Cyber criminals could increasingly look to attack, hijack smartphones in 2013

Enlarge Image

Canada's privacy commissioner says Canadians aren't doing enough to protect their mobile communication devices, like cellphones and tablet computers. A survey by the commissioner's office says only four in 10 people password-protect their phones or adjust privacy settings on personal-information sharing via downloaded applications. A text message is sent on a mobile phone, November 9, 2010, in Montreal. THE CANADIAN PRESS/Ryan Remiorz

TORONTO - Some cyber criminals who disseminate viruses and malware in attempts to hijack computers are beginning to shift their focus.

Your smartphone may be their next target.

PC users have learned to be constantly vigilant to the threat of viruses, which attack relentlessly, slow down computers and potentially put valuable personal information at risk.

Windows computers will continue to be targeted going forward but cyber thieves are casting a wider net in the hunt for digital prey.

This past year, hundreds of thousands of Apple computers — which had long been thought to be immune to viruses — were hit with the so-called Flashback or Fakeflash malware. Apple machines had been free from attack for so long that the computer giant brazenly stated on its website that "it doesn't get PC viruses." You won't find that claim online anymore. Now Apple only says its computers are "built to be safe."

It's unclear how much Apple computers will continue to be targeted in the near future, but experts say 2013 may be the year that smartphones come under heavier attack.

A few months ago, the Federal Bureau of Investigation issued a warning to U.S. citizens about growing smartphone threats, named Loozfon and FinFisher, on Android devices.

The FBI was alerted to mobile websites that claimed to offer work-at-home job opportunities. A link on the fraudulent websites triggered an attempt to download Loozfon on an Android phone, which steals data from a user's address book.

FinFisher is a far more sophisticated threat, which can essentially take over a phone, allowing it to be controlled and monitored remotely. Hackers can capture images of what is displayed on the phone's screen, record what users type in, and listen to phone calls. The program, which was originally designed for government and law enforcement agencies before being co-opted by nefarious groups, can be run on Android devices as well as iPhones, BlackBerrys, Windows and Symbian phones.

The good news is that hackers have yet to begin aggressively targeting average consumers in North America, said Seth Hardy of the Citizen Lab, a research group based out of the Munk School of Global Affairs at the University of Toronto.

"The risk is still pretty low but that doesn't mean it's always going to be that way, it's just still a relatively new space," Hardy said.

"The moment people start to figure out how to take advantage of it for money is when we'll see a lot more of it targeting the average user."

The Android platform — which happens to the most popular globally — is the most under attack. According to a recent report by security firm F-Secure, more than 51,000 different threats targeting Android devices were discovered during the third quarter of the year.

One major problem has been the ability of scammers to sneak malicious apps into Google's official marketplace. Google launched a feature called Bouncer earlier this year to address the issue and claims it reduced "potentially malicious downloads" by 40 per cent — which suggests viruses can still sneak through without detection.

AVG, the maker of free and premium anti-virus software, has had a mobile product for a couple of years already.

"We're now starting to see some significant threats and an increase in threats on (Android)," says AVG spokesman Tony Anscombe, who noted the company also has mobile apps for iPhones and Windows phones.

Avast!, Lookout and Sophos also have free mobile security apps.

Anscombe said there are several ways a hacker can exploit a victim once getting into their phone.

"If you think about the traditional methods of scamming somebody, using phishing or viruses on a PC platform, I can start stealing your identity, I can start building a profile on you and then potentially take your details and maybe auction your identity off — and depending on what information it has in it, it might fetch up to $20 for another cyber criminal," he explained, adding that hackers are now hijacking phones and sending text messages or making calls that incur massive charges.

"If I can get the right access on your mobile device ... I can monetize directly. It's a much easier way for someone to make money out of the bad stuff they do."

Users who decide to seek out pirated content through unofficial app stores face a more significant risk of picking up a mobile bug.

"Angry Birds was taken off the legitimate store, modified and then listed in third-party app stores. It gave the app additional privileges (so hackers) could send SMS messages," Anscombe said.

"But the user doesn't necessarily look at the privileges when they install an app. Especially with the younger generation, they'll start emailing (their friends bragging), 'Hey, I can get this for free.'"

Hardy said looking into a mobile anti-virus app isn't a bad idea but users should never let their guard down.

"Having anti-virus as part of a layered solution is always a good thing, but believing that any one security measure is going to completely protect you is generally incorrect and might lead you to more risky behaviour."