The open source nature of Android means it is open to attack from cyber criminals with thousands of amlicious apps already showing up, but one expert is trying to spread the word about this threat and hoping someone will take notice.

Trend Micro's Rik Ferguson
Mobile security evangelist Rik Ferguson believes this is only the beginning for malware on your smartphone and tablet.

Rik Ferguson is a not what you might expect from a security analyst. He is an odd combination of a security evangelist, long-haired rocker and tattooed preacher, but when he begins talking passionately about the threat posed to smartphones and tablets by mobile malware, you have no choice but to take notice.

A recent survey by Ferguson's employer, Trend Micro, revealed that there was 5,000 new malicious apps found in the Android store in just three months, but this, according to Ferguson is just the beginning, as he is predicting there will be as many as 130,00 by this time next year.

While the inherent open source nature of Android means it is a natural target for cyber criminals, the saem cannot be said for Apple's platform, which is so far malware free, according to Ferguson.

"There is no [criminal] malware whatsoever that would affect a non-jailbroken iPhone. The fact is, when you jailbreak a device, you disable some very key security mechanisms." While security researcher Charlie Miller did manage to bypass Apple security and get an app into the official App Store which exploited a security flaw, Apple has now fixed this vulnerability.

One of the issues facing secutiry firms is getting users to change their mindset when it comes to installing software on their phones. Some security experts we spoke to said that no matter what they did, if people wanted to turn off their anti-virus software and install unknown software on their devices, there was little they could do about it. Ferguson has a less fatalistic outlook:

"Definitely what we do makes a difference, and not just what we do in terms of products, but the things we say and where we say them and how we say them, can make a difference."

Google Android malware

Charlatans and Scammers

In November of last year Google's open-source program manager, Chris DiBona, launched what Ferguson calls a "outburst" and a "diatribe" on his Google+ page against security firms which offer mobile security software. He called such companies "charlatans and scammers" adding: "If you work for a company selling virus protection for Android, RIM or iOS you should be ashamed of yourself."

DiBona argued: "No major cell phone has a 'virus' problem in the traditional sense that windows and some mac machines have seen. There have been some little things, but they haven't gotten very far due to the user sandboxing models and the nature of the underlying kernels."

Obviously Ferguson disagrees, and points to the release of Bouncer, a Google security feature for the Android Market (now Google Play) which was released only a few months later. Google even announced in February this year that Bouncer had reduced the amount of malware in Google Play by 40 percent.

"Publicising that there is a problem and that some of it is inherent to the system, can help change systems," Ferguson told IBTimes UK following a demonstration at the Info Security conference taking place in London this week.

During his presentation, Ferguson used a non-rooted Android phone to show how a piece of mobile malware which is freely available in China, and which can be made to look like a regular app in Google Play, can be easily downloaded to any number of phones and tablets. This app then works in the background to intercept any SMS messages coming through to the phone without the users' knowledge.

The owner of the software can then send messages to the phone in question, telling it to carry out a range of tasks such as taking a picture with the camera, sending emails, or even calling specific phone numbers. The criminal can also get all the information it has collected on the infected phone, instruct it to be put into a zip file and uploaded to an online account.

Mobile Malware

More Powerful Mobile Malware

Mobile malware has the potential to be even more powerful than traditional PC-based malware. This is because of the inherent traits of smartphones and tablets which almost all include cameras, GPS, constant internet connectivity, and are as equally if not more powerful than the traditional desktop PC we have sitting on our desks at home.

However, no matter what security firms and Google do to make Android a safer place to be, the end user has the final say as to how safe their system is: "Security technology can go some way to keeping you secure as a user, but if you chose to do inadvisable things, then you increase your level of risk. There is no silver bullet."

The problem with this is that most smartphone users don't pay enough attention to the permissions they are granting apps they download to their smartphones and tablets. Even the best known apps request permission to access and upload your contacts, email and text messages.

Ferguson pointed out that because of the permissions you agree to when downloading both Flickr and Facebook, if they wanted to, they could legally access your phone's camera, and begin taking pictures and uploading them to their servers.

Ferguson admits that the security industry has not done itself any favours in the past. Certain companies have relied on marketing through what is known as FUD (fear uncertainty, doubt) where those companies preyed on the fear of customers who didn't really understand what the threat was.

The security industry has been prophesising about mobile malware for a number of years now but until the last six months, they have been seen by some, including DiBona, as crying wolf.

"It is my personal belief that honesty is the best policy. If you are aiming to educate someone you should give them the facts as they stand, and help them to form their own opinion," Ferguson said.

The security analyst believes Google needs to learn the hard lessons which Microsoft learned with its Windows platform back in the 1990s. "Microsoft, because they were commercial pioneers, they had to learn a lot of painful lessons. Cybercrime grew up with Microsoft, and they've set some really good examples over time. They set some really bad ones in the early days of Windows but they learned from it and those are lessons I hope Google can learn."

Ferguson believes that like Microsoft, Google will be forced into changing its policies and be more proactive in the future than it has been in the past. Ferguson is committed to spreading the word regarding mobile malware, but whether people take any notice is another matter.