Smartphone security threats are increasing, according to a new Symantec report. The latest edition of the Symantec Internet Security Threat Report is out, which looked at security risks during 2011. As usual, things are getting worse overall, but the threat in the world of mobile computing is still a small side show.
Almost all security vendors note steady increases in mobile malware, as does Symantec. As you can see from the graph below, growth took off in 2011, but the overall numbers are still small.
The types of malware found reveal that criminals appear to be adapting to the new environment. See the graph below:
The two biggest categories of malware spy on the device and the user. The third makes money by sending text messages to premium rate numbers set up by the attacker. When your phone calls or texts these numbers, your account is charged and the owner of the number paid. Typically attackers will charge a small number, perhaps $10, once a month on the theory that you won't notice it. According the Symantec report, the story of one gang earned $1 million/year using this technique. The criminals don't need a huge number of phones to do it.
Most of the remaining threats are more like PC malware. As with other areas of computer crime, mobile hackers move around from one technique to another looking for what will make them money.
Besides making a quick dollar, the more serious threat occurs when criminals use smartphones as a way to hijack data on the network. According to the report, Symantec saw examples of attackers using their control of smart phones to access data on enterprise networks to which they were connected. Indeed, the point of most mobile malware is to steal information. When the attacker has access to company data the threat becomes far more serious. This is the point where BYOD (Bring Your Own Device) becomes a disaster to the company.
Of the 187 million compromised identities found by Symantec in 2011, about 10% (18.5 million) were as a result of a lost device. This is clearly a big number, but it pales in comparison to the identity theft impact of network intrusions of a more conventional sort, such as by compromising a PC on the network.
Lost and stolen devices are a big problem and an up-and-comer, but it's not scalable from the criminal's point of view. You may be able to break into numerous databases and compromise thousands of identities from the comfort of your own home, but stealing a large number of smartphones is hard work. Symantec did a test where they purposely "lost" smartphones running monitoring software and then tracked the phones to see what happened to them. No, people who found the phones didn't look up "home" and call to return it. Instead, the test found that someone looked at private data on 96% of the phones and 50% of the phones were never recovered.
Computer criminals are a surprisingly conservative bunch, and they tend to stick with what they know works. Consumers have been much more adventurous by comparison, rapidly adopting mobile technologies and cloud services. The bad guys are working on these fronts, but it's not mainstream and may not be for some times.