Threats, vulnerabilities, Trojans, phishing sites – the language of PC virus warfare is this year increasingly being applied to mobile devices.
A series of reports from security companies suggest a surge in mobile malware. Juniper Networks said Google Android malware samples grew 400 per cent between June 2010 and January 2011, while Lookout Mobile Security reported users were two and a half times more likely to encounter malware on their mobile devices in July this year than they had been in January.
Kevin Mahaffey, chief technology officer and co-founder of Lookout, says 2011 represents the start-up phase for malware “entrepreneurs” developing a business model.
“Every new piece of malware we are seeing is experimenting with methods of distribution – how do you get the malware to people in the first place – and with monetisation – how do you make money as a malware author?” he says.
Distribution is proving easiest in the Android ecosystem.
John Dasher, McAfee senior director of mobile security, says: “Apple has a walled garden, with its curating of apps for its App Store, so it’s had far fewer instances of malware, but Android is far more porous.”
“There are more than a dozen apps sites, it’s very easy to download apps and ‘sideload’ apps on to a device, and so it’s far easier for a hacker to get an app published that contains malware.”
The easiest way to infect a smartphone is free games or apps that look similar to well known ones, confusing users into downloading and giving the authors the permissions they need to carry out their underhand tasks.
Malvertising – ads within apps – are also becoming popular. GGTracker poses as a free battery-saver app. Clicking on this takes the user to a fake version of Google’s Android Market to download and install the app, which charges premium text messaging fees to that phone.
A more dangerous kind of monetisation spread to Android this year from Symbian, Windows Mobile and BlackBerry smartphones in the shape of Zitmo, a supposed banking authorisation app. It can intercept text messages often sent by banks that provide one-time passwords to help users access accounts and transfer money.
Despite such alarming threats, security experts say the mobile malware problem is minor, compared with the viral warfare raging in the PC world.
“The percentage increases we’re seeing are from a tiny base,” says Ed Amoroso, AT&T chief security officer.
“Most malware continues to reside on the PC – it’s easy pickings there – it’s not administered and it’s on a big fat broadband pipe.”
He says mobile security experts cannot count on learning from their PC counterparts either, with computer security now “in a pretty abysmal state”.
With mobile threats still low, mobile security companies are bundling their anti-malware protection with other services to make them more appealing.
“It’s a conundrum – how do you get people to adopt a product without selling through fear [that they may face virus attacks],” asks Lookout’s Mr Mahaffey.
That is why his company includes useful security utilities such as the ability to locate lost smartphones and remotely lock or wipe them.
The always-on location-aware nature of smartphones makes this possible and their activity on the network means they can easily be monitored for unusual behaviour by mobile operators.
AT&T has 40 researchers working in the field of behavioural analysis to spot malware, rather than relying on the traditional PC-like databases scanned to identify viruses by their software signatures – the fingerprints of their code.
McAfee, acquired by the chipmaker Intel this year, is working on embedding security into the hardware.
“For years, security software has lived above the operating system layer, but the goal is to put security lower in the stack where it can’t be tampered with,” says Mr Dasher.
Juniper, whose Junos Pulse Mobile Security Suite is used by AT&T and others, advocates a holistic approach of network operators monitoring and blocking threats as well as protection on the smartphone itself.
“There is the need to scan apps as they are being downloaded. Firewalls have to be set up and finally the user has to be educated about threats and safe practices,” says Karim Toubba, Juniper vice-president of security and strategy.
3LM, founded by two former members of the Google Android team, last month launched an enterprise security suite for Android that hooks directly into the operating system and gives IT departments a management console to ensure employees’ phones are secure.
Tom Moss, chief executive and co-founder, says this is the first of next-generation anti-malware products that should arrive in the next year – just in time.
“Now Google is introducing things such as NFC [mobile payment] chips in addition to other services that have financial components, it just makes Android a bigger target for the ‘black hats’,” he says.
“Google will take action against them, but there’s also going to be a very healthy and robust third-party developer community coming along with security solutions as well.”