Skip to Content

Clues Suggest Malware Is Moving from PCs to Mobile Devices

Researchers report signs that moneymaking malware common on PCs is being adapted to mobile phones and tablets.
March 4, 2013

The fact that smartphones and tablets don’t need antivirus software or regular software updates is a major reason for their popularity. That could soon change, however, as security companies report evidence that criminals are getting close to finding efficient and profitable ways to compromise many mobile devices at a time.

smartphones with error messages

If that happens, many more people would be exposed to mobile malware, and Apple and Google could be forced to regularly push out security updates for their mobile operating systems just as Microsoft does for Windows.

Smartphones and tablets don’t support the kind of criminal ecosystem associated with desktop and laptop computers. With PCs, people make money by using malicious Web pages and weaknesses in browsers and other software to install malware that steals login details or sends spam.

Criminals haven’t yet figured out a reliable business model for mobile, says Chris Astacio, a researcher at security company Websense. So far, attacks on mobile devices have been limited by the need to distribute malicious apps through mobile app stores, where Apple and Google take measures to screen out malware and quickly remove anything that does slip through.

Astacio believes that attackers will soon deliver mobile malware through Web pages instead, essentially the same approach that drives most infections on conventional computers. In a presentation last week at the RSA security conference in San Francisco, he reported evidence that the software currently causing most infections on laptops and desktops—according to figures from both Websense and another security company, AVG—could soon target mobile devices, too.

That software is Blackhole, which Astacio is investigating. It’s an example of an exploit kit, a package used by criminals to install malware onto people’s computers when they visit a compromised Web page. Blackhole, found on some NBC websites last month, assesses a victim’s computer so as to covertly offer them malware they are vulnerable to. The kit is an efficient way to distribute moneymaking malware at large scale.

While reverse-engineering the latest version of Blackhole, Astacio noticed that the software now specifically looks out for iPhones, iPads, and Android devices. Astacio believes Blackhole’s developers are preparing to target mobile devices with malware that can take control of a phone or tablet through its mobile browser.

“This all comes down to efficient hacking for mobile attackers—you already have the infrastructure set up for exploit kits to profile and target mobile devices,” says Astacio. “Mass mobile compromises seem to be the natural progression.”

Jaime Blasco, who leads the malware research labs at security company AlienVault, agrees with Astacio’s gloomy prediction. “The bad guys haven’t found the right way to get money from the user,” he says, “but probably it will happen.”

Mobile operating systems, particularly Android, are not particularly difficult to make malware for, says Blasco, and there are signs that criminals are working to adapt methods used to target PCs. “We have found samples of Zeus and SpyEye on mobile,” he says. Those are two common malware packages that have infected millions of desktops and laptops and that steal banking credentials. Blasco says that he believes so-called “ransomeware,” software that locks up access to data and demands payment to release it, will appear on mobile devices, too. Personal data on smartphones such as contact books, text messages, and photos could be a lucrative target.

Some malware for mobile devices has already appeared that could have a significant impact if coupled with the large-scale distribution offered by Blackhole. An Android app found recently by security company TrustGo on 100,000 phones in China spends victims’ money by abusing an SMS-based payments system. It was distributed and infected 100,000 phones in China through an alternative to Google’s app store popular in the country. Last fall it was found that some Samsung Android phones could be taken over through their browser, and other researchers have demonstrated similar attacks (see “How a Web Link Can Take Over Your Phone”).

Kevin Mahaffey, chief technology officer and cofounder of mobile security company Lookout, believes that new, profitable malware will eventually force Apple and Google into copying Microsoft’s approach to protecting its Windows operating system. In 2005, the company released a reinvented update tool for its operating system, which at the time was troubled by frequent new security problems. “Microsoft stopped everything to build Microsoft Update,” now a core part of Windows, says Mahaffey, and created a sophisticated workflow able to act quickly to patch new problems.

Apple and Google currently issue patches for their mobile operating systems only a handful of times each year, so many people can remain exposed to a vulnerability even long after a fix has been developed. Updates to Android devices are particularly rare because mobile carriers choose when to pass along Google’s latest upgrades to their users and many often choose not to.

“To constantly have to update those devices is a business decision they don’t want to have to make,” says Astacio. 

Keep Reading

Most Popular

Scientists are finding signals of long covid in blood. They could lead to new treatments.

Faults in a certain part of the immune system might be at the root of some long covid cases, new research suggests.

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.