How safe is your smartphone?
Smartphones are getting pretty clever these days but it is unlikely they will outwit the cybercriminals as fraudsters increasingly go mobile.
Last week Android Market, the shop front for applications aimed at Android smartphones, was hit by around 60 malicious apps.
It is thought that they did little real damage other than to Android's reputation, but the incident put the issue of mobile security back in the headlines.
Phones are attractive to criminals because they are essentially mini computers but with some important added extras.
"Phones also have direct access to address books, calendars as well as offering an ability to generate revenue," said Ian Fogg, an analyst with Forrester Research.
The type of personal data typically stored on a phone opens up a rich new vein for the modern fraudster's preferred crime - identity theft.
However, a more immediate income can be made from so-called rogue dialling programs - malicious bits of code capable of placing calls, unbeknown to the owner.
They are, according to Ovum analyst Graham Titterington, the "number one malware threat" to smartphones.
"Rogue dialling connects the phone automatically to a premium number that invariably belongs to a crook based in another country," he explained.
But it is not an insurmountable issue, he thinks.
"I don't understand why the mobile operators can't just cut off payments - then the problem goes away. But this type of international co-operation seems to be lacking at the moment," said Mr Titterington.
The close relationship between smartphones and location poses a risk that malicious apps will be able to track exactly where a person is at any given time.
"It could even be that it would be used to find out when someone is away from home," said Mr Fogg.
While it sounds scary, these nightmare scenarios are very far removed from the real picture, for the moment at least.
"So far there has been no major detrimental impact on consumers," points out Ben Wood, an analyst from CCS Insight.
"There will be a day when there is a catastrophic security lapse and then people will start taking it more seriously," he added.
Android may have hit the headlines but all smartphone operating systems have been targeted by malware of one kind or another.
To date, most iPhone security lapses have focused on offering users the power to break free from Apple's control with software that 'jailbreaks' the iPhone, a modification which enables users to run non-Apple approved software.
TOP FIVE MOBILE MALWARES
- Android - DroidDream - the most recent and most advanced piece of malware; it hit apps and allowed the phone's product ID and user ID to be transmitted to a remote server
- Android - Market Security Tool - the update sent to wipe rogue Android apps has already been hacked and injected with malware. Being distributed via 3rd party app stores in China.
- Zeus-in-the-mobile - a trojan working with the Windows virus Zeus, affecting Symbian and Blackberry handsets and aiming to steal online banking details.
- Android - Geinimi - similar to the market app attack, it took official apps, added malware and released them via Asian app markets. Could send SMSs, harvest phone data and make phone calls.
- Android - ADRD - another trojan that pirated official Android apps.
Source: BullGuard
"These hacks are often reported as a good thing but from a security point of view it is a nightmare," said Mr Fogg.
Several bugs have taken advantage of jail-broken phones.
A relatively harmless iPhone worm which changed the handset's wallpaper to a picture of Rick Astley was followed a few months later with a more serious bug that targeted people using their iPhones for internet banking with Dutch online bank ING.
Blackberry handsets and Symbian phones have been targeted by a mobile version of the Zeus trojan. Victims were directed to a fake website where they were invited to download an app which then stole their banking details.
Such phishing attacks are likely to become a huge problem for smartphones, thinks Alex Vaystikh, a researcher from security firm RSA.
"You can't always see the whole screen and you might be more likely to click on things you wouldn't click on a computer screen," he said.
And when mobile banking reaches a critical mass, there will be a good reason for criminals to phish from mobiles.
"There needs to be a financial incentive and that incentive isn't there right now, but consumers definitely want more service on their mobiles, like electronic wallets and banking, so the potential is huge," said Mr Vaystikh.
There are various ways to attack a mobile phone but by far the most popular is through downloadable applications.
Some experts think that Android's Marketplace is especially vulnerable because it is more open than Apple's and Microsoft's systems.
"All have restrictions and guidelines and stipulate no pornography, no viruses and no spyware," explained Phillip Dall, from mobile security firm BullGuard.
"But with the iPhone and Ovi store, apps are sent for some pretty serious testing. At Android the process is different, there are far more self-signed applications," he said.
Others think that there are other aspects to Android which make it just as secure, such as its policy of letting users know what data and resources an app will have access to, giving more savvy users the chance to spot obvious malware.
Google has said that it has no current plans to start pre-screening apps on Android Market.
It said that the recent spate of malicious applications could only access device-specific data.
The company did take the step of remotely "killing" them on all affected phones, proving, if nothing else, that it does ultimately have control over its apps.
There is also a question about how long Apple and Microsoft can continue pre-screening their applications, according to Mr Fogg.
"It is becoming an app internet as they become the primary way people go online, but the sheer volume of them makes human moderation impossible," he said.
Apple does not discuss how it tests apps but it is believed to use both human moderation and automated systems.
Mr Titterington thinks that there needs to be an industry-wide sea-change in mobile security.
"There is a need for Apple and Google to put in place a quality framework - a series of standard tests that issue apps with a health certificate," he said.
And it needs to be made less easy for users to install rogue apps.
"We are going to have to see a re-engineering of the infrastructure of how apps are delivered," he added.
"We need a more proactive approach to installing apps. It isn't going to happen in the current generation of phones but maybe in the next two to three years."