Smartphones: A bigger target for security threats

Cheaters beware. In late October, Indonesian developer Sheran Gunasekera released mobile-phone software that can help someone eavesdrop on your conversations. A distrusting partner or spouse can secretly download the free application, called PhoneSnoop, onto your BlackBerry, remotely turn on the microphone, and listen to conversations held in proximity to the device.

PhoneSnoop, downloaded more than 2,000 times since its release, is one of a growing number of applications that can be downloaded onto a smartphone without a user's knowledge. FlexiSPY similarly can be downloaded onto Research In Motion's BlackBerry or the Apple iPhone. Smartphones and the growing number of people using them are becoming a bigger target for unauthorized and potentially harmful software, including worms, viruses, and spyware that tracks a user's Web activity. The smartphone security threat "is imminent," says Jeff Wilson, a principal analyst at consultant Infonetics Research.

Smartphones are increasingly prevalent and adept at handling more tasks, including trading stocks, paying bills, and buying stuff online. That makes them all the more attractive to thieves and hackers, says Khoi Nguyen, group product manager for mobile security at antivirus vendor Symantec. The number of smartphones shipped is expected to rise to 330 million units in 2014 from 178.3 million this year, according to ABI Research.

Storm8 games removed by Apple

Hackers can attack phone users through app stores, the Web, and e-mail. In early November, the so-called Rick Astley worm struck certain iPhones and turned their wallpaper to an image of the '80s music icon. A few days later, a related worm, iPhone/Privacy.A, began gaining access to users' e-mail and SMS messages, calendar appointments, contacts, and photos. Hackers could use that information to steal a phone owner's identity or personal data.

Mobile applications, sold or distributed through online app stores, are emerging as an especially attractive avenue for potential security breaches. Apple reviews apps before letting them onto its App Store, yet it's been unable to detect all threats. On Nov. 8, Apple removed free games developed by Storm8 that surreptitiously collected users' phone numbers. Storm8 concedes that the games collected phone numbers but says in a statement it did not use them "for any purpose" or "provide them to any other company." Storm8 says it has removed the offending code. Apple didn't respond to multiple requests for comment.

Smartphones are also vulnerable to the same Web-based and e-mail attacks that have long hammered PCs. One in five smartphone owners has already encountered what's known as a phishing scam, where hackers pose as a bank or some other trusted institution in an attempt to collect personal user information, according to a survey of 1,016 U.S. smartphone users conducted by virus-scan vendor Trend Micro in May.

Heyday for security vendors

The prospect of increased handset threats of course means a potential heyday for security vendors. Sales of mobile-security software for handsets will rise to $1.6 billion in 2013 from $113 million in 2008, Wilson estimates. Companies including McAfee, Symantec, Trend Micro, and such startups as Discretix and Callpod stand to benefit.

As carriers such as Vodafone beef up their network and phone security, vendors including Cisco Systems, Juniper Networks, and CheckPoint, which sell security appliances for telecommunications networks, may also generate higher sales. "There's a ton of opportunity in mobile security," Wilson says. Vodafone sells some of its smartphones with third-party security software preloaded.

Earlier this year, Discretix, which makes software that checks for unauthorized cell-phone components and software, won a contract to monitor the larger-size smartphones known as mobile Internet devices based on Intel chips. Discretix also works with handset makers such as Motorola, and has seen its sales rise 215% in the past five years, says Jacob Greenblatt, director of corporate strategy at Discretix.

Symantec is developing a product, due in 2010, that would let carriers offer customers Web filtering and parental control of Web sites accessed via smartphone. "Most carriers aren't [offering these services] today," Nguyen says.

Consumer market is potential bonanza

Corporations are also beefing up mobile security, acquiring everything from antivirus software to remote-wipe programs, which can remotely erase all information stored on a stolen smartphone. Currently, about 10% of companies with more than 1,000 employees have deployed such wiping software, according to Infonetics. BlackBerry maker RIM lets company IT administrators set more than 450 policies that bar downloads of unauthorized software.

Direct-to-consumer sales may represent the greatest opportunity. Callpod says its free Keeper software, which converts data into secret code to make it secure and protects personal information on the iPhone, is downloaded about 100,000 times a month at the Apple App Store. The company expects to release a similar app for the BlackBerry in the next month. Free apps may not stay free, and prices on for-sale software may rise. "I suspect our pricing will increase," says Carol Carpenter, a general manager at Trend Micro, which sells mobile antivirus software.

Eventually, consumers may pay $10 to $20 a year for mobile security software, Wilson estimates. "It has to be less than the PC [security software] because of the perception of the devices being smaller and less powerful," he says.

Smartphone precautions may become increasingly necessary, whatever the price tag. "No smartphone right now is 100% secure," says Jonathan Zdziarski, the author of iPhone Forensics, who helps police hack into suspects' iPhones. "I just don't put anything on my iPhone I'd not want somebody to see."

Kharif is a senior writer for BusinessWeek.com in Portland, Ore.