Personal computers have been subject to cyber attacks from the moment we began connecting them to the Internet. Nowadays, malicious software lurking in spam and on Web pages is kept at bay only through effort and expense. So why don’t we have the same security problem with our smartphones and tablets, which are essentially variations on the PC?
Several factors hold back what may someday become a serious effort on the part of cyber attackers to infect mobile devices with malware designed to raid apps and commandeer sensitive data. For starters, devices running Apple iOS, Google Android and other mobile operating systems still are not nearly as numerous as PCs, which therefore remain hackers’ most likely targets. Smartphones and tablets are also, for the most part, better designed than PCs to minimize the potential damage caused by viruses and other problematic programs. In addition, Apple’s tight control over the apps that can be installed on its iPhones and iPads does much to improve the security of those devices.
Of the more than 140 million smartphones in use in the U.S., less than 2 percent have been infected with mobile malware, says John Marinho, vice president for cyber security and technology at the CTIA, a Washington, D.C., wireless industry trade group.
It is possible, nevertheless, for attackers to break into mobile devices, including the iPhone and those running Android. “I certainly have,” says Charlie Miller, a security engineer at Twitter best known for testing mobile device security as a principal analyst with Independent Security Evaluators. “But it’s much more work than it would be to do the same exact thing against Windows. A rational attacker whose goal is to make money is not going to choose that path.”
Fortunately, most efforts to attack smartphones and tablets to date have been made by researchers experimenting with the security of these devices. The first program written to manipulate mobile phones—dubbed Cabir—surfaced in 2004, three years before the iPhone’s debut. Cabir’s anonymous author sent the virus to security researchers to demonstrate that phones running the mobile Symbian operating system could be infected. Cabir would then copy itself to other mobile phones via Bluetooth, running down the phone’s battery in the process, according to security researcher Mikko Hypponen in the 2006 Scientific American article “Malware Goes Mobile.”
In 2007, Miller and his colleagues at Independent Security Evaluators greeted the iPhone’s release by writing a program that could install itself when an iPhone opened its Safari browser. Once installed, the program enabled an attacker to hijack and steal data stored on an infected iPhone. The following year, when HTC’s T-Mobile G1 Android handset debuted, the researchers discovered this smartphone could likewise be exploited if the user visited a Web page infected with a virus or some other malicious program. Once the attacker took control of the infected smartphone he or she could access saved passwords and any cookies the browser used for accessing different Web sites.
Miller helped develop another method of attack in 2009 that blitzed iPhone or Android-based devices with a deluge of SMS (short message service) text messages, allowing an intruder to plant a virus on the phone or at the very least cause the phone to shut down (disconnecting calls and Web access in the process).
Dollars and sense
Malice and mayhem aside, cyber criminals usually want to make money from their efforts. These entrepreneurial types are more likely to design a piece of malware to attack a tried-and-true target such as Microsoft’s Windows operating system or Internet Explorer Web browser, causing maximum disruption with minimal effort. Mobile malware is newer, so authoring such an attack could come with a learning curve and less certainty for success, adds Miller, who spent five years with the National Security Agency as a global network exploitation analyst.
Although the number of PCs sold worldwide dipped slightly in 2012 to about 350 million, the sheer number of PCs that have accumulated in offices and homes over the past several decades still dwarfs the world’s population of active smartphones and tablets.
Given the popularity of these mobile devices, however, this equation will inevitably shift and place them at greater risk. Worldwide smartphone sales are expected to reach 1.5 billion units in 2017, more than doubling the 712 million sold in 2012, according to a recent “Mobile & Wireless Communications Report” from information and analytics provider IHS Inc. Smartphones, once seen as a high-end luxury device, will by the end of this year represent the majority of all handsets sold worldwide.
By 2015 more Americans will access the Internet via mobile devices than with PCs or any other type of wireless device, according to the CTIA. Other researchers expect tablets alone will outsell PCs by 2015.
Cell phones older than the iPhone and Android handsets relied upon simpler operating systems that were difficult to corrupt and hardly worth the effort. More advanced smartphones offer handheld access to Web browsers, e-mail and a number of other exploitable software programs. When the iPhone launched in June 2007, much of Apple’s security strategy centered on restricting the use of third-party apps from running on the phone.