Just in time for this week’s 2011 Black Hat security conference in Las Vegas, Lookout Mobile Security is sharing some disturbing trends in smartphone security.
In January, Lookout was finding hundreds of malware detections a day – now that figure is in the thousands each day. Says Lookout co-founder and CTO Kevin Mahaffey: “It’s been an interesting six months in 2011 so far.”
Based on Lookout’s Mobile Threat Report, Android users are two and a half times more likely to encounter malware today than they were six months ago. Lookout estimates that between half a million and 1 million users were affected by mobile malware in the first half of 2011.
Three out of 10 smartphone users are likely to encounter an unsafe website over the course of the next year, whether it is reached through browsing, email, Facebook, Twitter, SMS or something else. If that’s not enough to raise an eyebrow or two, the number of unique apps containing malware grew from about 80 to 400 in the first half of this year.
Discovered in June, GGTracker is the first known Android malware that specifically targets U.S.-based Android users, signing up users for premium text message subscription services without their knowledge. Mahaffey says these types of attacks used to mainly target Android users in China, Russia and Eastern Europe.
One popular distribution method involves repackaging, whereby the malware writer takes a legitimate app, injects malware into it and republishes it. A person could download a legitimate app and later be notified that an update is available, with the malware hidden in the updated version.
Malware writers also are using new techniques, like “Malvertising,” whereby they use mobile ads to direct users to a malicious website that triggers an automatic download of malware.
On the PC, people are trained, when they get an email from what they think is a trusted source, to look at the address bar and check the domain name. On a mobile device the address bar is either very small or hidden from view, so they’re not necessarily as vigilant. “The behavior is not that different, but people need to think of their phones as a PC, engage in more positive behavior,” he says.
Lookout works with mobile operators to let them know what’s out there and ways they can thwart the bad stuff, and it also works with Google when it comes to addressable mischief going on with Android Market content.
“At the end of the day, it’s all very clever,” Mahaffey says. Reluctant to use the term “industry,” he says the malware writers are experimenting with ways to make money on mobile. “We’re seeing new things almost every month or so,” he says, and once malware writers figure out a way to crack the nut on monetization, that will lead to more growth as an “industry,” if you will.
Things get more serious when considering mobile payments and mobile banking. So, time to leave those mobile transactions behind? Not quite. “I think people should be vigilant, but they shouldn’t be scared,” he says. Consumers can take steps to protect themselves, including downloading Lookout’s app for Android that scans for malware and identifies phishing and malicious sites. “Our goal is to make people confident,” he says, adding that he believes using mobile phones for payments can be safer than using plastic cards.
He advises consumers to think of their smartphone as a PC, to download apps only from trusted sources, and to look at the developer name, reviews and star ratings. Consumers also should pay close attention to the address to make sure it matches the site it claims to be, and be alert for unusual behavior on a phone, like strange charges on the phone bill and suddenly shortened battery life.