Though malware is not yet common on mobile phones, experts are taking a hard look at how it could appear down the road, hoping to find solutions before real attacks emerge.

Researchers from Rutgers University recently identified a series of possible attacks on smart phones, including one that would grant the attacker the ability to eavesdrop on a user. They will present these proof-of-concept attacks tomorrow at HotMobile 2010, a conference taking place in Annapolis, MD.

The researchers didn't exploit any vulnerabilities to get it onto the phone--instead, they pre-installed a rootkit. This is a piece of software that buries itself deep in a device's operating system, where it can take control of most of the software running on the machine. Though there are some legitimate uses for rootkits, for the most part they're a particularly nasty type of malware.

The researchers demonstrate their system on the NeoFreeRunner phone, running the open-source software stack OpenMoko. Their attacks used malicious text messages to give instructions to the rootkit. Because the rootkit is able to control so much of the phone's software, it could hide the text messages from the legitimate user and carry out instructions without interference.

In one attack, the researchers instructed the phone to call a specified number, which might allow them to use the smart phone to listen in on a confidential meeting attended by the legitimate user. They were also able to instruct the phone to report its location to the attacker, and to drain its battery by turning on energy-hogging features without the user's knowledge.

The Rutgers researchers believe that smart phones will soon need to have tools for detecting rootkits and other malicious software. This could be a challenge, they say, because the algorithms used to search for such software use a lot of processing power and would reduce battery life. So they propose offloading that processing to the service provider, following the model of cloud-based antivirus that has been gaining traction on desktop computers.

This weekend a Swiss computer security researcher released an application designed to demonstrated the kind of personal information that a malicious iPhone application could potentially harvest personal from unwary users (pdf). The disclosure came just two weeks after the first truly malicious iPhone worm was released for jailbroken iPhones.

So, are we're on the brink of a mobile malware pandemic?

Not necessarily, says MikkoHypponen, chief research officer for the Internet security company F-Secure, based in Helsinki, Finland. Hypponen has been collecting mobile malware specimens for the past 10 years. His count, so far, is 454 mobile viruses and Trojans since 2004. And, despite many security experts predicting that serious attacks against mobile devices are inevitable, Hypponen has observed the opposite trend. "Instead of getting worse, malware on mobile devices has been slowing down over the past two years," he says.

The main reason, Hypponen suggests, is that most phone platforms exercise more control over the applications they run than desktop computers do. For example, mandatory application signing for the iPhone means that programs can't run without authorization from Apple. Android's open platform doesn't use mandatory signing, but Google has designed a new security model for the operating system to minimize the damage that can be done by a malicious application.

Hypponen also believes that fragmentation in the phone market has hindered malware writers so far: no single mobile operating system dominates the way Windows does on the desktop, so it's hard for virus writers to know where to focus their efforts. Furthermore, he says, far fewer people have the sort of low-level knowledge of specific mobile devices that's needed to create successful malware.

However, Hypponen notes that the malware observed so far requires a user to install something malicious, instead of exploiting a vulnerability in the operating system itself. The real danger, he says, is when malware authors discover ways to attack a mobile device without that level of user participation.

"When that happens," Hypponen says, "everything we know about mobile malware will have changed."

As cell phones become more like pocket computers, many people are calling for closer scrutiny of their security. Such people usually point out that today's phones are a lot like the desktop PCs of the mid-1990s. Attackers can apply a huge body of experience from attacking desktop machines when looking for a way into mobile devices.

However, some experts argue that mobile phones are actually simple enough to be vulnerable to attacks originally designed for embedded systems.

"The phone is a very stripped-down environment," says Benjamin Jun, vice president of technology at Cryptography Research, a security research company based in San Francisco, CA. "Which means that someone who's trying to attack the device generally has an easier time, because it's not as complicated as a desktop system."

To demonstrate this, Cryptography Research adapted a smartcard attack for use against today's smartphones.

About a decade ago, the company found that a technique called differential power analysis would allow an attacker to extract the cryptographic keys from a smartcard by analyzing its patterns of power consumption. As it turns out, Jun says, the same type of analysis will reveal the cryptographic keys that a phone uses to access a carrier's network or to secure data stored on the device. In contrast, such an attack would be hard to pull off on a more complicated device, simply because a laptop, for example, would run more programs at the same time and produce a lot more noise.

The smartcard attack called for the attacker to be in possession of the object, but, in adapting it for smartphones, the researchers found a way to do the same types of calculations based on leaked electromagnetic signals picked up with an antenna.

Jun believes attacks on mobile devices are particularly serious because these devices are being used to access high-value corporate data.

But the bad news has a flip side. Jun notes that, just as attackers have experience exploiting vulnerabilities on embedded systems, manufacturers have experience developing countermeasures. Because embedded systems have even more limited memory and processing power than today's mobile devices, he thinks these countermeasures would be relatively easy to translate to smartphones.

"The main question is whether protections can be done entirely in software or not," Jun says. Entirely software-based solutions would be cheapest to roll out, he notes. Hardware countermeasures, however, are readily available and have already been shipped in millions of smartcards.