Page last updated at 17:04 GMT, Friday, 12 November 2010

Is your phone at risk from cyber-criminals?

By Spencer Kelly and Alex Hudson
BBC Click

A smart phone made by Samsung Electronics is displayed at the main office of the company in Seoul
The smartphone market has become a lucrative target for cyber-criminals

While malicious software for smartphones is on the increase, it could still be human error that creates the easiest opportunities for cyber-crime.

Ever since phones became "smart", there has been concern that they could become riddled with malicious, self-replicating viruses and worms just like their less portable PC relatives.

So far, however, the expected deluge has not happened. Cyber-criminals are not flooding smartphones with malware.

"The organisations or bad guys are looking for money," says Tony Osborne of online security firm Symantec.

"I think as we see mobile phones used more as a method of purchasing or creating financial transactions, then we're going to see far more attacks."

'Enticing prospect'

But the sector is growing quickly. Market analyst Juniper Research says that over 200 million people worldwide will have used banking services on their phone by the end of 2010, doubling to 400 million by the end of 2013.

While this makes for an increasingly enticing prospect for hackers, the current problems faced by users are often a little less hi-tech.

Over two-thirds of smartphone users are leaving themselves vulnerable to opportunistic identity fraudsters by leaving their phone without a PIN or password, according to the government-supported GetSafeOnline.org.

And even then, the phone is still at risk.

"It isn't too difficult to break into a phone, you can just try every number from 0000 to 9999," says William Buchanan, professor of computing at Edinburgh Napier University.

"I think one of the major problems is that people don't realise how much information is on the device."

And it is not just what you have on your phone, but how ease of use has often superseded the need for security.

'Malicious code'

"Many social networking and other applications also use cookies to 'remember' personal information such as log in details," says Tony Neate, managing director of GetSafeOnline.org.

"This means that if someone else had your handset, they can access and use your profile without needing to know your password. In addition, if you synchronise your handset with a PC at home, they'll be able to access all of that information too."

Credit card and phone
Over 80% of banks now offer some form of mobile banking

But what about those criminals trying to get to your handset remotely?

"Attackers already have the tools to write the malicious code they need," says Mr Osborne.

"The new generation of smartphones are all geared towards downloading apps which are written by other users, using software development kits."

Straightforward spyware

In August, BBC technology journalist Mark Ward decided to find out if it would be possible to use these tools to write an application which posed as a simple game but in the background silently stole the phone's contact list and e-mailed it to a predetermined address.

"I think the big surprise was how straightforward it was to put the spyware together," he says.

"We were expecting to really sweat over the nasty bits, but all the bits we used are standard parts of all the applications you get on your phone. So there was no part of the phone that was cut off from those basic standard bits of coding."

Mark never made the application available but some malicious programs have been found in the wild.

Even for those not using their phones for full-on finance, there are ways for cyber-criminals to make money directly from malware.

Fake mobile application

A malicious, self-replicating virus called Commwarrior, which targets the Symbian operating system on Nokia handsets, arrives as a multimedia message.

If you click on it, you will run malicious code which scans your contact list, and sends a copy of itself to everyone it finds. Discovered in 2005, while worrying for experts, it failed to have the widespread impact that was once feared.

Also, an application for Google's Android operating system targeted users in Russia who thought they were downloading an adult video player.

Although it seemed to do nothing once installed, an examination of the source code revealed it was actually designed to silently send text messages to premium rate numbers owned by the bad guys. Users would be charged and the criminals would take the profits.

Suspicious contacts

So how can you be sure that an app you download isn't doing something untoward in the background?

"I think the problem is that you can't assume that every application that wants access to your contacts is suspicious," says Mark Ward.

Apple iPhone screen grab
Apple offers a subscription service which helps you locate a lost iPhone

"Take games for example. If you want to play a multi-player game via your phone, it needs to know your location, it needs to know your friends' locations and it needs to be able to bring you together to play with those friends - that's not suspicious."

The mobile operators advise users not to download apps directly from the web but to stick to the official application stores provided by the five different platforms - these only contain applications which have been pre-vetted.

So far, there have been no reports of malware getting through this vetting procedure but with thousands of apps to check and source code for each running into thousands of lines, no operator can absolutely guarantee that their vetting procedure will always be foolproof.

About 25 new pieces of smart phone malware are being discovered each week. While this is minuscule compared to the PC malware landscape, some companies have already launched antivirus products which scan and remove bad apps from the phone.

However, one of the most profitable and effective mobile phone scams is not a virus or even a malicious download.

It is a spam text message which asks the recipient to call a premium-rate phone number.

But the biggest threat to your smartphone is its portability and tendency to go missing.

There are apps, however, that can help you remotely wipe its memory or find it, so all may not be lost after all.
