Cyberattacks that commonly had targeted computers are zapping
smartphones and tablets, prompting security experts to urge Google and
Apple to do more to slow their spread.
"The drive to push new tech products out the door
has always trumped security, and now that mind-set has moved to the
mobile platforms," says John Pironti, an adviser at ISACA, a group for
information systems professionals.
After a recent attack, Google last week removed
25 corrupted applications from its Android Market, but not before up to
125,000 Android users downloaded the bad apps, says Kevin Mahaffey,
chief technical officer of Lookout Mobile Security.
On each Android phone with these apps, the
attacker can connect to a remote server when a voice call is received,
then download other malicious programs to the phone, Mahaffey says.
Mikko Hypponen, chief researcher at Finnish
anti-virus firm F-Secure, says he has monitored "several dozen cases
targeting Android over the past 12 months."
Apple's App Store for iPhones and iPads has been only lightly probed by hackers — showing a difference in its security approach, experts say.
Google has made it easy for any developer to post
an app in Android Market and relies on users to supply feedback about
"Their market is very open and lightly vetted, if at all," says Kurt Baumgartner, senior researcher at Kaspersky Lab. "When there are enough complaints … Google has the ability to pull the apps, which it has sparingly done."
"If Google allows it into their app store, then
they should take some responsibility for the integrity and security of
the code," says ISACA's Pironti, who is also president of IP Architects.
Google should also step up efforts to streamline
its cumbersome process for pushing out Android security patches,
Mahaffey says. "Many Android handsets are not patched against the latest
security flaws." Google spokesman Randall Sarafa declined to comment.
Apple, by comparison, keeps tight control over
its App Store. "Apple performs its work quietly and without discussion,"
Baumgartner says. "But malicious apps have appeared and are pulled as
well, so their process of vetting is not perfect."
Another Apple shortcoming: To get security patches, iPhone users must sync handsets to iTunes on a Mac or PC.
"It's only a matter of time before iPhones and iPads become more of a target," Pironti predicts.