Your smartphone: a new frontier for hackers

Aug 08, 2011 By JORDAN ROBERTSON, AP Technology Writer
In this Jan. 5, 2011 file photo, a person operates their iPhone in New York. Security experts say attacks on smartphones are growing fast — and attackers are becoming smarter about developing new techniques. (AP Photo/Frank Franklin II, File)

(AP) -- Hackers are out to stymie your smartphone. Last week, security researchers uncovered yet another strain of malicious software aimed at smartphones that run Google's popular Android operating system. The application not only logs details about incoming and outgoing phone calls, it also records those calls.

That came a month after researchers discovered a security hole in Apple Inc.'s iPhones, which prompted the German government to warn Apple about the urgency of the threat.

Security experts say attacks on smartphones are growing fast - and attackers are becoming smarter about developing new techniques.

"We're in the experimental stage of mobile where the bad guys are starting to develop their ," said Kevin Mahaffey, co-founder of Lookout Inc., a San Francisco-based maker of software.

Wrong-doers have infected PCs with malicious software, or malware, for decades. Now, they are fast moving to smartphones as the devices become a vital part of everyday life.

Some 38 percent of American adults now own an iPhone, BlackBerry or other mobile phone that runs the Android, Windows or operating systems, according to data from Nielsen. That's up from just 6 percent who owned a smartphone in 2007 when the iPhone was released and catalyzed the industry. The smartphone's usefulness, allowing people to organize their digital lives with one device, is also its allure to criminals.

All at once, smartphones have become wallets, email lockboxes, photo albums and Rolodexes. And because owners are directly billed for services bought with smartphones, they open up new angles for financial attacks. The worst programs cause a phone to rack up unwanted service charges, record calls, intercept text messages and even dump emails, photos and other private content directly onto criminals' servers.

Evidence of this hacker invasion is starting to emerge.

- Lookout says it now detects thousands of attempted infections each day on mobile phones running its security software. In January, there were just a few hundred detections a day. The number of detections is nearly doubling every few months. As many as 1 million people were hit by mobile malware in the first half of 2011.

- Google Inc. has removed about 100 malicious applications from its Android Market app store. One particularly harmful app was downloaded more than 260,000 times before it was removed. Android is the world's most popular smartphone operating software with more than 135 million users worldwide.

- Symantec Corp., the world's biggest security software maker, is also seeing a jump. Last year, the company identified just five examples of malware unique to Android. So far this year, it's seen 19. Of course, that number pales compared with the hundreds of thousands of new strains targeting PCs every year, but experts say it's only a matter of time before criminals catch up.

"Bad guys go where the money is," said Charlie Miller, principal research consultant with the Accuvant Inc. security firm, and a prominent hacker of mobile devices. "As more and more people use phones and keep data on phones, and PCs aren't as relevant, the bad guys are going to follow that. The bad guys are smart. They know when it makes sense to switch."

When it comes to security, smartphones share a problem with PCs: Infections are typically the responsibility of the user to fix, if the problem is discovered at all.

The emergence in early July of a previously unknown security hole in Apple Inc.'s iPhones and iPads cast a spotlight on mobile security. Users downloaded a program that allowed them to run unauthorized programs on their devices. But the program could also be used to help criminals co-opt iPhones. Apple has since issued a fix.

It was the second time this year that the iPhone's security was called into question. In April the company changed its handling of location data after a privacy outcry that landed an executive in front of Congress. Researchers had discovered that iPhones stored the data for a year or more in unencrypted form, making them vulnerable to hacking. Apple CEO Steve Jobs emerged from medical leave to personally address the issue.

The iPhone gets outsize attention because it basically invented the consumer smartphone industry when it was introduced in 2007. But Apple doesn't license its software to other phone manufacturers. Google gives Android to phone makers for free. So, Android phones are growing faster. As a result, Google's Android Market is a crucial pathway for hacking attacks. The app store is a lightly curated online bazaar for applications that, unlike Apple's App Store, doesn't require that developers submit their programs for pre-approval.

Lookout says it has seen more unique strains of Android malware in the past month than it did in all of last year. One strain seen earlier this year, called DroidDream, was downloaded more than 260,000 times before Google removed it, though additional variants keep appearing.

Lookout says about 100 apps have been removed from the Android Market so far, a figure Google didn't dispute.

Malicious applications often masquerade as legitimate ones, such as games, calculators or pornographic photos and videos. They can appear in advertising links inside other applications. Their moneymaking schemes include new approaches that are impossible on PCs.

One recent malicious app secretly subscribed victims to a service that sends quizzes via text message. The pay service was charged to the victims' phone bills, which is presumably how the criminals got paid. They may have created the service or been hired by the creator to sign people up. Since malware can intercept text messages, it's likely the victims never saw the messages - just the charges.

A different piece of malware logs a person's incoming text messages and replies to them with spam and malicious links. Most mobile malware, however, keeps its intentions hidden. Some apps set up a connection between the phone and a server under a criminal's control, which is used to send instructions.

Google points out that Android security features are designed to limit the interaction between applications and a user's data, and developers can be blocked. Users also are guilty of blithely clicking through warnings about what personal information an application will access.

Malicious programs for the iPhone have been rare. In large part, that's because Apple requires that it examine each application before it goes online. Still, the recent security incidents underline the threat even to the most seemingly secure devices.

A pair of computer worms targeting the iPhone appeared in 2009. Both affected only iPhones that were modified, or "jailbroken," to run unauthorized programs.

And Apple has dealt with legitimate applications that overreached and collected more personal data than they should have, which led to the Cupertino, Calif.-based company demanding changes.

"Apple takes security very seriously," spokeswoman Natalie Kerris said in July. "We have a very thorough approval process and review every app. We also check the identities of every developer and if we ever find anything malicious, the developer will be removed from the Developer Program and their apps can be removed from the App Store."

A criminal doesn't even need to tailor his attacks to a mobile phone. Standard email-based "phishing" attacks - tricking people into visiting sites that look legitimate - work well on mobile users. In fact, mobile users can be more susceptible to phishing attacks than PC users.

The small screens make it hard to see the full Internet address of a site you're visiting, and websites and mobile applications working in tandem train users to perform the risky behavior of entering passwords after following links, new research from the University of California at Berkeley has found.

The study found that the links within applications could be convincingly imitated, according to the authors, Adrienne Porter Felt, a Ph.D. student, and David Wagner, a computer science professor.

They found that "attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated."

A separate study released earlier this year by Trusteer, a Boston-based software and services firm focused on banking security, found that mobile users who visit phishing sites are three times more likely to submit their usernames and passwords than desktop PC users.

Mobile users are "always on" and respond to emails faster, in the first few hours before phishing sites are taken down, and email formats make it hard to tell who's sending a message, Trusteer found.

Still, mobile users have an inherent advantage over PC users: Mobile software is being written with the benefit of decades of perspective on the flaws that have made PCs insecure. But demand is exploding, with market research firm IDC predicting that some 472 million smartphones will be shipped this year, compared with 362 million PCs. As a result, the design deterrents aren't likely to be enough to keep crooks away from the trough.

"It's going to be a problem," Miller said. "Everywhere people have gone, bad guys have followed."


User comments : 8


MarkyMark
1.8 / 5 (4) Aug 08, 2011
This is why the Android's application market that's free and open to all is so much better than the restricted closed Apple system. As users of Android get to enjoy the wide and varied ways hackers can access your information, and they even do this for free!!! Now that's a bargain.

CreepyD
5 / 5 (4) Aug 08, 2011
Not quite sure how it can happen, it only takes a quick 2 second look at reviews and such, it's as easy as pie to tell an app that's a fake unless you're the first to download it I guess.
CSharpner
5 / 5 (2) Aug 08, 2011
Not quite sure how it can happen, it only takes a quick 2 second look at reviews and such, it's as easy as pie to tell an app that's a fake unless you're the first to download it I guess.

Yep. Android refuses to let an app install until the OS displays the list of items the application is requesting access to. The user can tap "Install" or "Cancel". All it takes is a couple seconds. It's your phone and your data. It's YOUR responsibility to allow or deny these security requests.

"Better" is a subjective term. As with most technology, it depends on your individual needs and expertise. If you've got the intelligence to know whether or not it's OK for an app to "send or receive SMS text messages" or "Make phone calls" or "read your contact data", then you're smart enough to use an Android (hint: everyone is smart enough).

If you'd rather not be bothered with it and trust someone else to make those decisions for you, iPhone is a good choice. To each his own. Please, no fanboism!
CSharpner
3.7 / 5 (3) Aug 08, 2011
Addendum: iPhone is a fine user platform. I have no qualms with anyone choosing that. My personal preference is Android simply because it fits my preferences better. If my circumstances were different, I might choose otherwise. There's no reason for anyone to get angry and start a platform fanboism flame war here. If you love your platform and hate all others, that's fine, just understand: nobody else cares, so please keep it to yourself.
Ricochet
1 / 5 (1) Aug 08, 2011
Yeah, yeah, Csharpie... We understood in the 1st post. Now, I must ask... what's wrong with a good flame war every now and then, especially when it comes to the (relatively) latest technologies to hit the markets?

Now, to correct these statements of hyper-PCism (that's political correctness, not personal computer), here's my opinion...

iPhone is good for people that also like to drive cars and not know how they work.. at all. Like, not even curious. Android's good for people that like to do their own car repairs, or at least watch the mechanic do his thing. Here's a good test for those that are unsure:
Open the hood of your car. Look over everything in that engine compartment. Now, if you feel a desire to learn at least a little bit about it all, get an Android. If you either could care less about it, or get intimidated by all of it and slam the hood down, comforted that there are others that can do that mechanicky stuff for you, get an iPhone.

I hope that helps.
CSharpner
not rated yet Aug 08, 2011
johnyboy (physorg.com/profile/user/jonnyboy), thanks for the 5 on my first post, but do you mind if I ask why the 1 vote on the 2nd?
MarkyMark
not rated yet Aug 09, 2011
I do agree the iPhone is very much a plug and play type of phone (as in you just switch it on and need little technical know-how to use it), which is a good thing! After all, how many people buy a phone that's easy to use fully and how many buy a phone expecting a lot of technical know-how will be needed to do more than just make a call, text etc? Also I was not saying in my first post that Androids were bad, just not as secure for the average user due to the open nature of its app system.

Also saying iPhone users are 'simple' in their ways is just elitist trolling and you know it Ricochet!
Ricochet
not rated yet Aug 09, 2011
You know as well as I do that starting wars is a very prestigious line of work, and one that should be taken with pride.
