Smartphone Malware

by Mike Barry
CEO Fort Collins Web Works LLC

Smartphones are really just small portable computers, and any computer that can be programmed can be attacked by hackers. They haven't bothered with smartphones because they just haven't been popular enough, but smartphones are expected to outsell computers this year, making them a valuable target for malware. The security firm Lookout has already found malware on 9% of the smartphones they tested in May 2010.

You can infect your smartphone by downloading an infected app or by connecting your phone to an infected computer. Some hackers download a legitimate app, insert their malware, and then put it on a website where you can download it for free, so only download apps from websites that you trust. Apple and Microsoft prevent smartphone malware by requiring users to download apps from their website and testing the apps before they make them available to users. Anyone can publish an app for the Android, but Google is trying to eliminate apps with malware. Google found malware that had infected over 200,000 smartphones in their Android Market. They remotely removed over 50 apps by Myournet, Kingmall2010 and we20090202 from Android smartphones.

Smartphone malware can place calls or text messages to premium numbers, running up huge charges on your phone bill, send your banking security codes back to the hackers, download other apps, or send contact information back to the hackers. Androids, Blackberries, and iPhones have all been attacked by malware. The Android.Pjapps sends text messages to premium numbers and then blocks incoming texts coming from your carrier so you can't tell that you have exceeded your quota.

If you find that your smartphone has been infected by malware, F-Secure, Symantec and Kaspersky sell security software for smartphones that will remove it and prevent more infections.

Even legitimate applications can cause problems. Most smartphones have GPS units that allow them to track where you have been, and if those that don't have GPS can track your approximate location based on which cell phone towers detect your signal. Tracking ability was designed into the cell phones so law enforcement could track your location whenever your phone is turned on, and so your phone company knows when they can charge premium rates when you leave your home territory. One smartphone user turned on his phone a few times during a vacation to Mexico just to see if he could get service. He didn't make any calls or receive any calls, but his service provider noted that he was out of the country so all the calls made to his number that were routed to voicemail got charged at premium rates and it cost him over $100. Some app developers have been caught collecting your private information including where you have been, and then selling it to marketing companies. Unfortunately there isn't any way to prevent this kind of abuse.

Most smartphones store the files with your tracking data at the phone company, but Apple iPhones and iPods store the data on your local device and on any computers that you use to sync your iPhone or iPod. Storing your whereabouts on other computers increases the chances that someone else will hack a system that tells them where you have been. Peter Warden and Alasdair Allan created a nice website that explains how to read the location files on your Apple products.

If you aren't worried about someone knowing where you have been and where you are likely to be in the future, consider the fact that some of the location data stored by the smartphones can be wrong. The smartphones can use either GPS or proximity to cellphone towers to determine your location. GPS coordinates are usually very accurate, but sometimes the data from the cellphone towers makes it look like you are somewhere else because buildings, topography or other structures interfere with the signals. I normally wouldn't care if someone spying on me thinks I am somewhere that I not, but if the police use this data to place you at the scene of a crime, or a divorce lawyer or prospective employer uses it to place you in an undesirable establishment you could be in trouble.

refs: Denver Post, Computerworld, Kim Komando, iPhoneTracker

footer content