No news is good news.

That's the bright takeaway of the state of the threat landscape regarding mobile malware – defined here as malware significant enough to warrant attention from financial institutions.

That eliminates the many varieties of nuisance malware that send premium SMS and/or dial expensive foreign numbers. That malware has been around as long as there have been apps and, indeed, there are thousands of examples.

But aggravating as they are to the victim, this is no big deal to financial institutions, at least not in the sense that Zeus is a very big, multi-million dollar threat.

“We are seeing some significant malware in Europe,” said Bill Nelson, CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC). “Not so much here.”

Nelson did have one big – loud – worry about smartphones (we'll get to it soon) but he was insistent that the malware threat in the U.S. is more hype than substance.

He specifically pointed to a ransomware app called Svpeng that seizes control of a victim's phone and demands payment to unlock it. That has gotten significant press but, Nelson said, FS-ISAC has not received a single report about an incident in the U.S.

“It hasn't popped up in the real world,” he said.

That absence of a real threat, Nelson suggested, is today's norm when it comes to smartphone malware in the U.S.

Fact: there is no meaningful iOS (iPhone) malware.

Fact: there is very little meaningful Android malware distributed via the official Google Play storefront or the Amazon App Store.

Fact: there is a thicket of Android malware available via third-party sites and, unlike Apple, Google does not limit how Android apps are distributed.

Any site, anywhere can put up Android apps and, oftentimes, free versions of premium apps — free because they have been stolen — pack toxic payloads. It may look exactly like a $4.99 game, but if it is free on a no-name site, you can bet it is tainted.

So far, however, this malware tends to focus on premium SMS or foreign calls, not financial services credentials. Bothersome, yes. But not a threat to credit unions.

Otherwise, safety reigns in app world. For how long? It is only a matter of time, as cybercriminals adjust to the user shift away from online banking and into mobile banking. Eventually there will be potent, toxic apps. Just not yet, at least not here.

In some countries there already are mature threats. Mick Tsai of San Francisco-based security company Cheetah Mobile said his company has tracked multiple instances of slick spoofs of Korean banking apps that, of course, ask users for their login credentials. They also are able, in some versions, to intercept and respond to authenticating SMS sent to the user's phone.

Those potential threats are enormous but, note, there are no such instances in the U.S. Furthermore, Tsai acknowledged, the spoofed apps were not available via Google Play. Users downloaded them from third-party sites.

Such toxic apps prove that inroads are being made into mobile.

Even so, that is not what presently worries FS-ISAC's Nelson.

What does?

“Phishing in mobile,” he said.

To Nelson, this is the 900-pound gorilla when it comes to smartphones.

Steve Pao, GM Security Business at Campbell, Calif.-based Barracuda Networks, elaborated: “Phishing remains a primary concern regarding financial data security. Due to small screens, many mobile web browsers oftentimes hide the address bar, making it difficult to verify the authenticity of URLs that are asking for private information.”

With a smartphone, often lighting conditions are not optimal. Often we are in a rush. Often we are multi-tasking. Together, that means we are prime for criminal assault with phishes that seek login credentials.

Pao added that his company is seeing a sharp rise in phishes designed for mobile channels. He also said he has seen many very clever phishes that look exactly like Facebook emails.

The cure? Member education and reminders that phishing, increasingly, has shifted to mobile devices.

The next step is to brace yourself for a tidal wave of bogus logins with legitimate credentials harvested via mobile phishes.

That, the experts said, is coming your way. Be ready.
