by Byron Acohido
June 5, 2011
Cyberattacks that commonly had targeted computers are zapping smartphones and tablets, prompting security experts to urge Google and Apple to do more to slow their spread.
"The drive to push new tech products out the door has always trumped security, and now that mind-set has moved to the mobile platforms," says John Pironti, an adviser at ISACA, a group for information systems professionals.
After a recent attack, Google last week removed 25 corrupted applications from its Android Market, but not before up to 125,000 Android users downloaded the bad apps, says Kevin Mahaffey, chief technical officer of Lookout Mobile Security.
On each Android phone with these apps, the attacker can connect to a remote server when a voice call is received, then download other malicious programs to the phone, Mahaffey says.
Mikko Hypponen, chief researcher at Finnish anti-virus firm F-Secure, says he has monitored "several dozen cases targeting Android over the past 12 months."
Apple's App Store for iPhones and iPads has been only lightly probed by hackers — showing a difference in its security approach, experts say.
Google has made it easy for any developer to post an app in Android Market and relies on users to supply feedback about security problems.
"Their market is very open and lightly vetted, if at all," says Kurt Baumgartner, senior researcher at Kaspersky Lab. "When there are enough complaints … Google has the ability to pull the apps, which it has sparingly done."
"If Google allows it into their app store, then they should take some responsibility for the integrity and security of the code," says ISACA's Pironti, who is also president of IP Architects.
Google should also step up efforts to streamline its cumbersome process for pushing out Android security patches, says Mahaffey. "Many Android handsets are not patched against the latest security flaws." Google spokesman Randall Sarafa declined to comment.
Apple, by comparison, keeps tight control over its App Store. "Apple performs its work quietly and without discussion," says Baumgartner. "But malicious apps have appeared and are pulled as well, so their process of vetting is not perfect."
Another Apple shortcoming: To get security patches, iPhone users must sync handsets to iTunes on a Mac or PC.
"It's only a matter of time before iPhones and iPads become more of a target," predicts Pironti.
Apple also declined to comment.
