According to a recent report from San Francisco-based startup Lookout Mobile Security, three out of 10 Android phone users will encounter a web-based threat on their device this year. The report also says that Android users are 2.5 times more likely to encounter malware today than they were six months ago. An estimated half million to one million people were affected by Android malware in the first half of 2011.
“On the PC, you have to hack someone’s account or get access to their credentials,” says Kevin Mahaffey, co-founder and CTO of Lookout, which sells a security app that protects your phone if it’s lost or stolen and blocks phishing and malware sites. “On mobile it’s much easier for the bad guys to make money. They can directly monetize by charging to a user’s phone bill.”
Of course, Android is not the only mobile operating system that the “bad guys” are targeting, and Lookout isn’t the only company trying to capitalize on the growing security threats on cell phones. Apple’s (AAPL) iOS and other platforms are not immune to malware, though reports like Lookout’s suggest malicious applications have been most common on Google’s (GOOG) popular Android OS. It now claims almost 50% of the worldwide smartphone market. According to Lookout, the number of Android apps infected with malware rose from 80 to 400 in the first half of this year. Just this week, researchers at enterprise software vendor CA Technologies said they uncovered new Android malware that can actually record conversations on infected phones.
“Apple is a closed ecosystem, but Google’s different,” says Ed Amoroso, chief security officer at AT&T (T). “Google opened up the marketplace and once you open things up the security threat increases significantly.”
So what’s the right approach to mobile security? Not surprisingly, AT&T says the answer to the security problem is in the network. Amoroso heads up a Manhattan-based lab of about 40 researchers who are working on a mobile security product that AT&T hopes to sell to both enterprise customers and consumers.
“With mobility, the device is a small part of the experience and the network is a big part of the experience,” says Amoroso. “That’s bad in the sense that when the experience is lagging we take it on the chin, but it’s also great because it gives us the opportunity to enhance the security.”
Naturally, AT&T’s not the only carrier hoping to get into the mobile security market. At the recent Fortune Brainstorm TECH conference, Verizon Wireless (VZ) announced it would partner with Lookout to detect mobile threats on its V Cast App Store. Big-name security companies like McAfee and Symantec—who made their mark selling antivirus software for PCs in the 90s—have also come out with security features for phones.
And then there’s Google, which says it has made significant efforts to “minimize the security risks on Android” by scanning incoming applications for malware. It also works with its hardware and carrier partners to push security patches when a malicious app does make it into the Android Market.
“Security is a priority for the Android team,” Google said in a blog post last March, after a number of malicious apps became available in the Android Market. “And we’re committed to building new safeguards to help prevent these kinds of attacks from happening in the future.”
In the meantime, Lookout’s recent report says attackers are using new techniques like “malvertising” and upgrade attacks to take control of users’ phones, personal data, and money. “There’s no silver bullet in security,” says Lookout’s Mahaffey. “The malware problem is so hard, that it will take participation from everyone in the ecosystem.”
Competition from everyone in the ecosystem may be more like it, but either way it’s still early days for mobile security software.