The history of PC malware and the future of mobile malware
Over the past few decades, different types of malware have regularly been in the news: worms, trojans, spyware, backdoors, ransomware, RATs, adware, cryptojackers and viruses have all gotten their 5 minutes of fame. These types of attacks have become common enough that everyone working with computers is aware of their existence. While the history of personal computer-based malware goes back at least to the 1980s, the history of mobile malware began in the mid-2000s. Can we learn something from the malware of the past, and if we can, is it possible to predict something about the future?
How did malware start?
The first types of malware were written primarily as pranks. Back when people used to copy floppies from each other, it was not uncommon to get infected with a virus that would become resident in memory on your computer. That way the next floppy you copied would also get infected. The first internet worm (a self-propagating virus), the Morris worm of 1988, was similarly mainly a prank that got out of hand; according to Robert Morris, the goal was only to measure the size of the internet. Things were different back then; Norway avoided the Morris worm because someone got a phone call and simply unplugged the country from the internet.
PC malware through the years
After a few other, mostly annoying, worms and viruses, the first more dangerous tools showed up in 2002, with the first Remote Administration Tools (RATs), initially created to spy on people. Attacks targeting the banking industry first appeared in 2007 with the Zeus and Gozi malware. Descendants of these are still active today.
In 2013 the first ransomware was discovered; it encrypted files and tried to get you to pay to get them unlocked. These early worms and viruses spread through email and phishing, similar to how malware still spreads today. An interesting development is that this year (2020) it appears that Apple Macs have surpassed Windows-based PCs in the number of malware infestations. This is partly due to the increased popularity of Macs. However, it is also likely that Microsoft's focus on security - bundling antivirus software, a good firewall and dropping support for Internet Explorer - has something to do with the reduction in PC-based malware.
Malware on mobile devices
The same types of malware are, of course, found on mobile devices. The first real worm that spread from phone to phone was the Cabir worm of 2004, which spread through Bluetooth on Nokia's Symbian devices. Spyware made its first appearance in 2007, and ransomware appeared the same year as its PC-based counterpart, with FakeDefender in 2013. A common thread with these types of malware is that they spread through phishing, and the attackers often trick the users into downloading the malware from a website or an alternative app distribution channel.
Is there something to learn from PC-based malware?
The vector for malware is still mostly the same when comparing PC and mobile-based malware: they spread through email and phishing. However, PC-based malware has a long history of trying to spread to other PCs through network vulnerabilities. The way the malware communicates with its originators has changed from hand-crafted "command & control servers" to distributed networks of infected PCs where the owner of the PC is unlikely to be aware of the infection. Something similar will likely happen on the mobile side. As phones have gotten more and more powerful, the next generations of phone-based malware will probably try to infect other phones directly (e.g. with MMS messages). Instead of operating with control servers as a single point of failure, a distributed network of infected phones might be at the core of future malware.
What can we do to avoid this future? Google clearly has a big job to do with Android. Today Android is quite fractured, and too many users don't receive security updates on . It is tempting to compare the situation today with how Microsoft had to give away Windows 10 for free, merely to get enough new users on the platform. Similar to how a PC from 10 years ago might still be perfectly fine hardware-wise, a high-end phone from 3 years ago still has some life left in it. Perhaps Google could release their own Android distribution for phones abandoned by their original makers?
We at Okay try to help banks, card issuers, PSPs and eWallet providers to protect their transactions from malware. On our product pages, you can read more about how the Okay SCA platform protects identification and authentication processes.