For Hackers, Attacking Phones and Tablets Is the New Hotness
Among the set of people who dream up new ways to attack digital infrastructure for pleasure and profit, PCs and Web sites are old hat. The new hotness is mobile devices, smartphones and tablets, which people are buying in ever larger numbers and using for everything from banking to shopping and more.
That’s the finding of a new research report from the networking concern Juniper Networks. Its 2011 Mobile Threats Report found that the amount of malware created for mobile devices across all operating systems more than doubled in 2011 over the previous year. Juniper said it found nearly 28,500 samples of malware, up from a little more than 11,000 in 2010. Most of them — more than 46 percent, in excess of 13,000 samples — targeted Google’s Android operating system, Juniper said. Another 41 percent targeted the older Java ME operating system.
And what kind of malware was it? Spyware, mostly — stuff designed to capture information and send it on to someone else. More than 63 percent of the malware found could track a phone’s location, collect financial information, and do other stuff you’d probably rather your phone didn’t do without your knowing about it. Another 36 percent were Trojans sent via text message. These Trojans run in the background and send text messages to premium-rate numbers the attacker owns, then collect the fees generated for sending the message.
And what about Apple’s iOS? Apple’s tight control on the application ecosystem — the iTunes App Store, where all applications have to be approved — has so far given it a pretty good record on security. That doesn’t mean it’s completely out of the woods, Juniper says. Apple doesn’t provide developers with the information they need to create security screening programs that run on the phone itself. That means that if, for some reason, its application-vetting process fails — let’s say some app contains an evil feature that no one notices before it’s too late — there’s no competitive set of third-party security companies providing software to help clean up the mess afterward.
In one example during 2011, a security researcher found a way to upload an unapproved app to iTunes by faking the code-signing process used for approved applications. It proved the point that a chink in Apple’s armor did exist, and Apple later issued a fix.
Juniper predicts that it’s going to get more complicated this year. While Google has started to actively scan applications on its Android Marketplace for malicious code, that only means that third-party app stores will become more attractive targets. And as certain apps become popular across many platforms — think office applications — attackers will go after those in much the same way they did popular applications on the PC. That smartphone you have in your hand may soon be a digital battlefield.