Mobile app security provider Lookout released a sobering report yesterday on the state of mobile phone malware attacks. The study, which analyzed data from more than 700,000 apps and 10 million devices worldwide, found that the number of malware-infected Android apps has risen from 80 in January 2011 to over 400 in June. And malware attacks across all platforms are increasing in their level of sophistication.
Lookout estimates that between a half million and one million users were affected by mobile malware in the first half of 2011. That's a small number against the hundreds of millions of smartphones in use. Yet web-based threats that operate across platforms, such as phishing attacks, are a significant risk for mobile devices, since people are far less likely to have security software to identify these risks than on their PCs — and Lookout's study indicates that three out of ten mobile users are likely to click on an unsafe link over the course of the year.
Some of the methods scammers use on mobile devices are similar to attacks against PCs. In addition to phishing, drive-by downloads are being used to automatically start downloading malware when a user visits a site. Scammers use in-app advertising to drive users to these sites, some of which are designed to mimic the Android Market. On Android, the browser can't actually install the downloaded app without permission from the user, so it is important for consumers to be wary of unexpected app installation requests. Scammers have also taken to repackaging legitimate apps with malicious code and then offering them on unofficial app sites and even in the Android Market.
Other means of attack are unique to smartphones. Update attacks occur when scammers publish a legitimate app in the Android Market to attract a lot of users, and then release an update that contains malware. Since many users update their apps without much thought, either manually or automatically, scammers can hit a large group before the malware is detected.
The risks to users from mobile malware include both information theft — from your address book, email and voice calls — and monetary damages. The GGTracker malware, which specifically targets U.S.-based Android phones through a drive-by download, signs users up for a $10 text message subscription service that is charged to your phone bill.
Due to the open nature of the Android Market, the ability to install apps from third-party sources and the fragmentation of handset manufacturers that can delay security updates for months (if ever, on some devices), Android phones are the target of choice for scammers. Users can stay safe by only downloading apps from trusted sources — e.g., the official Android Market or the Amazon App Store — and paying close attention to the information access the app is requesting on install. If the app is trying to access information on your phone that seems unnecessary for its operation, don't install it. Similarly, only allow automatic updating for apps you truly trust, and pay close attention to any changes in permissions for other apps before you update.
Mobile security software products for Android, Windows Phone 7 and BlackBerry are available, such as Lookout Mobile Security (from the producers of the study), Trend Micro Mobile Security and Norton Mobile Security. It is hard to evaluate individual product effectiveness due to a lack of third-party studies, but given the increasing rate of malware issues, downloading at least the free version of one of these products is a wise idea.
iPhone users are better protected from malicious apps because of the curated nature of the Apple App Store, but Apple users who jailbreak their phones to load apps from outside the "walled garden" face risks. And the same technology that allows users to jailbreak their iPhones could be used in a future malware attack against all iPhone users.
Another vulnerability for Apple is that security updates to iOS require users to sync their iPhone with iTunes. Studies have shown that up to 50% of iPhone users do not regularly sync their phones, thus leaving themselves vulnerable. iOS 5, coming this fall, will finally allow over-the-air updates to resolve this issue, though users will still need to sync to update to iOS 5 first. And iPhone users can fall prey to the same phishing scams that affect every smartphone or PC user, so never enter user names or passwords on a site unless you are sure it is the real thing (if you're at all uncertain, go directly to the site by typing in the URL yourself).