Is mobile malware really the gigantic business threat it is made out to be by numerous security firms? If it is someone should tell Verizon's researchers who have once again struggled to find any to talk about in the firm's 2015 Data Breach Investigations Report (DBIR).
The DBIR is accepted as probably the industry's most comprehensive take on real-world data breaches, security incidents, malware types, and attack vectors, compiled from Verizon's large mobile user base, extensive list consultancy customers with contributions from 70 global security agencies, including huge Internet firms, national CERTS and even the US Secret Service.
If mobile malware is out there, Verizon is probably the best qualified firm on earth to see it, and yet the it devotes an entire chapter of the DBIR to a mostly fruitless search for evidence that mobile malware is being used on any scale to breach organisations.
After running eighteen passes or more on the data the best the firm can say is that from tens of millions of smartphones connecting to its network each week around 100 showed evidence of serious malware, almost exclusively on devices running Android. That's a fraction of a fraction of one percent of all threats at most. The rest of the unwanted applications it noticed it rated as bascially low-grade nuisance applications.
"We chopped, sliced, and flipped the data more times than a hibachi chef," said the report as if to emphasise the effort the firm went to find mobile threats.
Relating that to the 2,122 real-world breach reports and nearly 80,000 security incidents fed into its database for 2014, the firm said that mobile devices were involved on only very rare occasions.
"When we've looked for these devices we're not seen them in out breach data," confirmed Verizon risk team principal and report co-author, Jay Jacobs.
It's a head-scratcher perhaps but Jacobs is adamant that as far as larger organisations are concerned this is an over-rated threat.
"We see that it's a weakness, we know that users can be duped. But we're just not seeing it. Back off the hype a little bit. Mobile is not a pattern," he said.
"Most of the malicious software is annoying for the consumer. But when we filtered this out there was a tiny fraction that had malicious software on it."
The mobile malware that is out there is overwhelmingly opportunistic, short-lived attacks designed to mine a quick profit or grab some traffic, or push advertising through adware apps. Four out of five attacks don't last beyond a week and 95 percent were gone within a month.
Jacobs is not saying that mobile malware doesn't exist, nor that it is not a risk for consumers. But so far almost none of it is being used as part of the large number of detected attacks on organisations his firm deals with each year.
Sign up for Computerworld eNewsletters.