Cybersecurity analysts say nefarious forces are increasingly turning their attention to the most personal computer you own, the one you carry everywhere and trust with some of your most sensitive secrets – your smartphone.
“Over the last two years or so, we have seen a huge influx” in the number of hackers targeting smartphones, says Roel Schouwenberg, principal security researcher for Kaspersky Labs, a well-known anti-virus firm.
Because these devices carry so much of our personal and financial information nowadays – to the point where many of us treat them like digital wallets – hackers are finding ways to gain unauthorized access to them.
Most phones have little in the way of security and anti-malware protection. Given the right opportunity, malware creators can breach our email and contacts lists, monitor highly personal communications and capture vital data such as the password we type into our mobile banking app.
Tony Anscombe, senior security evangelist for anti-virus provider AVG Technologies, says that one of the most vulnerable aspects is text messaging — also known as SMS, or short message service.
A hacker will send you an unsolicited text under a seemingly legitimate pretense – like a notice from your bank – that may contain a link that if clicked, could download a virus onto your phone.
“We’re conditioned, as grown-ups on the internet, to look at our [email] inbox and weed out spam,” says Anscombe. “Are we conditioned in the same way to look at our SMS as we get text messages?”
It’s a rhetorical question — Anscombe says that for the most part, consumers are unaware that we are living in an age of increasing cyber-aggression.
Cyber threat getting ‘exponentially worse’
The threat to computing devices overall is getting “exponentially worse,” says Sean Forkan, vice-president and general manager for web security company Symantec Canada.
Forkan says that between 1991 – the year of the Michelangelo computer virus – and 2011, Symantec identified about 200 million different virus definitions. In comparison, the company found upwards of 200 million in 2012 alone.
“So in a single year, we saw more unique variants of viruses out there than all the [previous] years combined,” Forkan says. “And we expect that to continue this year.”
Forkan’s company is in the business of selling anti-virus software, but he’s not the only one sounding the alarm. Mikko Hypponen, the renowned security expert and columnist, has been warning of this trend since at least 2006, when he published an article in Scientific American called “Malware Goes Mobile.”
While desktop and laptop computers remain the greatest targets for malware creators, Anscombe says hackers have recently set their sights on smartphones – especially ones running the Android operating system.
He says that to ensure the greatest success, hackers zero in on the most ubiquitous platforms. According to reports by both IDC and Strategy Analytics, Android phones – such as those manufactured by Samsung, LG and HDC – had an 81 per cent market share in the third quarter of 2013.
“If you look at the rise of any platform or OS, once you get over a certain percentage of adoption, you start to see it become interesting to cybercriminals,” says Anscombe.
Android phones a favoured target
One of the great selling features of smartphones is the staggering array of apps available for download. But these seemingly innocuous programs can also provide hackers with a pathway into your phone, says Schoewenberg.
Not only does Android have the biggest market share, but it is also seen as easier to hack, he says.
Android apps are not as tightly regulated and can be installed from both the approved Google Play store and the wider internet. Hackers may find ways to introduce malicious code into apps found outside the Google Play store.
“What we see right now is an absolutely vast majority of mobile malware is being written for Android,” says Schouwenberg, adding that it’s “pretty close to 100 per cent” of the mobile malware circulating online.
He says Apple’s iOS is more “locked down,” but recent events show that it’s not impenetrable.
On Feb. 21, Apple revealed that it had discovered a security flaw in both its mobile and desktop operating systems that gave hackers the ability to capture personal and financial information users were typing into their web browsers. (The flaw has since been patched.)
Anscombe says one hacking technique is taking a popular app such as Candy Crush Saga, inserting a string of malicious commands into its code and then relisting it on a third-party app site that doesn’t have the same stringent application process as Google Play or the Apple store.
“Somebody young, like a teenager, is going to say, ‘Oh, I have to pay for it in the Google Play store; I’ll just download it from this third-party store,” says Anscombe. “What he’s not realizing is that it’s being wrapped in some sort of malware, and once installed, that malware kicks in and starts doing some damage.”
Hackers aren’t the only ones interested in widely used apps. Documents leaked by National Security Agency whistleblower Edward Snowden show that both the NSA and its British counterpart, GCHQ, have exploited vulnerabilities in the code of apps such as Angry Birds in order to access smartphones.
Lack of awareness
A major problem has been a lack of consumer awareness about the fact that smartphones can be targeted, says Anscombe. Part of that, he says, is a basic misunderstanding of what constitutes malware nowadays.
“A lot of people out there still think malware is the Pac-Man running across the screen, [or] the Blue Screen of Death,” says Anscombe.
He says that most people don’t understand that malware is largely invisible, and that you may have inadvertently downloaded it when you visited an infected web site or accessed a malicious file.
An additional concern, Anscombe says, is that most retailers do little to promote anti-virus software for smartphones.
“The education about the disruptive nature of malware on a desktop and laptop just hasn’t been there in the mobile industry,” says Anscombe. “But that doesn’t mean the malware’s not there.”
Cybersecurity analysts say the biggest hurdle in making handset devices safer is convincing people that they need to consider more than just convenience.
“There’s a whole lot less privacy in the mobile space with your smartphone than there is on your laptop,” Schoewenberg says, “and it is going to be interesting to see if consumers accept that reality.”