Your smartphone will (eventually) be hacked

The security risks in paying by smartphone
The security risks in paying by smartphone

Security experts have warned for years that our smartphones are due for a major cyberattack. Like PCs back in the early days -- the 1990s -- mobile phones are largely unprotected by antivirus software, and they're a treasure trove of valuable information.

So why hasn't the smartphone Armageddon happened yet?

Basic economics is one reason. Cyberthieves are making so much money attacking Windows PCs that there hasn't been much incentive to change tactics. It's hard to track down exact statistics on how much money is stolen each year through cyberattacks, but most security experts put the dollar figure in the billions. One single, recent hack that Verizon (VZ) investigated -- debit card numbers stolen from merchants through secretly installed keyloggers -- resulted in a loss of $20 million.

Microsoft (MSFT) Windows is still the low-hanging fruit. With 92% share of the PC market and a two-thirds share of all Internet-connected devices, Windows is the obvious target to attack if you're a hacker looking to make money.

We're about to hit a tipping point, though. Most people still do their online banking and shopping on their PCs, but those transactions are happening on mobile phones more frequently. Where money goes, cybercrooks follow.

Here are the scary numbers: Cyberattacks on mobile phones rose by a factor of six this year, according to Intel (INTC) subsidiary McAfee. Four in 10 mobile users will click an unsafe link on a smartphone this year, according to Lookout Security.

Yet less than a fifth of the devices run any antivirus software, according to security research organization SANS. An RSA study shows we're much more likely to click on phishing attacks on mobile devices than we are on PCs.

Still, not even one major cyberattack has hit smartphones. What's up?

The good news is that developers learned from the industry's long history of cybersecurity debacles. Smartphone operating systems were built from scratch fairly recently -- not much legacy code here -- and were designed with strong security protections. Though it's possible, it's incredibly difficult to attack a device through one program and then own an entire phone.

Fragmentation is also an unexpected protection. With so many different varieties of Google's (GOOG) Android operating system out there, it's hard to write the right code for a wide swath of devices.

Even users of Android -- the target of almost all mobile malware -- are far less susceptible to attack than PC users. The growth in mobile threats is dramatic, but the 13,000 different kinds of mobile malware McAfee has found this year is still teeny compared with the 90 million threats it detected for PCs.

Still, experts say it's just a matter of time before mobile catches up.

"The money is in mobile, and that's where they're moving," said Stu Sjouwerman, CEO of KnowBe4, a security training company. "Malware on mobile phones is going to be as prevalent as on the PC. It's inevitable, unfortunately."

Smartphones have become personal computers that travel around with us at all times. Mobile attacks are difficult, and the smartphone space may never be as homogeneous as the PC market, but crooks follow the cash. As smartphones become our primary devices, the cybercriminals' motivation for targeting them grows. All it will take is one slip up by Apple (AAPL) or Google.

"What will happen is one of these smartphone makers will release a new OS or browser, and there will be a hole," said Alan Wlasuk, the managing partner of WDDInc., a software development company. "An attacker will exploit that. That's going to happen for sure."

CNNMoney Sponsors