More consumers are buying smartphones. So more criminals are taking aim at those devices.
Criminals still prefer PCs for stealing personal data, bank and credit card account numbers as well as for running frauds. However, most PC attacks focus on Microsoft Corp.’s decade-old Windows XP operating system, which is slowly being replaced by the more secure Windows 7. Over the next few years, hackers will have to find new targets.
With smartphones outselling PCs for the first time—421 million of the hand-held computers are expected to be sold worldwide this year, according to market analysts at IDC—the long-predicted crime wave on hand-held devices appears to have arrived. According to mobile-security firm Lookout, malware and spyware appeared on nine out of 100 phones it scanned in May, more than twice the 4-in-100 rate in December 2009.
In fact, the most practical rule for protecting yourself is to start thinking of the smartphone as a PC.
Most malicious incidents on mobile devices involve bogus phone or text-message charges or rogue mobile applications, of which there are now more than 500 varieties, according to F-Secure, a Finnish security firm. All these ruses require users to take some kind of action, such as clicking to accept or install a program, so caution while using mobile devices can prevent most problems. (However, experts warn that automated attacks are possible and could emerge in the future.)
Most attacks happen in Eastern Europe and China. An overwhelming number—some 88%, according to F-Secure—have singled out devices running Nokia’s Symbian operating system. Symbian is the world’s most commonly used smartphone platform.
Some experts believe Android will become a top target for malware because anyone can create and distribute an app anywhere on the Web. Google does not check apps for security issues, but has instead imposed technical hurdles to thwart malicious activity.
For instance, apps run in a “sandbox”, a closed environment where they cannot affect one another or manipulate device features without user permission. Google removes from its official Android market any apps that break its rules against malicious activity.
Ten attacks have been directed at Android users, including a malicious program called Geinimi that appeared in third-party Android app markets in China in December. Added to legitimate applications, primarily games, it allowed hackers to manipulate text messages, steal contact lists, place calls, visit websites and quietly download files.
The attacks underscore the importance of exercising care when downloading mobile applications.
Users should install apps only from sites they trust. They should research apps to ensure they are not malware. A smartphone is “a microcomputer in your hand, and you can have Trojans and worms and viruses like a PC can”, said Andy Hayter, anti-malcode manager at ICSA Labs, an independent security-testing firm owned by Verizon.
The extra-cautious may also want to use a security product; free and paid products are available for all but the iPhone platform from major security companies such as F-Secure, Symantec and Kaspersky as well as specialized providers like Lookout and DroidSecurity.
Tighter controls on use of third-party software on mobile devices may help explain the limited number of attacks so far, says Mikko Hypponen, chief research officer at F-Secure. For instance, Apple’s more regulated environment has mostly kept trouble at bay.
Attacks that bill cellphones are the most promising way for criminals to make money, Hypponen says. Hackers are figuring this out, as shown by multiple frauds on Facebook asking people to fill out online surveys and provide cellphone numbers, which then receive monthly charges. Check your bills carefully for unusual expenses.
BlackBerrys are rarely attacked because the devices are typically provided and controlled by security-conscious employers, and the phones are not commonly used in countries such as Russia and China, the homes of many malware creators. The most widespread problem seen on BlackBerrys is commercial spyware such as FlexiSPY, which is secretly installed by someone who wants to track a phone owner’s location, listen to the calls and read text messages and e-mails.
Phishing is also a growing problem on all smartphone platforms. Such attacks, common on PCs, involve text or email messages that appear to be from a trusted party, like a bank, that lead people to bogus websites where they are asked to enter personal data.
Mobile users are three times more likely to fall for these scams than PC users, according to statistics on phishing recently gathered by one security company, Trusteer. The company believes that is because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot. It cautions people not to click on Web links in messages.
Confidential information can also be collected wirelessly if transmitted unencrypted over a public Wi-Fi network. Experts suggest avoiding transactions over airport or cafe networks.
Losing a mobile device and the data inside remains the most likely risk to a smartphone owner. Experts recommend users lock devices with a PIN, so someone who picks it up cannot use it. It is also wise to install apps that can help locate a lost or stolen phone and, if necessary, wipe the data from it.
Apple, Microsoft and RIM provide free apps for their devices, and similar apps are available for Android and other phones from third parties, including F-Secure and Lookout.
A last bit of advice, as true for the desktop computer as for the smartphone: back up the data on your phone to your computer or an online service. That way, you’ll be able to recover quickly, whether your gadget has been lost, stolen or contaminated.
©2011/the New York Times