Poison Text Messages, Malicious Mobile Apps on the Rise

Nearly one in five mobile phone users have experienced some type of security threat with their device. That's the finding of a Cloudmark survey of 1,000 cellphone users, scheduled to be released Tuesday.

Poison text messages, nearly non-existent in the U.S. a few years ago, grew 300% in 2010 and 400% in 2011, accounting for about 1% of all text messages. "We've gone from totally clean to a trickle," says Rachel Kinoshito, head of Cloudmark's security operations. "Most people are seeing about one a month."

That foothold is part of a broader concern. Variations of scams that infest the Internet, through PC browsers, have begun spreading on a meaningful scale through mobile devices. And it looks like the bad guys are just getting warmed up.

One type of poison text message involves tricking people into signing up for worthless services for which they get billed $9.99 a month. Another type lures them into doing a survey to win a free iPhone or gift card. Instead, the attacker gets them to divulge payment card or other info useful for identity-theft scams. "Malicious attacks have exploded well beyond e-mail, and we are very aware of their move to mobile," says Jacinta Tobin, a board member of the Messaging Anti-Abuse Working Group, an industry group combating the problem.

Meanwhile, hackers are repurposing skills honed in the PC world to attacks on specific mobile devices. Particularly, handsets using Google's Android operating system are frequently the target of hackers. In December, anti-virus company F-Secure tracked down 1,639 unique malicious Android apps — disguised as free apps and circulating on websites across the Internet. That's up from 48 in January 2011.

One type offered and delivered a free copy of the popular Angry Birds game. But the victim is also unwittingly signed up for a premium-rate texting service and charged an extra $10 a month on his or her phone bill, says F-Secure researcher Sean Sullivan.

Network security company Juniper Networks says the pool of bad apps it has been tracking swelled 86% in February from January. Nearly half of the poisoned Android apps analyzed by Juniper were classic spyware, says Dan Hoffman, head of Juniper's mobile security business.

"We've identified malware that can steal credentials from e-mail and mobile banking applications," Hoffman says. "These attacks can be devastating."

The online industry is on high alert. The working group — whose members include AT&T, Verizon, Comcast, Facebook, PayPal and Time Warner — convened in San Francisco last month to join forces on defending new mobile threats.

"We need to stay ahead of what's happening with mobile abuse, social networking abuse and malware," says Tobin. "It makes sense for us to collaborate across all these channels."