San Jose Mercury News
You've been battling malware — viruses, worms, spyware and the like — on your PC for years.
Is your phone the next battleground?
Security experts think it could be, particularly if it's a smartphone, a handset that has a full operating system and can run applications much like a desktop computer. The more that phones can perform the same functions as PCs, the greater the chance they will have similar vulnerabilities, experts say.
“I'd put it in the looming threat category,” said Natalie Lambert, a senior analyst who covers mobile security issues for Forrester, a technology research firm. “There's huge potential.”
But experts caution that consumers should put that potential threat in perspective. Other security issues — such as simply losing a phone — are arguably of more concern to mobile phone users today.
“It's still very early in the game,” said Chris Hazelton, director of mobile and wireless research at the 451 Group, a technology research firm.
Still, phones are indeed vulnerable to the same types of security threats that face PCs. Security experts have so far identified about 500 viruses or other types of malware or security vulnerabilities that target mobile phones.
Perhaps the best known handset virus is Commwarrior-A, a piece of malware identified in 2005 that spread to phones using the then-current version of the Symbian operating system via text messages. But the number of pieces of mobile malware detected since then has grown steadily.
Analysts say there all kinds of ways that mobile malware could make mischief. Hackers have already induced phones to exchange text messages with rogue operators that charge a high per-message fee. Security experts worry hackers could soon use the GPS feature built into many phones to track the location of their owners.
And experts are alarmed that a new generation of spyware dubbed “snoopware” could eventually be used to turn on the microphone or camera on a phone, allowing a hacker to listen in on phone owners' conversations or see their surroundings.
The overall threat of mobile malware is growing in part because smartphones are becoming more widespread. The devices comprise one of the fastest-growing segments of the mobile phone market and now account for about 12 percent of all phones sold each year.
The threat is also increasing as the devices have become more powerful and users take advantage of their new capabilities. For example, owners of the iPhone, one of the first phones to have a full-fledged Web browser, are much more likely to surf the Web on the device than other smartphone users, according to data from comScore M:Metrics, a market research firm.
That capability could make users of the iPhone and other phones with advanced browsers susceptible to the same attacks that plague consumers who access the Internet from their PCs, analysts say.
Other analysts see the threat growing because of the increased ease with which mobile users can download and install applications to their phones. Apple's iTunes App Store paved the way in that regard, but Google promises to place even fewer controls on the applications for its new Android platform.
“Whenever you create openness, that's good for innovation,” said Jan Volzke, head of global marketing and mobile security for security software maker McAfee. “But people need to understand that (malicious) hacks are also innovations.”
To be sure, malware is nowhere near as big a problem on mobile phones as it is on PCs. Compared with the 500 viruses and the like for mobile phones, there are some 1 million pieces of malware that have been identified on the PC.
And the PC will probably continue to be a bigger target for ne'er-do-wells, analysts say. There are far fewer smartphones in use today than PCs. And no mobile operating system has the same dominant share as Microsoft's Windows does on PCs. That makes it harder for a virus to spread, because different operating systems have different vulnerabilities.
There's also the financial issue. “It's not that (hackers) can't break” into mobile phones, Volzke said. It's that for hackers looking to use malware to profit from unwitting consumers, “It's so much easier to make money on the PC side than on mobile side.”
For mobile phone users, “That's the No. 1 protection that we have today,” he added.
But mobile phone software and hardware makers have also become sensitive to security concerns. After the Commwarrior virus, for example, Symbian beefed up the protections in its operating system through the use of so-called digital signatures for authorized software. Such signatures can limit the access of applications to particular phone functions and greatly confine the access of unsigned programs to any phone features.
Similarly, security providers such as McAfee have been working with mobile carriers to filter potentially malicious data passing through their networks and with device makers to build security features into mobile phones.
However, much of the job of protecting phones from malware will fall on their actual users, analysts say. But some smartphone owners say they are unaware of or untroubled by the problem.
Before Susie Wyshak founded San Francisco-based SuperViva.com, which helps users create lists of life goals, she worked for security software maker Zone Labs. Despite that experience — and the worries she has about the sensitive data on her BlackBerry Curve phone — she's done nothing to make it more secure.
“I have not given enough thought to the implications of what I do on my mobile phone,” Wyshak said. “I'm in ‘ignorance is bliss' mode.”
“Consumers and businesses need to realize that smartphones are essentially mini-computers and should be protected like one,” said Khoi Nguyen, group product manager at Symantec's mobile security division.
HOW TO PROTECT YOURSELF
Experts' tips on keeping your phone safe from mobile malware:
— Turn off Bluetooth when you're not using a wireless headset because the same technology can be used to transfer data from one device to another.
— Similarly, be wary of the applications you install on your phone, making sure they come from trusted sources and, if applicable, with digital signatures certifying their authenticity.
— As PC users have learned the hard way, beware of opening attachments whether sent through e-mail or via text messages.
— Finally, look into anti-virus software, which is typically available for Symbian and Windows Mobile phones.