Maybe your smartphone isn’t so smart after all.
Millions of smartphones and other mobile devices are vulnerable to malware that can steal passwords, drain bank accounts and even eavesdrop on users. But a small tech firm funded by a Pentagon research grant has developed a program to help protect smartphones, and it can be downloaded for free.
X-Ray, the security program financed by the Defense Advanced Research Projects Agency, was unveiled this week by Duo Security Inc., a Michigan-based start-up company.
“Anyone can download X-Ray from the Internet at xray.io,” said Brian Kelly, a spokesman for the company, adding that 8,000 people already have downloaded and used the package.
Smartphones such as the Droid and tablets such as the iPad are basically just small computers. As their use has spread, so has the malicious software designed to allow hackers to steal email, bank log-ins or other data — and even turn on the phone’s microphone and eavesdrop on its user.
Nearly half of all mobile-phone users in the United States last year had smartphones, according to Nielson.com, but few realize how vulnerable they are. Worldwide, there are more than 400 million mobile devices using the popular Android operating system, which is produced by Internet search giant Google Inc., according to the company’s website. Within five years, there will be 2 billion mobile devices across the globe, according to Ovum Research.
In 2011, security researchers identified 8,000 kinds of malware designed to infect mobile devices, “almost all of it” aimed at Android, according to Anup Ghosh, a research professor at George Mason University in Northern Virginia.
“A lot of it is cybercrime,” said Mr. Ghosh, referring to so-called Trojan Horse or keylogger infections that record log-ins and passwords for bank, social media and email accounts to allow hackers to steal money, data or identities.
“There is also a lot of espionage in the industrial sense,” he said, citing efforts to spy on or hack the email of U.S. business executives.
Fraud follows the money
Researchers in Europe have identified malware that surreptitiously forces smartphones to make calls or send text messages to premium rate lines, racking up income for the crooks who own the numbers and huge bills for the consumer, according to Sorin Mustaca, product manager at German computer-security firm Avira.
“The problem is big and getting bigger every day,” Mr. Mustaca said.
According to Bank News.com, 50 million Americans now are using smartphones for mobile banking. The business research firm Gartner Inc. says the total value of mobile banking transactions globally will be more than $171.5 billion this year.
“Where there is money, there is fraud,” Mr. Mustaca said.
Hundreds of security and anti-virus programs are available for laptop and desktop computers, and users generally can download software patches to fix known security flaws or weaknesses in the other programs they use.
But the situation is different on smartphones and tablets.
Although there are security products available for Android devices, wireless carriers customize the operating system for their own phones, making conventional anti-virus products less effective, Mr. Mustaca said.
The fact that each carrier uses its own version of Android also means that phone users cannot just download patches and update their system, as computer users can.
“The [wireless] carriers have to push the updates out,” said Mr. Ghosh.
“They are really, really bad at that,” Mr. Mustaca said, “The providers are more interested in selling users a new phone than in updating software on older versions.”
The X-Ray application is not a security system, per se. Instead it scans the operating system software on any Android device to let users know if they have the latest and most secure version.
“The idea is to bring visibility to known, unpatched vulnerabilities [in Android systems] to put the power in the users’ hands,” said Mr. Kelly, the Duo Security spokesman.
X-Ray also will send information back to Duo Security about the type and make of phone, the software version it is using and the wireless carrier, Mr. Kelly said.
“We are not going to share this data, except in aggregate form,” to show which carriers are best at keeping their customers’ devices updated, he said. He added that no personal information will be collected.
“We’re being as transparent as possible about the data we’re gathering and why,” he said.
X-Ray was funded as part of a $32 million DARPA program called Cyber Fast-Track, designed to fund hundreds of small cybersecurity research projects. Small companies and individuals submit ideas and can get approval in as little as seven days.
By last month, Cyber Fast Track, launched in November last year, had funded 60 such projects, according to DARPA spokesman Eric Mazzacone.
• Researcher John Haydon contributed to this article.
• Shaun Waterman can be reached at swaterman@washingtontimes.com.
Please read our comment policy before commenting.