Your smartphone: a new frontier for hackers

Associated Press Modified: August 7, 2011 at 8:00 am •  Published: August 7, 2011

Lookout says it has seen more unique strains of Android malware in the past month than it did in all of last year. One strain seen earlier this year, called DroidDream, was downloaded more than 260,000 times before Google removed it, though additional variants keep appearing.

Lookout says about 100 apps have been removed from the Android Market so far, a figure Google didn't dispute.

Malicious applications often masquerade as legitimate ones, such as games, calculators or pornographic photos and videos. They can appear in advertising links inside other applications. Their moneymaking schemes include new approaches that are impossible on PCs.

One recent malicious app secretly signed victims up for a service that sends quizzes via text message. The pay service was charged to the victims' phone bills, which is presumably how the criminals got paid. They may have created the service or been hired by the creator to sign people up. Since malware can intercept text messages, it's likely the victims never saw the messages — just the charges.

A different piece of malware logs a person's incoming text messages and replies to them with spam and malicious links. Most mobile malware, however, keeps its intentions hidden. Some apps set up a connection between the phone and a server under a criminal's control, which is used to send instructions.
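The subscription scam above rests on two capabilities an Android app has to declare up front: permission to send text messages (to subscribe the victim) and a broadcast receiver that sees incoming texts before the stock messaging app does, which on Android versions of that era let the app abort the broadcast so the confirmation never reached the inbox. The Python script below is an added example, not code from the article, Lookout or Google. It reads an AndroidManifest.xml and flags that combination. The two manifests, the package names and the priority threshold are constructed for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Assumed triage threshold: ordinary apps rarely register SMS receivers above this.
HIGH_PRIORITY = 999

# Constructed manifest modelled on the subscription scam: it can send SMS and
# grabs incoming SMS at the highest possible priority.
SCAM_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quizgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Quiz Game">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.calculator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Calculator">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def sms_risk_indicators(manifest_xml):
    """Return the set of SMS-related indicators declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    indicators = set()
    if "android.permission.SEND_SMS" in permissions:
        indicators.add("SEND_SMS")        # can text a premium number to subscribe
    if "android.permission.RECEIVE_SMS" in permissions:
        indicators.add("RECEIVE_SMS")     # can read the confirmation messages
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION not in actions:
                continue
            indicators.add("SMS_RECEIVER")
            priority = _android_attr(intent_filter, "priority")
            try:
                if priority is not None and int(priority) > HIGH_PRIORITY:
                    indicators.add("HIGH_PRIORITY_SMS_RECEIVER")
            except ValueError:
                # Non-numeric priority (e.g. a resource reference): cannot judge it here.
                pass
    return indicators


def looks_like_premium_sms_scam(manifest_xml):
    """Flag the combination the scam needs: send texts and intercept incoming ones first."""
    return {"SEND_SMS", "HIGH_PRIORITY_SMS_RECEIVER"} <= sms_risk_indicators(manifest_xml)


if __name__ == "__main__":
    for label, manifest in (("quiz game", SCAM_MANIFEST), ("calculator", BENIGN_MANIFEST)):
        print(label, sorted(sms_risk_indicators(manifest)), looks_like_premium_sms_scam(manifest))
```

This is a triage heuristic, not a verdict: the call that actually swallows the message lives in the app's bytecode, not the manifest, and legitimate messaging apps also register high-priority SMS receivers, so a hit is a reason to pull the APK apart, not proof of fraud.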

Google points out that Android security features are designed to limit the interaction between applications and a user's data, and developers can be blocked. Users also are guilty of blithely clicking through warnings about what personal information an application will access.

Malicious programs for the iPhone have been rare. In large part, that's because Apple requires that it examine each application before it goes online. Still, the recent security incidents underline the threat even to the most seemingly secure devices.

A pair of computer worms targeting the iPhone appeared in 2009. Both affected only iPhones that were modified, or "jailbroken," to run unauthorized programs.

And Apple has dealt with legitimate applications that overreached and collected more personal data than they should have, which led to the Cupertino, Calif.-based company demanding changes.

"Apple takes security very seriously," spokeswoman Natalie Kerris said in July. "We have a very thorough approval process and review every app. We also check the identities of every developer and if we ever find anything malicious, the developer will be removed from the iPhone Developer Program and their apps can be removed from the App Store."

A criminal doesn't even need to tailor his attacks to a mobile phone. Standard email-based "phishing" attacks — tricking people into visiting sites that look legitimate — work well on mobile users. In fact, mobile users can be more susceptible to phishing attacks than PC users.

The small screens make it hard to see the full Internet address of a site you're visiting, and websites and mobile applications working in tandem train users to perform the risky behavior of entering passwords after following links, new research from the University of California at Berkeley has found.

The study found that the links within applications could be convincingly imitated, according to the authors, Adrienne Porter Felt, a Ph.D. student, and David Wagner, a computer science professor.

They found that "attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated."
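To make the small-screen point concrete, here is an added example in Python, not code from the article or from the Berkeley study. It models an address bar with an assumed character budget, shows what survives truncation, and checks whether the visible prefix names a brand that the hostname does not actually belong to. The URLs, the brand name and the width are constructed for the demo; the two-label rule for the owner of a hostname is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# Constructed URLs: a lure whose hostname is padded on the left with the bank's
# name so the visible prefix looks right, and the genuine sign-in page.
PHISHING_URL = "https://www.example-bank.com.secure-login-verify.net/online/signin"
LEGITIMATE_URL = "https://www.example-bank.com/online/signin?session=constructed"
BRAND_DOMAIN = "example-bank.com"
# Assumed character budget of a phone-sized address bar.
PHONE_WIDTH = 32


def displayed_prefix(url, width):
    """The leading characters a narrow address bar shows; the rest is cut off."""
    if len(url) <= width:
        return url
    return url[: width - 1] + "…"


def registrable_domain(host):
    """Owner-controlled part of a hostname, approximated as its last two labels.
    Simplification: browsers consult the Public Suffix List, under which names
    such as example.co.uk need three labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def truncation_lure(url, width, brand_domain):
    """True when the visible prefix shows the brand's domain but someone else owns the host."""
    host = urlsplit(url).hostname or ""
    shown = displayed_prefix(url, width)
    return brand_domain in shown and registrable_domain(host) != brand_domain


if __name__ == "__main__":
    for url in (PHISHING_URL, LEGITIMATE_URL):
        print(displayed_prefix(url, PHONE_WIDTH), "| owner:",
              registrable_domain(urlsplit(url).hostname),
              "| lure:", truncation_lure(url, PHONE_WIDTH, BRAND_DOMAIN))
```

On the phishing URL the bar shows only `https://www.example-bank.com.se…`, which is exactly what a user expects to see; the registrable domain that decides who receives the password sits in the part that was cut off. The check catches hosts padded on the left; a brand name placed in the path after an unrelated host never appears in the prefix at all.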

A separate study released earlier this year by Trusteer, a Boston-based software and services firm focused on banking security, found that mobile users who visit phishing sites are three times more likely to submit their usernames and passwords than desktop PC users.

Mobile users are "always on" and respond to emails faster, in the first few hours before phishing sites are taken down, and email formats make it hard to tell who's sending a message, Trusteer found.

Still, mobile users have an inherent advantage over PC users: Mobile software is being written with the benefit of decades of perspective on the flaws that have made PCs insecure. But smartphone demand is exploding, with market research firm IDC predicting that some 472 million smartphones will be shipped this year, compared with 362 million PCs. As a result, the design deterrents aren't likely to be enough to keep crooks away from the trough.

"It's going to be a problem," Miller said. "Everywhere people have gone, bad guys have followed."