help generate network-level signatures of new spyware automatically. (D. R. Ellis, 2004)

Our approach differs from the above two in that we focus on characterizing the host-based behavior of mobile malware, incorporating a wide range of system events into behavior signatures. The previous research we have discussed so far dealt primarily with the desktop environment and is therefore not suitable for malware in mobile settings, which is capable of spreading via non-traditional vectors such as Bluetooth and SMS/MMS messages. To the best of our knowledge, this is the first attempt to construct a behavioral detection model for mobile environments. The most relevant to our work is the analysis of mobile viruses and worms (Shin, 2006; Helenius, 2006).

Many well-known mobile viruses and worms, including some of the malware mentioned herein, have been analyzed. Morales et al. tested virus detectors for handsets against Windows Mobile viruses and showed that current anti-virus solutions perform poorly at identifying virus variants. There have also been recent studies modeling the propagation of such malware in cellular and ad-hoc (e.g., Bluetooth piconet) networks. (J. A. Morales, 2006; G. Yan, 2006)

Cheng et al. proposed SmartSiren, a collaborative virus detection and alert system for smart phones. In SmartSiren, a centralized proxy collects the communication activity of a number of smart phones and performs statistical analysis on the collected data to detect abnormal communication patterns, such as excessive daily SMS/MMS usage. (J. Cheng, 2007)


In order to develop robust general-purpose detection and containment methodologies, one must analyze current-generation malware to extract a set of their common behavior vectors. Several research efforts on mobile malware have produced results that have helped, to a limited extent, to reduce attacks and threats, and several recent research activities have yielded findings about the malware that most closely affects mobile devices.

Malware has become the greatest external threat to most systems, causing damage and requiring extensive recovery efforts. Several studies of malware have been carried out, and their results play a major role in this section.

3.1 Analysis of Mobile Viruses:

Malicious agents that specifically target mobile phones and handheld devices are on the rise. The earliest of these were considered harmless since they were not written to spread from one device to another. The most recent mobile viruses, however, are capable of spreading to nearby devices via Bluetooth and therefore pose a more serious threat to enterprise networks. In what follows, we list the most common spreading mechanisms, target platforms and client vulnerabilities of the mobile viruses discovered to date. Further details on them are available on a number of security-vendor web sites. (Symantec, 2000)

One of the earliest viruses written for handheld devices (Palm PDAs), the PalmOS Liberty.A virus (2001), had to be manually installed and executed to become active. The virus deleted all applications and databases on a Palm OS-compatible device. By design, the Liberty virus and similar Trojans are not likely to spread quickly because of their manual infection process, and therefore represent a relatively low threat. (Symantec, 2000)

A virus for Palm OS called Phage (2000) was conceived mostly as a demonstration. It could spread from one PDA to another if infected files were shared via infrared beaming or a docking station, an improvement over manual infection. (Symantec, 2000)

The Spanish Timofonica [105] worm (2000) was programmed to send SMS messages to random GSM phone numbers via a specific SMS gateway. Reported only in Spain, this worm marked the beginning of the more advanced mobile viruses to come: it ran on the infected PC, modified MS Outlook settings and the Windows registry, and propagated via the Outlook email client using stored address-book entries. If the accompanying Trojan code was successfully installed, it also wiped the CMOS memory and Master Boot Record of the infected PC. Worms such as Timofonica are early examples of hybrid mobile malware, since they can spread via both wireless and wired networks. (RAV, 2000)

The Japanese "110" worm (2000) took advantage of a vulnerability in NTT DoCoMo i-mode mobile phones. These phones have a capability similar to the "mailto:" link in HTML: users can automatically dial a number by clicking on the linked number contained in an email or web page. Individual phone numbers in the address book can therefore become victims of DoS attacks. (RAV, 2000)

Most mobile viruses have targeted Nokia Series 60 phones running Symbian OS, primarily because of their popularity and advanced features such as Bluetooth and SMS/MMS services. These viruses can search for nearby Bluetooth-enabled devices using proximity scanning. Note that proximity scanning requires physical proximity (e.g., up to 10 meters for Bluetooth Class 2 devices) between an infected device and a target device, whereas SMS or MMS requires only a network connection between the infected device and the service gateway to send messages and worm payloads to other devices. Like email viruses, mobile viruses use social engineering to entice unsuspecting users to click on infected audio, video or picture attachments. Some examples are: (K. Lab, 2006)

The Mabir (2004) worm spreads by sending a copy of itself, as an MMS, to the senders of newly received messages. The primary damage from Mabir is the transmission of MMS messages. (K. Lab, 2006)

Cabir (2004-2005) and its variants replicate over Bluetooth connections and install the worm payload as a Symbian Installation System (SIS) file. Cabir drains the power of the infected phone as it continually scans for other Bluetooth devices nearby. An outbreak of Cabir was reported at the 2005 World Athletics Championships in Helsinki, Finland, affecting Nokia cell phones. (K. Lab, 2006)

Lasco (2005) propagates over Bluetooth by transferring its payload to any device in range, and also attaches itself to SIS files on the compromised device. (K. Lab, 2006)

Commwarrior (2005) is another worm that propagates by sending messages (with the payload as an attachment) to an MMS-capable phone number randomly chosen from the compromised device's address book, and resets the infected device during the first hour of the 14th of any month. Once it infects a phone, it starts searching for nearby Bluetooth devices to send infected files to. A similar virus, Minuka (2004), finds targets from SMS address books at predetermined web sites. Mos (2005) is a variant of Minuka that dials a premium-rate phone number (e.g., 1-900). (K. Lab, 2006)

Skulls (first seen in late 2004) is a Trojan distributed as a trojanized application; it replaces the icons of, and disables, many default phone applications such as the address book, e-mail viewer and to-do list, and some variants also drop Cabir. Many variants of Skulls have been observed in the wild. (K. Lab, 2006)

Drever (2005) spreads by prompting the user to install what claims to be an update for Symbian OS. The primary damage from this Trojan is disabling Symbian anti-virus programs (SimWorks) on the device. (K. Lab, 2006)

Locknut (2005) is another Trojan, delivered as a SIS package, that overwrites critical system binaries with corrupt files and may crash the OS. It can also drop variants of Cabir on the infected device. (K. Lab, 2006)

Cardblock (2005) is the first known malware to attack the MultiMediaCard (MMC) flash memory of mobile phones. It is a trojanized version of the Symbian application InstantSis, which allows users to repack already-installed SIS files and copy them to another phone. When a user runs the trojanized version, however, its payload blocks the memory card by setting a random password on it and deletes critical system and mail directories. (K. Lab, 2006)

The Redbrowser Trojan (2006) is the first malware targeting J2ME (Java 2 Micro Edition) phones and represents a major evolution in mobile viruses. Instead of focusing on high-end smart phones running Symbian or Pocket PC, it works on the many low-end phones with J2ME support. Redbrowser pretends to be a WAP browser offering free WAP browsing and SMS messages; the social-engineering ploy is to fool the user into allowing it to send SMS messages. In reality it sends a flood of SMS messages to a specific premium number and can therefore cause financial damage to the user. (K. Lab, 2006)

3.2 Attacker Tools

Various types of attacker tools might be delivered to a system as part of a malware infection or other system compromise. These tools give attackers unauthorized access to, or use of, infected systems and their data, or let them launch additional attacks. Popular types of attacker tools are as follows:

Backdoors. A backdoor is a malicious program that listens for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a system, such as acquiring passwords or executing arbitrary commands. Types of backdoors include zombies (also known as bots), which are installed on a system to make it attack other systems, and remote administration tools, which are installed on a system to let a remote attacker access the system's functions and data as needed. (K. Lab, 2006; G. Yan, 2006)

Keystroke Loggers. A keystroke logger monitors and records keyboard use. Some require the attacker to retrieve the data from the system, whereas others actively transfer the data to another system through e-mail, file transfer or other means. (K. Lab, 2006; G. Yan, 2006)

Rootkits. A rootkit is a collection of files installed on a system to alter its standard functionality in a malicious and stealthy way. A rootkit typically makes many changes to a system to hide its own existence, making it very difficult to determine that the rootkit is present and to identify what it has changed. (K. Lab, 2006; G. Yan, 2006)

Web Browser Plug-Ins. A Web browser plug-in provides a way for certain types of content to be displayed or executed through a Web browser. Attackers often create malicious Web browser plug-ins that act as spyware and monitor all use of the browser. (K. Lab, 2006; G. Yan, 2006)

E-Mail Generators. An e-mail generating program can be used to create and send large quantities of e-mail, such as malware, spyware and spam, to other systems without the user's permission or knowledge. (K. Lab, 2006; G. Yan, 2006)

Attacker Toolkits. Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack systems, such as packet sniffers, port scanners, vulnerability scanners, password crackers, remote login programs, and attack programs and scripts. (K. Lab, 2006; G. Yan, 2006)

In addition to malware, there are a few common non-malware threats that are often associated with it. Phishing uses computer-based means to trick users into revealing financial information and other sensitive data, and phishing attacks frequently place malware or attacker tools on systems. An additional malicious-content threat is the virus hoax, a false warning about a new malware threat.

The figure below compares mobile activities with the share of malware activity associated with each.

3.3 Effect of viruses on mobile devices:

Spread themselves via Bluetooth and MMS

Send SMS and MMS messages without the user's knowledge

Infect files

Send infected files to other people under the user's name (via email, WiFi, Bluetooth, etc.)

Delete personal information (e.g., address book, files) or steal confidential information

Disable functions of the phone (SMS, games, camera, etc.) or completely disable the whole device

Allow remote access to the smartphone

Swap file icons and system applications

Change fonts and install additional applications

Fight anti-virus functions

Install other harmful programs

Transfer malicious code from the smartphone to a PC when the two are connected

Lock memory cards

Drain the phone battery much faster than usual

Steal information

CHAPTER 4 Conclusions and Future Work

Malware is a serious threat and the problem is getting worse. Malware authors are becoming more adept at circumventing the billions of dollars of anti-virus, anti-spyware and other endpoint security defenses deployed by organizations of all sizes. At the same time, many anti-virus and anti-spyware tools have not kept pace with the threats: they are less effective at detecting the growing array of threat variants, they impose a heavy burden on system resources, and they are expensive to deploy and maintain. There is therefore a need for high detection rates and proactive protection against known and unknown types of malware, an integrated approach to dealing with viruses, spyware, rootkits and other malware threats, and robust management tools that minimize administrator involvement in threat remediation.

While mobile malware is a newer field of exploitation, there is mounting evidence that it can and will benefit from many techniques honed by cybercriminals on traditional computer malware. While these similarities may help anti-virus companies anticipate some of the moves, equally serious factors point to increasing risk. The operating systems are newer, yet they, too, are laden with vulnerabilities. Add to that the fact that users are generally less suspicious of malware intruding on their phones and other mobile devices. Less suspicion means that they are far more likely to become innocent victims who only increase the speed and penetration of mobile malware. Mobile device vendors, most already operating in highly competitive markets, may face a special challenge in maintaining the image of the products and services they offer while simultaneously needing to educate users about potential vulnerabilities. As we have learned with traditional malware, protection at every point will likely be necessary to thwart the cybercriminals.

Next-Generation Technology is needed

There are a number of good anti-virus and anti-spyware products on the market, offered by leading and not-so-leading developers. Some products offer reasonably high detection rates, fairly quick updates of new signatures and minimal impact on system performance. However, some products do not provide acceptable levels of performance: they are slow to react to newer types of threats, such as the newest types of spyware.

Some consume enormous system resources, and some are not designed to deal effectively with "grayware": applications that are typically more annoying than threatening, such as those that display popup windows or track user behavior. As a result, the anti-virus and anti-spyware industries need something of an overhaul. For example, while discrete anti-virus and anti-spyware products are available today, there is no appreciable difference between viruses, Trojans, worms, spyware and other threats from a user's or administrator's perspective. These are merely different forms of malware, any of which represents a serious risk to users and organizations alike. It therefore makes sense to integrate discrete anti-malware capabilities into a single platform. An anti-malware system should be designed from the ground up as an integrated set of capabilities that offers:

A high rate of detection for various types of malware, whether the threat is a virus, Trojan, keystroke logger, adware, etc.

High-speed detection of threats.

Minimum imposition on system resources.