In targeting smartphones, cyber criminals are reaching a level of sophistication previously seen only in attacks on desktop computers.
Mobile security research firm Lookout revealed findings on Thursday showing hackers can now effectively enlist Android phones in so-called botnets, networks of compromised devices that can be used to communicate with other infected devices for nefarious purposes.
The company estimates between 4 million and 4.5 million phones in the U.S. have been pulled into botnets this year as a result.
For years, cybersecurity experts knew malware targeting smartphones was a growing threat as the Internet-connected devices became more ubiquitous.
Lookout thinks this malware shows the threat has finally taken a dangerous jump.
The malware has been getting onto smartphones by first infecting a legitimate website. When users visit that website from their phone, they unwittingly download the malicious code.
This particular strategy is “one of the first times hacked websites were used at a large scale to specifically target and infect mobile devices,” said Tim Strazzere, Lookout’s lead research and response engineer, in a blog post.
The malware behind it, dubbed NotCompatible, was initially a “compelling threat” when the company started tracking it two years ago, Strazzere explained. But NotCompatible has evolved.
The newest iteration “set a new bar for mobile malware sophistication and operational complexity,” Strazzere said. “This malware is a prime example of how mobile malware complexity is advancing and is borrowing technical tactics already seen in PC malware.”
National Security Agency Director Michael Rogers sees mobile hacking as a Top 3 concern in 2015.
“The greatest growth these days” in cyberattacks “is not in the corporate fixed, large-network structures,” he testified before the House Intelligence Committee on Thursday.
“We are all turning to mobile digital devices as vehicles to enhance our productivity,” Rogers added.
That makes those devices a desirable target for hackers.
Lookout said the hackers behind the malware are renting out the infected devices to criminals who then conduct large-scale scams — from buying up tickets in bulk to sending out more spam.
“We expect more of this type of sophistication in mobile malware,” Strazzere said. “Mobile malware maturity is here.”