Smartphones have become an effective way for criminals to distribute malware because it's harder to recognize on a smartphone than it is on a PC. "Screen real estate is very limited on these devices," he says. "The visual cues we're used to on PCs [when we download a virus] are not available in a mobile environment. Even to sophisticated users, it's not entirely clear what's happening behind the scenes."
Faster connectivity and more powerful devices further complicate security. Schmidt says both factors make it easier to download malware more quickly, without the user knowing. "That makes a compromised device more valuable to a bad guy," he adds.
Both factors also make smartphones more susceptible to drive-by downloads.
How Drive-By Downloads Work on Your Smartphone
Attackers are adapting the effective drive-by download method, popularized on PCs, for mobile devices, says Kevin Johnson, founder of information security consultancy Secure Ideas and author of Security 542: Web Application Penetration Testing and Ethical Hacking.
Drive-by downloads work by exploiting vulnerabilities in Web browsers, plug-ins or other components that work within browsers. Through a browser vulnerability, a drive-by download dumps an application, such as fake anti-virus software (malware disguised as anti-virus software), onto the user's computer.
On a smartphone, drive-by downloads work differently, says Johnson, who is also a senior instructor with the SANS Technology Institute. "With an iPhone, I can't browse to a Website and have it install an app on my iPhone. The iPhone is not capable of doing that, which is good," he says. "The problem is that the drive-by download model has changed to take that into account."
So instead of dumping an app onto your smartphone's OS, the infected Website exploits a vulnerability in, say, the Safari browser and runs commands or packages within the phone's operating system to change the way it works, says Johnson.
"It's not installing the software, but it's still doing bad stuff to the phone," he adds. "It's considered jail-breaking or rooting the device."
How to Protect Your Smartphone
IT departments can lock down corporate-owned smartphones so that employees can't install anything on them or browse to random Websites. Securing employee-owned smartphones is obviously a lot more difficult. Johnson says companies need to emphasize awareness and make employees understand security risks. He also recommends mobile device management systems that restrict certain user activity.