Even in 2016, the word "malware" probably brings PCs to mind first and other devices only later. Part of this is because of the long-term dominance of Microsoft Windows in both the enterprise and consumer sectors.
At the beginning of 2016, Windows 10 was already installed on at least 200 million devices, less than one year after its release (for comparison, Apple took eight years to cross the 1 iOS billion devices sold threshold). That number is still small compared to the total number of Windows PCs out there: Windows 10's market share is not much larger than that of the 15-year-old Windows XP and still well behind the 7-year-old Windows 7.
But mobile operating systems like Android and iOS have together overtaken the desktop, at least when it comes to Internet users. ComScore estimated that the tipping point came in 2014. Have these platforms also taken up a similar share of cyber criminals' attention?
Mixed signals of what the malware threat looks like beyond desktop
It depends on who you ask. One security vendor noted a clear jump in the scale and sophistication of mobile malware between 2014 and 2015, with a growing number of threats utilizing ransomware, SMS Trojans and banking Trojans for monetization. A 2015 Trend Micro report also predicted a sharp uptick in mobile malware in 2016, thanks largely to third-party app stores in China.
However, others, such as the preparers of the 2016 Verizon Data Breach Investigations Report, have been less impressed with what cyber criminals have been able to come up with so far.
"For those looking for proclamations about this being the year that mobile attacks bring us to our knees or that the Internet of Things is coming to kill us all, you will be disappointed," they wrote in the report's introduction. "We still do not have significant real world data on these technologies as the vector of attack on organizations."
So which is it? Probably a bit of both. Organizations shouldn't panic about the new malware on the market, but they also shouldn't underestimate the potential of the next generation of threats to attack devices other than Windows-based PCs.
Cars as a case in point
Consider the case of connected cars, which are becoming a bigger slice of the automobile market. By 2020, up to 70 million new cars could ship each year with built-in IP network connectivity, according to one security vendor. As we know, wherever there is Internet access, there is the risk of malware dissemination and hacking.
Quite a few vulnerabilities have already been uncovered in today's network vehicles:
- Dongles that plug into on-board diagnostics systems could carry malware. The risk was proven a few years ago with a Zubie device.
- A Jeep Cherokee was hacked as a proof of concept, through exploitation of its onboard infotainment system.
- Models ranging from the Tesla Model S to the Jaguar XFR have had questions raised about the integrity of their cyber security mechanisms.
While most cars do not yet rely on Internet connectivity for basic tasks such as navigation or software updates, the extent of these risks makes the case for endpoint security software and antimalware solutions that address more than just desktop PCs and mobile devices. Protection must be modified to guard against threats that could digitally hijack a car or shut down a home appliance.
In other words, cyber security software has to be extended beyond PCs and into cars and the IoT. Windows PCs may still be the biggest magnets for malware, enterprise security teams have to be prepared for a changing environment.