Carrying a smartphone is almost like having a powerful PC in your pocket. Most of the smartphones sold today have all the bells and whistles—a camera, online access (including email), keyboards, personal organizers, and other features you'd find on your laptop or desktop. But with the power and convenience of these intelligent mobile devices that we just can't live without, come a host of security threats. And, the smarter these phones become, the more vulnerable they will be to the same types of threats that plague our laptops and desktops.

The most common operating systems used by smartphones and personal digital assistants (PDAs) are Microsoft Windows CE and the Symbian OS. Microsoft has an open source policy with Windows CE, so adopting this operating system has been an attractive option for smartphone device manufacturers. At the same time, precisely because the code is open source, malware writers are seizing the opportunity to concoct exploits for mobile devices. Developing software under Windows Mobile and Win32 is very similar, so it's easy for authors of Win32 malware to transition to mobile malware.

The most significant threats to smartphones are in four areas, though there are others.

Text messages
Just about everyone does it—teenagers, professionals, and soccer moms—but few are aware of the risks associated with text messaging. Researchers at McAfee Avert® Labs have observed examples of short message service (SMS) phishing (also known as SMiShing), which is on the rise. One example is malware that uses the text messaging APIs to send fake messages to your contact list–similar to email spoofing. If you trust an incoming message based on its telephone number, then you’re vulnerable to anyone in your contact list whose mobile phone has been infected by a virus, which can easily send spoofed messages. And, it’s hard to tell if the message is malicious.

Contacts
Your contact list is probably the single most valuable asset on your smartphone, especially if you're a corporate user. Theft of corporate contact data could have dire consequences for employees and their employers. As we already mentioned, mobile viruses can "steal" a contact list and send out short messages containing a virus. It would be even worse if the malware packed your contact information and sent it to a malicious third-party! Many smartphone users take advantage of the phones' contact backup tools, which typically use programming calls such as IPOutlook, ItemCollection, IFolder, and IContact from the Pocket Outlook Object Model API Interfaces in the Windows Mobile SDK API. Malware developers could easily use these tools to procure and modify contact information and send the results to someone else.

Video
Who doesn’t enjoy the spontaneity of being able to snap photos or capture a video with a smartphone? Yes, even these features are now susceptible to various forms of malware. Through Microsoft’s APIs, mobile malware could conceivably take over the phone and use the camera to snap photos, though it would probably be difficult to get a good angle. But, the probability of automated exploitation using the camera is pretty low. However, the security of the photos and video already on the device is much easier to exploit. A virus could search for all JPG files through the file API and send those files to a malicious third party via the wireless network. Although the images can be large, there's generally plenty of bandwidth available in any country with a widespread 3G mobile network.

Phone transcriptions
What if your mobile phone were to suddenly turn into a tape recorder? Using the mobile voice-recording API, a virus could indeed change a mobile into a tape recorder. Microsoft applies the Waveform Audio Functions to record and play Wav files, according to the Windows Mobile SDK. Smartphones have limited storage space, however, so malware cannot record indefinitely. But, it could send the recorded file to an attacker via email or via the Multimedia Message Service (similar to SMS). If the attack were combined with the SMS interception technology we’ve already discussed, the malware could use SMS to activate the recording function, turning a mobile into a tape recorder that could be turned on and off remotely.

Everyone loves the convenience of smartphones. But because of the many APIs available for the Windows Mobile operating system, lack of security awareness, and the powerful promise of financial gain, malware writers continue to create viruses. The majority of today’s mobile malware doesn’t present a significant risk, but we can’t let our guard down. Right now, we’re in the early stages. It will probably only get worse, so it’s essential to exercise caution. The best way to protect your smartphone is to be proactive and keep malware off in the first place.