New Research Finds Mobile Malware Infections Overhyped in US

By ISBuzz Team, Writer, Information Security Buzz | Apr 28, 2015 05:05 pm PST

Research Conducted on 50% of US Mobile Traffic Finds You are 1.3 Times More Likely To Get Struck By Lightning Than Have Mobile Malware Communicating on Your Device

Damballa, a leader in advanced threat detection and containment, will be unveiling research on Wednesday, April 22nd at the RSA Conference, which details the overblown nature of the mobile malware problem. Damballa monitors nearly 50% of US mobile traffic. Based on this Big Data set, the research team set out to determine actual malware infection rates – not just samples found, or vulnerabilities/theoretical attacks. In his talk at RSA, senior scientific researcher Charles Lever will highlight the actual risks to devices, the number of devices seen communicating with known bad domains, and the comparison to historical rates.


  • Damballa originally did a study in the spring of 2012 to determine the extent of mobile devices contacting malicious mobile domains. At the time, Damballa monitored approximately 33% of US Mobile Data Traffic.
  • The same study was repeated in Q4 2014. Damballa now monitors about 49% of US Mobile Data Traffic.
  • During the initial test period in 2012, researchers saw 17-25M mobile devices per day. During the new test period (Q4 2014), researchers saw 130M-160M devices per day.
  • They observed 2,762,453 unique hosts contacted by mobile devices.

Key Findings:

  • In 2012, monitoring 33% of US Mobile Data Traffic, Damballa saw 3,492 out of a total of 23M mobile devices (0.015%) contacting a domain on the mobile blacklist (MBL).
  • In Q4 2014, monitoring nearly 50% of US Mobile Data Traffic, only 9,688 out of a total of 151M mobile devices (0.0064%) contacted MBL domains.
  • The National Weather Service says the odds of being struck by lightning in a lifetime are 0.01%.
  • Only 1.3% (35,522) of “mobile” hosts were not in the set of hosts contained in historical non-cellular pDNS data. This means there is very significant overlap between wired hosts and mobile hosts, and mobile applications are reusing the same hosting infrastructure as desktop applications.
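The two measurements described in the study setup and the key findings above (the per-device MBL contact rate and the share of mobile hosts absent from historical wired pDNS) can be reproduced over passive-DNS records. This is an added example, not Damballa's code; the record layout, the blacklist and the host sets are constructed for illustration.

```python
"""Added example, not Damballa's code: the two network-level measurements the
release describes, computed over a constructed passive-DNS (pDNS) sample."""
from typing import Iterable, Set, Tuple


def normalize(host: str) -> str:
    """pDNS exports often mix case and trailing dots; compare on one form."""
    return host.strip().rstrip(".").lower()


def mbl_contact_rate(records: Iterable[Tuple[str, str]], mbl: Set[str]) -> Tuple[int, int, float]:
    """Return (devices with >=1 MBL lookup, total devices, per-device rate).
    A device is counted once however many blacklisted lookups it made."""
    devices, hit_devices = set(), set()
    for device, host in records:
        devices.add(device)
        if normalize(host) in mbl:
            hit_devices.add(device)
    rate = len(hit_devices) / len(devices) if devices else 0.0
    return len(hit_devices), len(devices), rate


def mobile_only_hosts(records: Iterable[Tuple[str, str]], wired_hosts: Set[str]) -> Tuple[int, int, float]:
    """Hosts contacted from cellular traffic that never appeared in the
    historical non-cellular pDNS set (the release's 1.3% figure)."""
    mobile_hosts = {normalize(h) for _, h in records}
    only = mobile_hosts - {normalize(h) for h in wired_hosts}
    frac = len(only) / len(mobile_hosts) if mobile_hosts else 0.0
    return len(only), len(mobile_hosts), frac


def rate_pct(hits: int, total: int, digits: int) -> float:
    """Rate as a percentage, rounded the way the release reports it."""
    return round(100.0 * hits / total, digits)


# Constructed sample: (device_id, hostname) pairs seen in cellular pDNS.
MOBILE_PDNS = [
    ("dev-001", "cdn.example-app.com"), ("dev-001", "api.example-app.com"),
    ("dev-002", "cdn.example-app.com"), ("dev-003", "EVIL-C2.example.net."),
    ("dev-003", "api.example-app.com"), ("dev-004", "ads.example.org"),
    ("dev-005", "mobile-only.example.io"),
]
MBL = {"evil-c2.example.net"}  # constructed mobile blacklist
WIRED_HOSTS = {"cdn.example-app.com", "api.example-app.com",  # constructed
               "ads.example.org", "evil-c2.example.net"}      # wired pDNS hosts

if __name__ == "__main__":
    hits, total, rate = mbl_contact_rate(MOBILE_PDNS, MBL)
    print(f"{hits}/{total} devices contacted an MBL domain ({rate:.2%})")
    only, hosts, frac = mobile_only_hosts(MOBILE_PDNS, WIRED_HOSTS)
    print(f"{only}/{hosts} mobile hosts absent from wired pDNS ({frac:.1%})")
    print(rate_pct(9_688, 151_000_000, 4))  # the release's Q4 2014 figure
```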

“This research shows that mobile malware in the United States is very much like Ebola – harmful, but greatly over exaggerated, and contained to a limited percentage of the population that are engaging in behavior that puts them at risk for infection,” said Charles Lever, senior scientific researcher at Damballa. “Ask yourself, ‘How many of you have been infected by mobile malware? How many of you know someone infected by mobile malware?’”

Lever continued, “Mobile operators and platforms have invested significant resources in preventing malicious applications from being installed, especially in North America. For example, iOS developers must submit an application for approval before their app is available on iTunes. And Google has developed “Bouncer,” a system that scans submitted apps for evidence of malware. So for a majority of the population, by simply staying within the authorized app stores for their respective devices, they will drastically reduce the risk of being infected with mobile malware.”

Brian Foster, CTO of Damballa, added, “While it would be naïve to think there is no risk in mobile, the true extent of mobile infections is still not widely understood. By providing an extensive network-level analysis, across millions of devices, Charles and his team are helping the industry better understand the underlying infrastructure of mobile traffic, and the risks that are likely to come in the future. By understanding these risks, organizations will be better able to apply network-based countermeasures to help detect and protect themselves going forward.”

About Damballa

As a leader in automated breach defense, Damballa delivers advanced threat protection and containment for active threats that bypass all security prevention layers. Born for breach defense, Damballa rapidly discovers infections with certainty, pinpointing the compromised devices that represent the highest risk to a business, and enabling prioritized response and refocusing of security experts to the areas of greatest risk to an enterprise. Our patented solutions leverage Big Data from one-third of the world's Internet traffic, combined with machine learning, to automatically discover and terminate criminal activity, stop data theft, minimize business disruption, and reduce the time to response and remediation. Damballa protects any device or OS including PCs, Macs, Unix, iOS, Android, and embedded systems. Damballa protects more than 400 million endpoints globally at enterprises in every major market and for the world’s largest ISP and telecommunications providers. For more information, visit