The Security Threat in Your Pocket

Researchers are clamoring that this is the year you must deal with mobile security or get hit by phishing and malware attacks on the devices in your employee's pocket.

One by one, Adam Schafer, a system engineer at Bluefire, demonstrated the attacks, rendering the smartphone in front of him defenseless.

In the first, he modified the home page of the device and added a favorite to Pocket Internet Explorer; in the second malware copied and forwarded SMS messages received on the device to a Web server he controlled transparently to the smartphone users. The third attack launched a Web browser and sent it to a specific Web page with a remote control command sent via SMS. The final attack accessed the device remotely and copied and deleted word documents.

There are numerous ways to install code onto the device, from e-mail attachments, malware attached to another application or executable such as ring tones and phishing attacks, said Mark Komisky, CEO of Bluefire.

Security pros are predicting users can expect these attacks and more in 2008. Twice in roughly the past week, security researchers at McAfee found mobile malware targeting users in China - the first time threatening Windows Mobile devices, while the most recently attack targeted Symbian Series 60 phones.

"There is definitely a high probability that hackers will increasingly target smartphones this year," said Paul Miller, managing director of mobile security at Symantec. "[We] called out mobile malware in the coming years for several reasons: one, the increase in users; two, more users connecting to the Internet...three, a nonchalant user attitude regarding abnormal events like rogue connection attempts; and four, phones becoming payment tokens. All of this valuable data plus a false sense of user invincibility spells opportunity for commercially motivated attacks."

More Smartphones than Laptops

Last year was a watershed year for the mobile industry, with smartphones out-shipping laptops and equaling roughly half of the PCs in use, Miller said. Analysts at Gartner forecasted in a report in January that smartphones sales for 2008 will reach about 173 million units, an increase of 42 percent from 2007. The demand for more capabilities has risen right along with smartphones as more users look to connect to the Internet and store and access sensitive data on the devices.

Though the biggest for smartphone users is still the physical loss of the device, users still have to be wary of phishing, said John Pescatore, a security analyst at Gartner.

"I think the biggest forms of attack against smartphones in 2008 will be phishing-type attacks - you get an SMS message or e-mail with a link, clink and you are brought to a malware site that will try to capture your password or login info," he said. "Actual malware coming to your phone will still be a limited threat this year."

In the case of the malware McAfee uncovered last week targeting the Windows Mobile platform, the malware was packed inside a number of legitimate installation files, such as Google Maps, applications for stock trading and various games. The second is a Trojan that sends out a message when downloaded telling the compromised user to send money to a QQ account to regain usage of the phone, according to McAfee. QQ is a popular instant-messaging network in China .

Smartphone users need to be very suspicious of where an e-mail is really coming from, and they should never launch executables directly from e-mail or SMS messages, Pescatore said. "Pretty much the same advice we give for PC users."

In the end, smartphone security will mean taking some of the same security lessons from PCs and applying them to the computers people now carry in their pockets, Komisky agreed.

"As mobile devices become more capable and allow access to traditional Web sites and applications, those devices and the data stored on them become vulnerable to the same security risks as notebooks," he said. "But without similar protections, like firewalls and anti-malware, hackers have a much better shot at accessing a mobile bank account or stealing personal data."