For Hackers, the Next Lock to Pick
Hackers have broken into the cellphones of celebrities like Scarlett Johansson and Prince William. But what about the rest of us, who might not have particularly salacious photos or voice messages stored in our phones, but nonetheless have e-mails, credit card numbers and records of our locations?
A growing number of companies, including start-ups and big names in computer security like McAfee, Symantec , Sophos and AVG, see a business opportunity in mobile security — protecting cellphones from hacks and malware that could read text messages, store location information or add charges directly to mobile phone bills.
On Tuesday, McAfee introduced a service for consumers to protect their smartphones, tablets and computers at once, and last week the company introduced a mobile security system for businesses. Last month, AT&T partnered with Juniper Networks to build mobile security apps for consumers and businesses. The Defense Department has called for companies and universities to come up with ways to protect Android devices from malware.
In an indication of investor interest, one start-up, Lookout, last week raised $40 million from venture capital firms, including Andreessen Horowitz, bringing its total to $76.5 million. The company makes an app that scans other apps that people download to their phones, looking for malware and viruses. It automatically tracks 700,000 mobile apps and updates Lookout whenever it finds a threat.
Still, in some ways, it’s an industry ahead of its time. Experts in mobile security agree that mobile hackers are not yet much of a threat. But that is poised to change quickly, they say, especially as people increasingly use their phones to exchange money, by mobile shopping or using digital wallets like Google Wallet.
“Unlike PCs, the chance of running into something in the wild for your phone is quite low,” said Charlie Miller, a researcher at Accuvant, a security consulting company, and a hacker who has revealed weaknesses in iPhones. “That’s partly because it’s more secure but mostly because the bad guys haven’t gotten around to it yet. But the bad guys are going to slowly follow the money over to your phones.”
Most consumers, though they protect their computers, are unaware that they need to secure their phones, he said, “but the smartphones people have are computers, and the same thing that can happen on your computer can happen on your phone.”
Cellphone users are more likely than computer users to click on dangerous links or download sketchy apps because they are often distracted, experts say. Phones can be more vulnerable because they connect to wireless networks at the gym or the coffee shop, and hackers can surreptitiously charge consumers for a purchase.
There have already been harmful attacks, most of which have originated in China, said John Hering, co-founder and chief executive of Lookout.
For example, this year, the Android market was hit by malware called DroidDream. Hackers pirated 80 applications, added malicious code and tricked users into downloading them from the Android Market. Google said 260,000 devices were attacked.
Also this year, people unwittingly downloaded other malware, called GGTracker, by clicking on links in ads, and on the Web site to which the links led. The malware signed them up, without their consent, for text message subscription services that charged $10 to $50.
Lookout says that up to a million people were afflicted by mobile malware in the first half of the year, and that the threat for Android users is two and a half times higher than it was just six months ago.
Still, other experts caution that fear is profitable for the security industry, and that consumers should be realistic about the small size of the threat at this point. AdaptiveMobile, which sells mobile security tools, found that 6 percent of smartphone users said they had received a virus, but that the actual number of confirmed viruses had not topped 2 percent.
Lookout’s founders are hackers themselves, though they say they are the good kind, who break into phones and computers to expose the risks but not to steal information or behave maliciously. “It’s very James Bond-type stuff,” Mr. Hering said.
A few years ago, he stood with a backpack filled with hacking gear near the Academy Awards red carpet and discovered that up to 100 of the stars carried, in their bejeweled clutches and tuxedo pockets, cellphones that he could break into. He did not break into the phones, but publicized his ability to do so.
He started Lookout in 2007, along with Kevin Mahaffey and James Burgess, to prevent such intrusions. It has free apps for Android, BlackBerry and Windows phones, but not for iPhones. They are less vulnerable to attacks, security experts say, because Apple’s app store, unlike Android’s, screens every app before accepting it. Also, Android is the fastest-growing mobile platform, so it is more attractive to hackers.
Google says it regularly scans apps in the Android Market for malware and can rapidly remove malicious apps from the market and from people’s phones. It prevents Android apps from accessing other apps and alerts users if an app accesses its contact list or location, for instance.
Lookout also sells a paid version for $3 a month, which scans apps for privacy intrusions like accessing a user’s contact list, alerts users if they visit unsafe mobile Web sites or click on unsafe links in text messages, backs up a phone’s call history and photos, and lets people lock or delete information from lost devices.
T-Mobile builds Lookout into its Android phones, Verizon uses its technology to screen apps in its app store and Sprint markets the app to customers. The cellphone carriers and Lookout share the revenue when a user upgrades to the paid version.
“In mobile security circles, you never wait on it to become a problem and it’s too late,” said Fared Adib, vice president of product development at Sprint.
Meanwhile, because mobile phone attacks are still relatively rare, Lookout’s free app includes tools, including a way to back up a user’s contacts and a feature that enables users to turn on an alarm on their phone when it is lost.
“You’re way more likely to just leave it in a cab than you are going to be attacked by a hacker,” said Mr. Miller, the security researcher.
And in addition to collecting money from paying subscribers, Lookout plans to sell the service to businesses. It has a chance because consumers are increasingly bringing their own technologies into the workplace, and Lookout’s app is consumer-friendly, said Chenxi Wang, a security analyst at Forrester Research.
“It’s something a lot of I.T. guys are worried about because they have no control over what consumers are doing and what these apps are doing,” Ms. Wang said.
Giovanni Vigna, a professor at the University of California, Santa Barbara who studies security and malware, said it was only a matter of time before mobile security was as second nature to consumers as computer security.
“The moment malware starts using text messages and expensive minutes people have to pay for, things will move a lot faster,” he said.