Malware makers target smartphone apps

In early 2009, Citigroup  launched a new mobile banking application for the iPhone. It let customers check their account balances and pay bills while on the go. Thanks to a bit of sloppy code, it also could have let hackers access the banking information for 118,000 customers who downloaded the app.
This story has a happy ending—Citi discovered the security flaw in June, before hackers could exploit it, and the bank says no customer lost money. However, experts say hackers may be quicker to exploit shoddy coding the next time around. "The bad guys follow the money," says Charlie Miller, principal analyst at Independent Security Evaluators, a consultancy based in Baltimore. "Criminals are going to start focusing on phones."
The number of attacks is still low. Although security experts discover hundreds of new strains of malicious code targeted at PCs every day, they've detected only 67 directed at smartphones in all of 2010, says Sean Sullivan, security adviser for the North American labs of F-Secure, a Finnish security software developer. Still, that's nearly double last year's total, and mobile devices become a larger target all the time. Morgan Stanley analyst Mary Meeker predicts that smartphones will outsell laptops and netbooks this year and will eclipse sales of all PCs, including desktops, by 2012.
That means more potential victims of malware—as in malicious software—and more customers for the security companies that protect against it. Jeff Wilson, a principal analyst at consultancy Infonetics Research, expects global revenues from smartphone security software to rise from $219 million last year to nearly $1.4 billion by 2013. Securing a foothold in the growing mobile security market was a key motivation behind chipmaker Intel's $7.7 billion purchase of McAfee in August and Juniper Networks' $70 million acquisition of SMobile Systems one month prior.
Much of the security companies' attention will likely be focused on Google's Android software. It's the fastest-growing mobile operating system, and may also be the most vulnerable to hackers, says David Goldschlag, vice-president for mobile at McAfee. Unlike Apple , which vets applications before allowing users to download them to their iPhones, Google doesn't check the apps posted to its Android Market, says Miller. (Google didn't return repeated requests for comment.)
That makes it easier for hackers to create applications that surreptitiously spy on users or access phone functions without permission. In July, a Chinese security company, NetQin, found an Android app that posed as a restaurant tip calculator but also forwarded users' text messages to hackers. Such text messages can contain sensitive financial information, especially as more smartphone users engage in mobile banking.
Other hackers have built apps that automatically call expensive, premium-rate phone numbers, racking up big bills for users. SMobile Systems, which develops antivirus software for phones, estimates that 2 percent of the apps in Android Market are able to send text messages without a user's knowledge, while 5 percent can dial a number without permission.
Despite such statistics, many consumers don't consider security software as essential on a phone as it is on a PC. They're willing to pay for other security-related services, including data backup or software to locate a lost phone, but the market for such convenience products is becoming highly competitive. To differentiate their offerings, the security companies bundle their antivirus software with those popular features. In July, McAfee purchased a startup, tenCube, which runs a service that helps locate missing phones using the device's GPS. On Oct. 5, Symantec updated its anti-virus software for iPhone and Android with tools to remotely erase data on lost handsets. SMobile Systems also includes data-wiping controls with its antivirus software.
Lookout, a startup in San Francisco, has compiled a database of more than 1 million smartphone apps. It uses that information to detect new threats and block potentially malicious applications. The company's apps also include data backup and the ability to remotely wipe data, and are used by more than 2 million people. John Hering, the chief executive officer of Lookout, which raised $11 million in venture capital in May, says the established companies like Symantec and McAfee don't yet have a lock on the field. "The next great security company will be built in the mobile space," he says.
The bottom line: Protecting smartphones against malware promises to become a big business for makers of antivirus software.
Kharif is a reporter for Bloomberg Businessweek in Portland, Ore.

Bloomberg Businessweek