Mobile viruses are becoming more common; so are many other
security threats to mobile devices and the data they hold.
Most recently, however, researchers have learned that hackers
are now creating mobile spyware, which manipulates SMS messages and
allows them to be read by others.
David Rayhawk, senior researcher for McAfee Mobile, said there
is evidence that malware writers are now actively working on
developing their own mobile spyware. So far, he said, a Russian
malware author has released a prototype of SMS-forwarding spyware
that is invisible to the user, loads on startup, and forwards SMS
text in a new SMS to the spyware's author. The malware breaks down
at the forwarding part, but with some tweaking, Rayhawk said, an
experienced hacker could figure it out.
The recent discovery is not the first time mobile spyware has
been noticed, but Rayhawk said that it is time for folks to pay
attention.
"It's definitely not the end of the world," he said, noting that
whoever created the most recent mobile spyware program also
released the incomplete source code that would allow hackers to spy
on others. If that source code spreads further, he said, it could
be cause for alarm.
"If that source code gets out, a semi-able hacker could adjust
it," Rayhawk said.
The spyware works like this: A hacker sends an SMS message to
the target. The target opens the message, installing the spyware
onto the device. That spyware, unbeknownst to the victim, takes the
SMS messages and forwards them on to the hacker.
Rayhawk said mobile operators should be the most concerned
because protecting devices would cost them money, and a massive
spyware outbreak could also have a financial impact. But he said
it's premature for users to worry.
"The likelihood of an individual user getting targeted is pretty
low," he said.
There are steps that can be taken to avoid falling victim to mobile
spyware, however. Rayhawk said embedded device security, such as
antivirus, should be installed on devices when they come from the
manufacturers.
In March, malware was found that copied SMS messages and sent
them to a server where they could be retrieved by hackers. Then, in
September, spyware was found that could retrieve SMS messages,
contact numbers and call logs. There is also mobile malware that
can call a device, make the device answer silently without the
user's knowledge, and turn the device into a remote bug.
Rayhawk suggests that smartphone and mobile phone users start
treating their devices more and more like PCs. He said that -- as a
culture -- mobile users need to recognize that their devices are
just as susceptible as their larger, fixed counterparts to spyware,
worms, viruses and other malware.
"People trust phones too much," Rayhawk said. "Users need to
apply the same level of paranoia to their phones as they do to
PCs."