After several years of paranoid news articles, it seems as though the age of mobile phone hacking might finally be upon us.
As smartphones took off, anti-malware companies spent the last few years warning about the potential of smartphone Trojans and viruses. Some of them have even released products designed to protect these endpoints, but aside from a few proof-of-concept binaries, little seems to have happened.
A few things recently suggest that the mobile phone security threat may be gaining traction.
Cisco's latest annual security survey, released yesterday, has found that criminals are investing more resources in exploits specifically targeting mobile device users. It is only a nascent trend, the company says, but it is a distinct one. Significantly, Cisco believes that we have reached a tipping point with traditional PC security. Companies are getting better at building security into PC platforms and making patches available more quickly, the report said. Look out for exploits targeting Apple and Android operating systems this year, it added.
Both iOS and Android phones are getting sophisticated enough to allow malware to do some pretty devious things. Security researchers have developed an Android Trojan called Soundminder, for example, that listens for spoken or dialed credit card numbers or PINs, performing the necessary analysis to convert them from sound recordings into text that can then be sent back to an attacker.
That may be little more than a proof-of-concept Trojan, but other researchers have found a real one, in the wild, that is being bolted onto legitimate Android apps. It effectively converts the phone into a bot, enabling it to take remote instructions from an attacker.
There is another reason why smartphones might be the next significant attack target for criminals: mobile payments. Right now, smartphones are frequently enabled for online payments in one way or another. The iPhone features an in-app payment mechanism, for example, and many applications connect to services with stored credit card information. Bump, a popular mobile application that enables two phones in the same vicinity to exchange information, publishes an API that companies like PayPal use to facilitate mobile transactions.
Large retailers are starting to get in on the act. Coffee giant Starbucks has started taking mobile payments from the iPhone in the US, via a Starbucks Card Mobile app that connects the phone to the user's Starbucks card account.
I guess it was only a matter of time. After all, modern malware writers look for sensitive information that could be sold on. Smartphones are beginning to store more of that sensitive information, and are also connecting to a greater number of sensitive online services. My bank, for example, released its online banking iPhone app recently.
But the real inflection point for mobile payments will be Near Field Communications (NFC). This radio technology, already used in payment card and ticketing systems, is being prepared for phones, and one big rumour is that it will make its way into the iPhone 5. This would effectively turn your phone into a digital wallet, able to pay for things in cash. What self-respecting cyber criminal wouldn't want a piece of that action?