Assuming the vulnerability level is 1 to 1 (which I very much doubt) it still makes sense to avoid a mono-culture. It allows us to work around any single point of failure and improves the cost/reward structure for exploits.
Ah, but mobile devices are usually hidden behind a providers NAT and nearly all applications that are interactable and could be semi-directly contacted (eg. messaging apps) are written in a managed language, so a spread like we've seen with WCry is less likely to happen.
Having said that, have you seen the amount of malware hiding in advertisements for Android? There's a lot.
Well then, if you're talking phones. The Windows phone is less likely to get a virus than Android phone. Like I said, it's simply a question of popularity - it makes more sense to target a popular OS if you're writing a virus.
Non-Windows systems are also susceptible to zero-days and poor security. However, Linux systems are typically managed by the technically competent, and Macs constitute such a comparatively small share of the consumer market that the economics of an attack against them just don't make sense.
> Macs constitute such a comparatively small share of the consumer market that the economics of an attack against them just don't make sense.
Is this really true though? Wouldn't they, on average, have way more disposable income than the average windows user? I'm thinking something along the lines of the Pareto principle in conjunction with your disposable income being correlated with owning a mac.
Good point -- I suppose that comes down to the real numbers. However, that probably only makes a difference for certain kinds of attack: it's probably not worth botnetting Macs.
There's ransomware, but if it had the same level of impact you would be hearing about it in the news. Except that you are not. What you are hearing about instead is WannaCrypt on Windows, because that has a more significant impact.
The difference is in the delivery method. Android malware gets distributed by 3rd-party (pirated) app stores and apk downloads, where every victim actually had to do something questionable to get infected. There haven't been many reports of malware attacks on Android from doing innocent things like opening emails.
WannaCrypt on the other hand relied on NSA's ETERNALBLUE and DOUBLEPULSAR exploits so that computers sharing a network could get infected without doing anything.
Aside from that, most people would just reset their phone if they got ransomware since most of the important data on a phone is already backed up to the cloud. So there's less of a payout as well.
Federal agencies almost certainly have zero-days against Android, against the Linux kernel, what have you. What's the argument that Windows is inherently more susceptible to attack? I've heard that the kernel is more sophisticated than Unix-style kernels, so I suppose that perhaps the attack surface is higher -- but I've also never heard anything concrete to that effect.
Yes, they accumulate 0days, that's what they do. The NSA for example defines themselves as a "capabilities based organization", which is synonym for just accumulating ways to breaking into systems, whatever it is... hardware, software, cryptoanalysis... you name it.
But the difference is that if a vulnerability was found in Linux, people would quickly get it fixed then get their machines patched for free.
There are many viable alternatives that do not suffer from any of these issues.