Mobile malware took off in 2011. That is when hackers began serious attacks on mobile phones, says David Emm, principal security researcher, at Kaspersky Lab, a cyber security company.
“At that point, the data became worth stealing, and since then growth has been exponential,” Mr Emm says. He estimates 1m new malicious codes were found on devices by 2015. “The actual number of attacks is much bigger than this because each program tends to be used many times.”
Early attacks focused on causing handsets silently to call premium rate numbers. Then hackers diversified into phishing — creating spoof websites that trick people into revealing account numbers and login details.
Phishing still accounts for the overwhelming number of attacks on mobiles, says Mr Emm, although ransomware — locking data and demanding payment for its release — is also big, accounting for 17 per cent of the total across all platforms, according to Kaspersky’s research.
Most phone attacks are on handsets that use the Android operating system because of its large market share and flexible, open technology. Apple’s iPhones use proprietary technology which is more difficult to breach.
“Android is like having a room with lots of doors as opposed to a cave with a single entrance,” Mr Emm says. But Apple is not immune.
In 2015, many app developers unwittingly downloaded a malicious version of Xcode — Apple’s official tool for building apps — from a file-sharing website. Among scores of apps infected were WeChat, a messaging app popular in China, and CamCard, a popular business card reader in the US.
Although Apple vets the apps sold through its app store, the infected programs were not initially detected. They were made available and widely used.
Mobile phone security is challenging because devices are designed to connect in many different ways, says Ben Johnson, chief security strategist at Carbon Black, a security software company. “Whether it is a text message, email, web browsing, Bluetooth or near-field communication (NFC) connectivity, each method of communication is a potential attack route.”
As human interaction is the main purpose of a mobile device, Mr Johnson adds, there are more chances to trick users. “People are much more likely to click on malicious images or videos sent to a mobile phone than to a PC, because it feels more familiar and natural.”
Phones are also often set to connect automatically and display quick preview images, data or text. “This makes it possible to exploit a system without the recipient opening or ‘clicking’ anything,” Mr Johnson says.
Defending against the most serious attacks is difficult, says Ian Evans, a vice-president and managing director at VMware Airwatch. “If the main source of the threat is a nation state agency, you’re best to just throw your phone away.”
However, simple steps can help against more common hackers. You should use a passcode or complex PIN on your device to protect it in case of loss or theft, says Mr Evans. “And it is best to avoid connecting to public WiFi networks. If the WiFi is not encrypted, somebody could intercept data including passwords. If you have to do so, make sure you always use a virtual private network to connect to sensitive resources.”
Also, do not “jailbreak” your mobile devices, he says. This is a process whereby users remove operating system restrictions so that they can customise their phone and download apps not normally allowed. “Jailbreaking negates your warranty and exposes you to more potential malware,” says Keiron Shepherd, senior security specialist at F5 Networks, a cyber security company.
Phones with hardware-based encryption tend to offer stronger protection than software encryption, says Mr Evans. “The encryption key is stored on a chip, which acts like a safe.” But Android handsets continue to lack dependable hardware-based encryption, Mr Evans says.
Sometimes phones are compromised during production, as happened in 2014 when a factory-installed “Trojan horse” was found on the Star N9500 Android smartphone, made in China and sold by companies such as Amazon and eBay. It enabled hackers to operate the phone remotely and, being embedded at the factory, could not be removed.
The next battleground between hackers and phone owners will be biometric data such as thumbprints, iris or voice profile. At present, hackers rarely use biometrics to circumnavigate security because there are many easier paths, says Mr Shepherd. “This is likely to change. The problem is that if your password is discovered you can quickly change it, whereas once biometric data are compromised, that’s it.”
This article has been amended on February 24 to reflect the fact that 1m new malicious codes had been found on mobile devices by 2015, rather than in 2015.