Security to Ward Off Crime on Phones By RIVA RICHMOND

 More consumers are buying smartphones. So more criminals are taking aim at those devices.

 Criminals still prefer PCs for stealing personal data, bank and credit card account numbers as well as for running frauds. However, most PC attacks focus on Microsoft’s decade-old Windows XP operating system, which is slowly being replaced by the more secure Windows 7. Over the next few years, hackers will have to find new targets. 

 With smartphones outselling PCs for the first time — 421 million of the hand-held computers are expected to be sold worldwide this year, according to market analysts at IDC — the long-predicted crime wave on hand-held devices appears to have arrived. According to the mobile-security firm Lookout, malware and spyware appeared on 9 out of 100 phones it scanned in May, more than twice the 4-in-100 rate in December 2009.

 In fact, the most practical rule for protecting yourself is to start thinking of the smartphone as a PC.

 Most malicious incidents on mobile devices involve bogus phone or text-message charges or rogue mobile applications, of which there are now more than 500 varieties, according to F-Secure, a Finnish security firm. All these ruses require users to take some kind of action, like clicking to accept or install a program, so caution while using mobile devices can prevent most problems. (However, experts warn that automated attacks are possible and could emerge in the future.)

 Most attacks happen in Eastern Europe and China. An overwhelming number — 88 percent, according to F-Secure — have singled out devices running Nokia’s Symbian operating system. Symbian is the world’s most commonly used smartphone platform, but Nokia said this month that it would be replacing it over the next few years with Microsoft’s Windows Phone operating system.

 Early attacks, like the Cabir and Commwarrior worms in 2004 and 2005, caused little damage. But since 2009, attacks have grown more menacing. In September, hackers trying to steal money from accounts at a Spanish bank installed malicious applications on Symbian devices when they synced to home PCs infected with a version of the ZeuS malware. The application enabled criminals to reply to security codes sent by the bank to validate cash transfers.

 Such assaults could be a preview of what is to come for devices popular in the United States. Criminals have attacked phones running on Google’s Android, Research In Motion’s BlackBerry, Apple’s iPhone and Microsoft’s Windows Mobile operating system software, suggesting that more is ahead.

 Some experts believe that Android will become a top target for malware because anyone can create and distribute an app anywhere on the Web. Google does not check apps for security issues but has instead imposed technical hurdles to thwart malicious activity. For instance, apps run in a “sandbox,” a closed environment where they cannot affect one another or manipulate device features without user permission. Google removes from its official Android Market any apps that break its rules against malicious activity.

 Ten attacks have been directed at Android users, including a malicious program called Geinimi that appeared in third-party Android app markets in China in December. This addition to legitimate applications, primarily games, allowed hackers to manipulate text messages, steal contact lists, place calls, visit Web sites and quietly download files.

 The attacks underscore the importance of exercising care when downloading mobile applications. Users should install apps only from sites they trust. They should research apps to ensure they are not malware. A smartphone is “a microcomputer in your hand, and you can have Trojans and worms and viruses like a PC can,” said Andy Hayter, anti-malcode manager at ICSA Labs, an independent security-testing firm owned by Verizon.

 The extra-cautious may also want to use a security product; free and paid products are available for all but the iPhone platform from major security companies like F-Secure, Symantec and Kaspersky as well as specialized providers like Lookout and DroidSecurity.

 Tighter controls on use of third-party software on mobile devices may help explain the limited number of attacks so far, says Mikko H. Hypponen, chief research officer at F-Secure. For instance, Apple’s more regulated environment has mostly kept trouble at bay.

 The only malware seen on iPhones occurred in 2009 and affected phones that had been altered to run software Apple did not authorize. A worm in Australia replaced the phone’s wallpaper with an image of the ’80s pop singer Rick Astley, in a prank known as rickrolling. There was also an attempt to blackmail people into paying 5 euros, and a worm that tried to steal account details from customers of a Dutch bank.

 Partly for security reasons, Microsoft in October shifted to a system for its new Windows Phone 7 that confined app sales to its own marketplace and issued guidelines to developers that tightened security and privacy requirements. Microsoft says it runs safety tests on every new app.

 Attacks that bill cellphones are the most promising way for criminals to make money, Mr. Hypponen says. Hackers are figuring this out, as shown by multiple frauds on Facebook asking people to fill out online surveys and provide cellphone numbers, which then receive monthly charges. Check your bills carefully for unusual expenses.

 BlackBerrys are rarely attacked because the devices are typically provided and controlled by security-conscious employers, and the phones are not commonly used in countries like Russia and China, the homes of many malware creators. The most widespread problem seen on BlackBerrys — and on other platforms — are commercial spyware programs like FlexiSPY, which are secretly installed by someone — usually a jealous spouse — who wants to track a phone owner’s location, listen to the calls and read text messages and e-mails.

 “You can even turn on the microphone remotely and listen to what’s being discussed around the phone, even if there’s no phone call taking place,” Mr. Hypponen said.

 Phishing is also a growing problem on all smartphone platforms. Such attacks, common on PCs, involve text or e-mail messages that appear to be from a trusted party, like a bank, that lead people to bogus Web sites where they are asked to enter personal data.

 Mobile users are three times more likely to fall for these scams than PC users, according to statistics on phishing recently gathered by one security company, Trusteer. The company believes that is because mobile devices are activated all the time, and small-screen formatting makes the fraud more difficult to spot. It cautions people not to click on Web links in messages.

 Confidential information can also be collected wirelessly if transmitted unencrypted over a public Wi-Fi network. Experts suggest avoiding transactions over airport or cafe networks.

 Losing a mobile device and the data inside remains the most likely risk to a smartphone owner. Experts recommend users lock devices with a PIN, so someone who picks it up cannot use it. It is also wise to install apps that can help locate a lost or stolen phone and, if necessary, wipe the data from it.

 Apple, Microsoft and R.I.M. provide free apps for their devices, and similar apps are available for Android and other phones from third parties, including F-Secure and Lookout.

 A last bit of advice as true for the desktop computer as for the smartphone: back up the data on your phone to your computer or an online service. That way, you’ll be able to recover quickly, whether your gadget has been lost, stolen or contaminated.

Anti-malware products:

DroidSecurity: Scans Android devices and apps, as well as Web sites you visit, for malware; blocks test-message spam; and offers tools for remotely locating, displaying messages on and wiping data from lost or stolen devices. A backup and restore service is in development. (Android only. Free basic version and $10 Pro app)

F-Secure: A suite of software that includes malware protection, a firewall, technology to keep you safe while browsing the Web, and tools for locating or wiping data off a lost or stolen phone.

(Android, Symbian and Windows Mobile; 40 EUR for one year.)

Kaspersky: Anti-malware, firewall, unwanted call and text-message blocking, anti-theft tools and a “privacy mode” that lets you hide designated contacts, calls and text messages.

(Android, BlackBerry, Symbian and Windows Mobile; $30 for one year.)

Lookout: Anti-malware, backup and restore services and tools for remote lock and wipe, including the ability to make the phone “scream” and scare a thief. Privacy tools help you research apps you’re considering downloading and risks associated with the ones you have already.

(Android, BlackBerry and Windows Mobile; free basic version and $30-a-year paid product.)

Symantec: Anti-malware, firewall, spam text-message blocking and remote lock and wipe tools.

(Android; free while in beta. Symbian and Windows Mobile; $30 a year)

Free anti-theft products:

Apple’s Find My iPhone: This feature of MobileMe is now available as a free app for iPhone 4 with iOS 4.2. It lets you display a message or play a sound on a lost phone and find the device on a map, set a PIN remotely or wipe all your content.

F-Secure Anti-Theft for Mobile: Locate and lock your Android, Symbian or Windows Mobile phone, or wipe the data if it’s gone forever. If the thief changes the SIM card, this tool will send you his new number.

Microsoft’s Find My Phone: A free service for Windows Phone 7 that allows people to locate a missing phone by displaying a message, playing a sound or locating it on a map. You can also lock a phone with a PIN or erase the contents remotely.

R.I.M.’s BlackBerry Protect (in beta testing): Enables users to wirelessly backup, restore and locate their BlackBerry on a map or with a sound, as well as to remotely wipe or lock the device.

©nytimes.com