Personal computers have been subject to cyber attacks from the moment we began connecting them to the Internet. Nowadays, malicious software lurking in spam and on Web pages is kept at bay only through effort and expense. So why don’t we have the same security problem with our smartphones and tablets, which are essentially variations on the PC?

Several factors hold back what may someday become a serious effort on the part of cyber attackers to infect mobile devices with malware designed to raid apps and commandeer sensitive data. For starters, devices running Apple iOS, Google Android and other mobile operating systems still are not nearly as numerous as PCs, which therefore remain hackers’ most likely targets. Smartphones and tablets are also, for the most part, better designed than PCs to minimize the potential damage caused by viruses and other problematic programs. In addition, Apple’s tight control over the apps that can be installed on its iPhones and iPads does much to improve the security of those devices.

Of the more than 140 million smartphones in use in the U.S., less than 2 percent have been infected with mobile malware, says John Marinho, vice president for cyber security and technology at the CTIA, a Washington, D.C., wireless industry trade group.

It is possible, nevertheless, for attackers to break into mobile devices, including the iPhone and those running Android. “I certainly have,” says Charlie Miller, a security engineer at Twitter best known for testing mobile device security as a principal analyst with Independent Security Evaluators. “But it’s much more work than it would be to do the same exact thing against Windows. A rational attacker whose goal is to make money is not going to choose that path.”

Not immune
Fortunately, most efforts to attack smartphones and tablets to date have been made by researchers experimenting with the security of these devices. The first program written to manipulate mobile phones—dubbed Cabir—surfaced in 2004, three years before the iPhone’s debut. Cabir’s anonymous author sent the virus to security researchers to demonstrate that phones running the mobile Symbian operating system could be infected. Cabir would then copy itself to other mobile phones via Bluetooth, running down the phone’s battery in the process, according to security researcher Mikko Hypponen in the 2006 Scientific American article “Malware Goes Mobile.”

In 2007, Miller and his colleagues at Independent Security Evaluators greeted the iPhone’s release by writing a program that could install itself when an iPhone opened its Safari browser. Once installed, the program enabled an attacker to hijack and steal data stored on an infected iPhone. The following year, when HTC’s T-Mobile G1 Android handset debuted, the researchers discovered this smartphone could likewise be exploited if the user visited a Web page infected with a virus or some other malicious program. Once the attacker took control of the infected smartphone he or she could access saved passwords and any cookies the browser used for accessing different Web sites.

Miller helped develop another method of attack in 2009 that blitzed iPhone or Android-based devices with a deluge of SMS (short message service) text messages, allowing an intruder to plant a virus on the phone or at the very least cause the phone to shut down (disconnecting calls and Web access in the process).

Dollars and sense
Malice and mayhem aside, cyber criminals usually want to make money from their efforts. These entrepreneurial types are more likely to design a piece of malware to attack a tried-and-true target such as Microsoft’s Windows operating system or Internet Explorer Web browser, causing maximum disruption with minimal effort. Mobile malware is newer, so authoring such an attack could come with a learning curve and less certainty for success, adds Miller, who spent five years with the National Security Agency as a global network exploitation analyst.

Although the number of PCs sold worldwide dipped slightly in 2012 to about 350 million, the sheer number of PCs that have accumulated in offices and homes over the past several decades still dwarfs the world’s population of active smartphones and tablets.

Given the popularity of these mobile devices, however, this equation will inevitably shift and place them at greater risk. Worldwide smartphone sales are expected to reach 1.5 billion units in 2017, more than doubling the 712 million sold in 2012, according to a recent “Mobile & Wireless Communications Report” from information and analytics provider IHS Inc. Smartphones, once seen as a high-end luxury device, will by the end of this year represent the majority of all handsets sold worldwide.

By 2015 more Americans will access the Internet via mobile devices than with PCs or any other type of wireless device, according to the CTIA. Other researchers expect tablets alone will outsell PCs by 2015.

Layered defense
Cell phones older than the iPhone and Android handsets relied upon simpler operating systems that were difficult to corrupt and hardly worth the effort. More advanced smartphones offer handheld access to Web browsers, e-mail and a number of other exploitable software programs. When the iPhone launched in June 2007, much of Apple’s security strategy centered on restricting third-party apps from running on the phone.

Apple has lifted some of its earlier restrictions but maintains a vigorous vetting process for its apps. Developers submitting apps for the company’s App Store must pay $100 annually for a developer’s license and may be subject to additional questions about their identity. Assuming a developer passes that initial screening, his or her app then requires Apple’s approval to appear in its App Store. More likely the company would find and snuff out a malicious app before it had a chance to do any damage, Miller says.

There are fewer barriers, in this context, when targeting PCs. “An attacker [could instead] write Windows malware, and the only thing they really have to worry about is antivirus blocking it,” Miller says. “If Apple figures out what the [malware developer] is up to, the company revokes that person’s developer’s license, and in addition to not successfully infecting any smartphones, they’re out $100. If an attacker has a limited amount of time and money, it makes more sense for them to continue attacking PCs.”

If an attacker opts instead to mimic “drive-by” malware that has been successful in infecting PCs via Web browsing, success is likely to be limited by the way many smartphones and tablets are designed. Apple’s devices, in particular, have several features to keep malware from spreading, Miller says. One such feature Apple has added to more recent versions of iOS—called “sandboxing”—partitions different parts of the mobile device so a problem in one area, such as an attack against the mobile browser, will not spread to the rest of the device. “An attacker would need one vulnerability to get onto the phone and then a second one to break out of the sandbox,” he adds.

The Android way
Despite Apple’s popularity and high profile, more than 470 million Android handsets were sold in 2012. By 2017 this number is expected to grow to more than 1 billion, giving the platform a 67-percent share of the smartphone market, according to research firm Canalys. The researchers project Apple will own about 14 percent of the market in 2017.

“Android is a very secure operating system—if you keep it up to date,” Miller says. “This is not always possible, especially if device makers don’t support the most current versions of the operating system.”

Defensive posture
As people start using their smartphones and tablets instead of their PCs to do online banking and purchasing, mobile devices become more appealing targets for attackers, Miller acknowledges. Likewise if PCs become more secure, attackers are likely to direct their efforts toward mobile.

One of the best protections against mobile malware and attacks is to keep all smartphone and tablet software up to date. It is important to be vigilant and question any app making strange or superfluous requests to access data on your device. “It’s very easy to write an app for Android, for example, that asks for tons of permissions, such as sending text messages even when the app doesn’t need to do this,” Miller says.

The Electronic Privacy Information Center (EPIC) recently filed a complaint with the U.S. Federal Trade Commission over an Android smartphone app conceived by Samsung and Jay-Z to promote the performer’s latest album. The complaint claims, among other things, that Samsung “collected data unnecessary to the functioning of the Magna Carta App.” The app requested permission to access the phone’s call log as well as modify or delete contents of the phone’s USB storage.

Before adding any app, look at the permissions it is requesting. Your device will be much more secure if you resist the urge to install suspicious software.
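The permission check described above can be done systematically from an app's manifest rather than by eye. The following is an added example, not code from the article or from any app it mentions: it parses a constructed AndroidManifest.xml for a hypothetical album-promotion app and reports every sensitive permission the app declares that its stated purpose does not account for. The permission names (SEND_SMS, READ_CALL_LOG, WRITE_EXTERNAL_STORAGE and so on) are real Android identifiers; the manifest contents, package name and the allow-list of "expected" permissions are assumptions made up for illustration.

```python
"""Audit the permissions an Android app declares in its manifest.

Added example (not from the article). It parses a constructed
AndroidManifest.xml and reports any sensitive permission the app asks for
that is not on the allow-list of permissions a reviewer expects for the
app's stated purpose. Permission names are real Android identifiers; the
manifest content itself is made up for illustration.
"""
import xml.etree.ElementTree as ET

# Android manifests put attributes such as android:name in this namespace,
# so ElementTree exposes them as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant access to data or capabilities a user would care about.
# These are real Android permission names; the short descriptions are ours.
SENSITIVE_PERMISSIONS = {
    "android.permission.SEND_SMS": "send text messages (can cost money)",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete files on shared/USB storage",
    "android.permission.RECORD_AUDIO": "record audio with the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "read precise location",
    "android.permission.READ_PHONE_STATE": "read phone identity and state",
}

# Constructed manifest for a hypothetical album-promotion app (package name is
# made up): it plausibly needs network access, but also asks for the call log,
# shared storage and SMS, none of which its purpose explains.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.albumpromo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Album Promo"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """Return the permission names declared via <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name:
            perms.append(name)
    return perms


def audit_permissions(manifest_xml: str, expected: set) -> list:
    """Return (permission, why-it-matters) pairs for sensitive permissions the
    app requests that are not on the reviewer's allow-list for its purpose."""
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in SENSITIVE_PERMISSIONS and perm not in expected:
            findings.append((perm, SENSITIVE_PERMISSIONS[perm]))
    return findings


if __name__ == "__main__":
    # What a reviewer would accept for an app whose job is to stream promo content.
    expected_for_promo_app = {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
    }
    for perm, reason in audit_permissions(SAMPLE_MANIFEST, expected_for_promo_app):
        print(f"UNJUSTIFIED: {perm} -> {reason}")
```

The allow-list is deliberately per-app: the same permission can be legitimate for a messaging client and unjustified for a music promotion, so the audit compares what is declared against what the app's purpose explains rather than against a single fixed blacklist. On a real device the same list is shown in the installer or in the app's settings page, so the manual check the article recommends amounts to running this comparison in your head.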