05:10 PM
Connect Directly
Repost This

Smartphone Malware Multiplies

More than twice the number of malware and spyware hitting BlackBerry, Windows Mobile, and Android phones than six months ago

The number of malware and spyware programs found on smartphones has more than doubled in the past six months -- and some types of malware are more prevalent on certain smartphone platforms than others.

New data gathered from users of a free smartphone security tool shows the bad guys are increasingly going after smartphone users. According to Lookout, which offers a free lightweight mobile client with cloud-based security, backup, and anti-theft features, there were about nine pieces of malware and spyware per 100 smartphones as of last month -- more than twice as many as in November 2009.

Even more worrisome is how rapidly these threats are hitting smartphones in comparison to the desktop: What took 15 years to evolve with the desktop machine is happening practically overnight in mobile handsets, security experts say. "We call this the 1999 factor: It feels like about 10 years ago in terms of prevalence of threats. There was a tipping point between 2000 and 2002 [for PC threats] that was driven by broadband" and more consumers going online, according to John Hering, CEO and founder of Lookout, formerly Flexilis. "The same trends are going to hold true here [with smartphones]."

Tyler Shields, senior security researcher with Veracode, says he has seen a definite uptick in malware arriving for smartphones during the past few months. "It's coming at a much faster rate now. It's difficult to quantify the amount of growth," however, he says. Shields earlier this year developed and released proof-of-concept source code for a spyware app he created that forces a BlackBerry to hand over its contacts and messages. The spyware can also can grab text messages, listen in on the victim, as well as track his physical location via the phone's GPS.

Spyware is the main type of malware Lookout sees being created for BlackBerrys, while Windows Mobile phones suffer more from traditional malware, and Androids from a little of both, according to Lookout's data. "We're seeing a pretty equal spread [of the threats] across these platforms," Lookout's Hering says. The firm doesn't yet support the Apple iPhone in its app, so data on the iPhone isn't included.

Why mostly spyware on the BlackBerry? Veracode's Shields says it might be due to the heavy corporate use of BlackBerrys, which would make any data lifted from them more easily monetized. "The type of data on a BlackBerry generally is going to be corporate-centric and could be of interest to attackers," he says.

A recent malware attack against Windows Mobile phones basically took an existing, legitimate smartphone app and booby-trapped it with malware: The 3D Anti-Terrorist app game for Windows Mobile was rewritten with auto-dialer malware, according to Lookout's Hering. The app basically fires up the auto-dialer malware when the user runs the game. "It sits dormant for hours or days, and then wakes up and calls numbers at a premium rate -- from Somalia to the South Pole," for instance, he says. "The victim is then incurring charges but doesn't notice until [he] receives the phone bill."

A Windows codec and poker app also were hijacked, copied, and repackaged with malware. The apps are being distributed via typical mobile download and app store sites, such as,,, and "We're seeing the same evolution on mobile as on the desktop: It's going from notoriety [purposes] to trying to profit," Hering says.

The malware attack vector being used against smartphones isn't the SMS or email spam that was all the rage in the early days of mobile attacks. Instead, it's following smartphone user behavior trends and exploiting downloadable applications, experts say. "Users are downloading apps at a huge pace," Hering says.

And smartphones are actually more "personal" than PCs. They include GPS location, payment information, email, text messages, and records of who a user communicates with. Hering says today's smartphone malware is all about grabbing personal information and, now, attempting to monetize it. "On the spyware side, you can imagine an app grabbing personal data that you're unaware of [occurring] and transmitting that to a third-party location" where it can be resold, for example, he says.

Meanwhile, enterprises should be aware of the risks of breaches via their smartphone users. "They should be worried about this," Hering says.

But the likelihood of another Operation Aurora-scale targeted attack isn't as likely to hit via the smartphone just yet: "At this point in time, the PC [attack] model is so much easier and faster. I don't foresee that level of coordination to target mobile devices at this point," Veracode's Shields says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web