I have a message for Americans with smartphones: Don't install anti-virus software. It's a waste of money. And I have a message for the security industry: Forget trying to make money on AV products. It's time to move on to something a lot more effective.
Why I'm anti-anti-virus
My anti-AV stance is based on mounting evidence that malware is at best a minuscule threat on mobile devices and AV doesn't work. Let's start with the nearly nonexistent threat.
Researchers at the Georgia Institute of Technology and security vendor Damballa found during a three-month study that 3,492 out of more than 380 million mobile devices had malware, which amounts to an infection rate of 0.0009 percent.
To help put that number in perspective, the odds of being killed in a cataclysmic storm in the U.S. is 1 in 126,158, or 0.0008 percent, according to data gathered by the National Safety Council. So you're more likely to die in a storm than have to deal with malware.
The Georgia Tech study, partly funded by Damballa and the National Science Foundation, was based on an analysis of domain name system traffic collected from a major U.S. cellular provider and non-cellular Internet service provider. The researchers identified the domains looked up by mobile applications and analyzed the Internet hosts of the domains.
The study also found little difference between the domain requests of mobile applications running on smartphones or tablets powered by Apple iOS or Google Android. This means that people using either platform are just as likely to communicate with "known low reputation domains." This finding calls into question the perception that iOS provides greater security than Android, according to researchers.
Besides the Georgia Tech study, Google released the results of its own research at the Virus Bulletin conference, held in Berlin this month. The company's own analysis found that only a small fraction of a percent of applications were able to evade the multi-layered defenses in Android and cause harm to the user, Adrian Ludwig, Android security chief, told conference attendees, as reported by the news site Quartz.
AV products miss a lot
Everyone knows that apps for the iPhone are only available through Apple's App Store, and the company vets each app before making them available. While nothing is perfect, most experts would agree that this system provides solid malware protection.
Because Android accounts for nearly 80 percent of the smartphones shipped worldwide, almost all mobile malware targets the platform. Therefore, AV would be a logical precaution.
Unfortunately, the products give a false sense of security. A study by researchers at North Carolina State University found that the rate of detection of AV software varied from roughly 80 percent to as low as 20 percent. The findings were based on a collection of 1,260 samples taken from 49 malware families.
If not AV, then what
The NCSU study concludes that the results "clearly call for the need to better develop next-generation anti-mobile-malware solutions," and I couldn't agree more. AV products have been around for more than 25 years, and it's time to move on.
Criminals have honed their evasive techniques to the point where the reliability of AV products isn't worth the sacrifice in performance and battery life on a smartphone. Instead, security should be built into the device's hardware and software and cellular carriers have to aggressively monitor their networks and prevent the bad stuff from ever reaching subscribers.
Charles Lever, a Ph.D. candidate at Georgia Tech and one of the researchers on the malware study, said he and his colleagues spotted malicious domains well before the security community found the malware. Lever, who works as a part-time researcher for Damballa, believes there's plenty of information in the network that can be mined to identify threats.
"Looking at the network is kind of the direction this work shows we should be heading," Lever said.
AV software is still needed in desktops and laptops, which are where it should remain. Mobile devices are ushering in a new era in computing that needs next-generation security.