Cyber thieves profit via the mobile in your pocket

Media playback is unsupported on your device
Media captionKevin Mahaffey from Lookout mobile security demonstrates how mobile malware works

If you want to steal money by picking pockets then you face weeks if not months of work to perfect the skill of lifting wallets, watches and purses without your victim realising.

Unless, of course, you decide to profit by taking cash from the phones in people's pockets. You could learn how to do that right now. If you can click a mouse button twice you can create a malicious computer program that can steal money from a smartphone.

The two-click fraud system is hosted on a website based in Russia which lets anyone who signs up create mobile malware.

With their first click, wannabe cyber criminals decide their target audience (among others they can choose to hit users of Facebook, Skype and Opera) then click again to pick a web address on which a malicious program will lurk.

The only hard part of the process is spamming out enough messages to get people visiting the booby-trapped site. Anyone that does visit will reach a page that hosts an app that looks official, inside which lurks code that can steal cash via premium rate SMS services.

The site was shown to the BBC by Kevin Mahaffey, chief technology officer of security firm Lookout. He said the site was one of a growing number which were "industrialising" the creation of mobile malware.

"As more and more people around the world are adopting smartphones and using them to download apps, bank, and conduct business, there's more and more of an incentive for criminals to attack phones like they've attacked PCs in the past," he said.

Crimeware kits, which let novice cyber thieves crank out their own viruses with a few mouse clicks, have been behind the huge rise in the number of malicious programs that plague PCs.

Now, said Mr Mahaffey, such kits were starting to be made for mobile malware.

"The good thing about these sorts of malware sites is that they are not extremely sophisticated in the way the malware is constructed," he said. This made the malware relatively easy to spot and block.

What criminals liked about mobiles, said Mr Mahaffey, was their intrinsic connection to a payment plan. This made it far easier to siphon off cash than with PC viruses.

"All phones that have access to SMS are able to charge money to their phone bill via premium rate SMS and that's one of the top vectors we see of criminals trying to steal money," he said.

Almost 70% of the millions of scams Lookout sees every month try to steal cash by surreptitiously racking up premium-rate charges, he said. Malicious apps made it hard for people to realise they were being scammed, he added, because they could work surreptitiously while phone owners used a different application.

Junk messages

Alongside the growth in mobile malware is a rise in junk or spam text messages being sent to phones - many involving fake offers in an attempt to sucker the recipient into revealing their credit card number.

"We've seen a 300% rise in the spam processed year-on-year in mobile," said Chris Barton, senior director of research at message filtering firm Cloudmark.

In Europe, about 2.25 billion junk mail text messages are sent every month, suggest statistics from Cloudmark. This is dwarfed by the billions of junk mail messages sent every day via email but scammers like mobile spam because junk sent to a phone is more likely to be opened, he said.

Analysis by Cloudmark suggests that less than 25% of the junk mail messages sent via email that get through filters are opened. Worse, from the spammers' point of view, it can take up to 24 hours for those messages to be seen. By contrast, more than 90% of junk sent to mobiles will be seen by a phone owner within 15 minutes of the message being received.

Ciaran Bradley, head of handset security at Adaptive Mobile, said the amount of spam mobile owners received varied widely depending on where they lived. In some countries, such as India, it was not uncommon to get up to 40 junk text messages a day.

In other places such as the UK, he said, getting one or two junk mail messages was seen by most people as too many.

"SMS spam is a lot more invasive if you are not used to it," he said.

As well as sending more spam in different countries, scammers were also tuning their campaigns to the different devices in those nations.

For instance, said Mr Bradley, in Africa many scams were centred around mobile banking and credit transfers to capitalise on the greater use of those technologies in that region.

Image caption Many scammers abuse the open nature of Google's Android phone operating system

In places where smartphones were more predominant, fake or booby-trapped apps were getting increasingly common. Google's Android operating system for phones was proving particularly popular, he said, because it was relatively easy to take applications apart, add in some malware, re-compile them and then put them on an unofficial marketplace in a bid to snare victims.

There was a particular problem in China, said Mr Bradley, as there was no official market place to acquire apps for Android phones. As a result, he said, many people were visiting rogue marketplaces and finding fake or booby-trapped apps.

Google was starting to do a better job of policing Android apps, said Mr Bradley, and had cracked down on those programs that produced adverts that looked like system messages in a bid to trick people into clicking on them.

But, he said, there were straightforward ways to stay safe.

"For most people, if you stick to the official marketplaces, the chances of getting hit by malware are pretty small."

More on this story

Related Internet links

The BBC is not responsible for the content of external Internet sites