There were two stories this week that highlight the need for smartphone owners to look at security on their phones like they do on their other personal computing devices.
The first was from Reuters, which on Wednesday reported that about 7 percent of all smartphone owners were victims of identity fraud in 2011. The statistic came the research firm Javelin Strategy & Research, which also stated that its study indicated some 12 million Americans were victims of identity theft last year, a jump of 13 percent from 2011.
The Reuters story says that cyber thieves are increasingly targeting smartphones because more are being used and their owners tend to be less cautious about IT security. For instance, it states that, according to Javelin, some 62 percent of smartphone users don't use a password to protect their phones. In addition, free phone apps are increasingly loaded with malware (pdf). Downloading from well-known app stores reduces the risk, but does not eliminate it completely if there exists another route into the phone, as the next story indicates.
The other smartphone security-related story appeared in today's LA Times, which reports that well-known security analyst Dmitri Alperovitch has discovered a zero-day security hole in Android and Apple smartphone browsers that allowed him to plant "malware that can commandeer the device, record its calls, pinpoint its location, and access user texts and emails." Alperovitch is going to present his findings at the RSA conference next week.
According to the Times, Alperovitch, along with a team of other security specialists, started with Nickispy (a Trojan Horse remote access tool emanating from China that disguised itself as a Google+ app), reversed engineered it, and then were able to successfully get the malware to load on an Android-based smartphone through a self-created phishing email. Once loaded, the smartphone functions, including all voice communications, could be completely accessed by a malicious remote user. Alperovitch also says once loaded, "there is no security software that would thwart it."
The Times article also states that a Chinese web site last year was selling Nickispy for US $300 to $540 to customers who wished to "spy on smartphones that ran Symbian or Windows Mobile operating systems." You can watch how Nickispy works in this McAfee video.
There will no doubt be other IT security findings of interest coming out of the RSA conference next week; look for further updates here at the Risk Factor.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.