One of the world’s top experts on network theory thinks that we could be overdue for an epidemic of smartphone malware and viruses. Albert-László Barabási, author of Bursts: The Hidden Patterns Behind What We Do, feels that inherent flaws in the app store model and Google/iPhone/Microsoft/BlackBerry firmware make smartphones fertile territory for fraud. In his lab at Northeastern University’s Center for Complex Network Research, Barabási’s research team of Pu Wang, Marta Gonzalez, and Cesar Hidalgo wrote one of the first pieces of academic literature on mobile phone viruses back in 2009. Their journal article… well, it wasn’t optimistic.
Since then, criminals, hackers, and rogue programmers worldwide have slowly been waking up to the possibilities of smartphone viruses and malware. This past April, for instance, McAfee researchers discovered a piece of malware in the Google Play market aimed at Japan that promised to show short sex films or trailers for upcoming video games… while uploading a naïve user’s contact information, phone number, and phone data off-site. Via email, McAfee’s Carlos Castillo told Fast Company that Android malware is currently found primarily in foreign markets and that “the official Google Play market is not infallible because it is still possible to find malicious applications available for download. In this case the malicious apps were in Japanese but we have seen also in the past threats targeting English-speaking users.”
Fast Company spoke with Barabási last month at the TEDMED conference in Washington, D.C., where he discussed using social network theory to map proteins. Here’s what he had to say about smartphone malware and viruses:
FAST COMPANY: Can you talk a little bit about your laboratory?
BARABASI: We look at complex systems and figure out how to control them. Control has many different meanings. If you think of any field of science, you can say that you want to measure it and quantify a system; that’s how we do many things. That’s how we fly, that’s how we make electronic devices, that’s how microprocessors work. We answer the question “If you have a very complex system in a critical network, could I use the network diagram to infer how to control the system?” What we can infer is which parts need to be controlled–the nodes that, if you have access to them, you can manipulate their behavior by changing the signals to them. Once you’ve done that, you can control the whole system. It’s similar to a car; a car has about 5,000 components, yet you control a car with only three components–the steering wheel, the gas pedal, and the brake.
Another aspect of our work is that we look at social networks, ranking problems, and how you rank individuals and mobility. We have an ongoing project at the lab where we try to understand social networks.
Tell us about the research your lab did on mobile phone viruses and malware.
In the past few years, we’ve been working together with a mobile phone company from Europe that has really provided us with access to their user base. This means that we knew who people called, when they called them, and where they were when they made these phone calls. That data was available for a seven-year period, and it was extremely detailed information we could use in an objective manner. We saw not only what users were doing, but what they thought they were doing (like the answers they would fill out in a survey) too. We used that in a number of different areas. We used it to simply look at the social networks of individuals, we used it to examine peoples’ mobility, and we also used it to examine the basic laws of how people interacted with each other. However, we also looked at human predictability. The question we asked ourselves was “If I gain access to your location data–like where you’ve been for the past few months–could we predict your future activity? Can we predict where you’ll be tomorrow at 2 p.m.? We found out the answer, and it surprised even me. On average, a person is 93% predictable. This degree of predictability means that if I gain access to your location, then I’ll know where you are 93% of the time. That’s a very solid number that many people followed up on; similar data was found.
So even if you don’t think your habits are predictable, odds are that they are still predictable?
We usually go to the same places repeatedly. This is because our memory is very biased towards the unusual things we do. We don’t remember going to work every morning at 8 a.m. or returning home at 5 p.m. because we don’t have to remember that. If you start tweeting “I’m at work,” “I’m at work,” “I’m at work,” it becomes very boring after a while. What you tweet about and report about are things that deviate from the normal path. Our memories are largely determined by deviation and the percentage of the time when we don’t do the things that we normally do. The numbers are also very similar from person to person. If you take you and me, for example, chances are that we aren’t more than 5% different from each other in terms of predictability.
One area where we use this is in building probability patterns. Another area is to look at the spread of mobile viruses.
So why mobile viruses?
At a recent talk, I asked people to raise their hands if you ever had a mobile phone virus. Very few people raised their hands, only two or three out of 100. It doesn’t mean they don’t exist now–there are already more than 1,000 documented viruses out there. The fundamental challenge for us is why we don’t see them; and it’s not because the viruses aren’t good enough. When scientists studied these viruses, they found that they evolved much more within a five-year timespan than computer viruses had in a 20-year span. They’re evolving really quickly and becoming more sophisticated.
One issue is that distribution lies in the social network. Let me be specific. We have a diversity of operating systems in the mobile phone environment. A mobile phone virus can only spread across one type of phone operating system. It’s just like how a Windows virus can’t infect a Mac. Now, while Windows dominates the desktop/laptop computer world, we don’t have a similar situation in the mobile phone domain. There are a wide variety of mobile phone operating systems out there; typically fast-spreading mobile viruses are spread via MMS (multimedia messaging service -Ed), acquires your contacts, and then spreads itself towards your friends. A lower-spreading version is the Bluetooth virus, which takes a longer time to spread and is easier to detect because you have to wait for another Bluetooth device to come into contact.
The really dangerous virus for mobile phones is the MMS virus. However, the reality when you look at a contacts list/address book is that most people on it won’t have the same type of phone as you. If you look at your contacts who use the same operating system as you, those islands don’t necessarily connect with you. The result is that if you launch a virus from my phone, it will get stuck in this island of you and your friends who use the same phone as you–and it won’t spread beyond that. Therefore, even if you could launch a very sophisticated virus, it would get stuck in one of these islands.
Can you say more about that?
Now… if the market share of the phone I have increases, the islands begin to connect to each other. In that case, we have a global outbreak–and, indeed, we predicted this two years ago. About six months later, China reached about 9% of phones using a single operating system. By autumn, they had a major breakdown following almost the same process that we predicted. I believe this cost them around $300,000 in damage daily.
If you are building mobile viruses, it must be very frustrating because you build very sophisticated viruses and yet they don’t go anywhere. That’s the current situation and what social networks and market share–market share being very important–cause. If that changes, we’ll have a major problem.
This problem will become a major problem because an increasing portion of our life is mobile. So many technologies, from emergency calls to everyday activities, rely on mobile devices. In this case, competition and the lack of a predominant operating system protects us.