Security researchers like to tell us that malware authors have largely ignored the Mac because there aren’t enough users.
I think there are two reasons that they say this: the first is that it’s hard to disprove.
The Mac user base is rapidly growing (according to Apple, at 3-4 times the rate that the rest of the PC industry is growing) so when the next attack comes around the market share will indeed be bigger; and a little bit of hand-waving lets the experts navigate us past the fact that there isn’t necessarily a causal relation.
The second reason I’d like to offer is that it’s true; the “return on investment” for writing Mac malware is lower than that for Windows malware just because there are more infectable Windows systems.
While I’m channeling the marketing department, I could possibly investigate whether Mac support for a botnet is a “value-added differentiator” for cybercriminals ;-).
Anyway, readers with a mathematical bent might like to read When Malware Attacks (anything but Windows), a game-theory treatment which estimates that the tipping point comes when Macs account for 1/6th of the market share. When that magic number is reached, it will become financially worthwhile for a Windows malware author to “get a Mac”.
That seems a long way off, but I’m going to propose firstly that our idea of “Mac market share” is flawed, and secondly that the magic number is too high.
The proportion of computers on the internet running Mac OS X was estimated at 8% last month, and we know from Apple’s sales figures that there must be about 30 million Macs in use.
But what about the “other” OS X platform? What about the iPhone?
We also know from the fruity salespeople that there are at least 10 million iPhones knocking around (and presumably a few million iPod Touches have been sold, too).
If a bad guy can use a generic “OS X” exploit which targets the technology or features common to the Mac and the iPhone, maybe the Safari web browser, then the number of boxes they can reach shoots past 40 million, turning that 8% figure into 11% or 12% – still not close to 18%.
As for my second statement, that we need to reduce that magic tipping point number, my reason is simple. A compromised iPhone (or “0wned”, hence iPh0wn) is worth a lot more than a compromised Mac.
Macs, particularly laptops where Apple’s sales are strongest, are not necessarily always on and when they are not necessarily connected to the network; and when they’re off or disconnected, they aren’t going to be very productive as spam zombies.
Mobile phones on the other hand tend to be left on all day, and whenever they’re on, they’re online. So the amount of use the botnets get out of an iPh0wn is much greater than that they get out of a Mac.
The way people interact with each device is also different; when I’m at my Mac I’m absorbed in whatever I’m doing, but for most of the day my phone is left in my pocket. Perhaps I’m just not as popular as some other people. Not only would I then not notice if the phone in my pocket was running slowly or connecting to the network more, but in fact I wouldn’t know what it means to have a “slow” mobile phone, as there’s no CPU meter or process viewer.
Options for securing the iPhone are limited – there isn’t a firewall, and availability of third-party security software currently severely lags other, clearly more popular, genres such as flashlight simulators and lightsabre-swooshy-things.
This means that from the attacker’s perspective, every iPhone is the same – hack one of them and you hack them all.
So taking 0wnership of an iPhone is cheaper than a Mac, and the chance of the user noticing is much lower.
Put all of this together and the worldwide cohort of iPhone users seem like very juicy targets for malware attacks – and if the criminals manage to bag a few thousand Macs into the bargain, well that’s just the icing on a zombie-ridden cake.