The alert came in around 3 a.m. on May 2. The website of a pest control company was being something of a pest itself, harassing visitors into downloading a suspicious “security update.” Normally, a website spreading malware wouldn’t stir much excitement among computer security professionals. This was different: The virus-laden site targeted only mobile phones, not PCs.
To the founders of smartphone security startup Lookout, this was cause for alarm—and excitement. Hackers have long attacked mobile phones by hiding malware in apps. In this case, smartphones were infected by visiting a website. It signals the economics of hacking are changing, says Kevin Mahaffey, co-founder of Lookout. “Someone is actually forgoing the PC opportunity and choosing mobile instead,” he says.
Any event that raises the specter of cell-phone hacking could be a boon of sorts for the startup, which has built one of the nation’s biggest nets for catching smartphone attacks. Lookout gives away a basic version of its smartphone security app, which offers virus protection and a popular feature for locating a lost phone. It has 20 million users and is adding another million every month. Phones with the app act as beacons that communicate with Lookout’s servers to relay early warnings about mobile threats. The scale is an “enormous competitive advantage” for Lookout, says Mike Volpi, a partner with Index Ventures, which has contributed to the startup’s $76.5 million in funding.
Lookout began as a mobile-security company in Los Angeles nearly a decade ago, when people carried Motorola (MMI) Razrs, not Apple (AAPL) iPhones. Founders Mahaffey, John Hering, and James Burgess, who met as University of Southern California undergrads, had a knack for publicity. At the 2005 Academy Awards, they used an antenna to scan the red carpet and identify celebrities whose phones could be wirelessly hacked. They relocated to San Francisco in 2010 and now have 100 employees.
Lookout’s apps are free, but premium features such as the ability to remotely lock and erase stolen phones cost $2.99 a month. Hering says less than 10 percent of users pay, but that’s “a big number.” Lookout’s threat-detection features are almost entirely automated. Algorithms monitor data about phone usage across its network of apps. When computers spot an anomaly, they alert an engineer, who adds the threatening app or website to a blacklist. The software automatically blocks traffic from those sources.
The data the company collects are valuable for more than just threat detection. As Lookout sniffs around for malicious activity, its software accumulates insight into how phones, apps, and networks are being used, which could be useful to cellular operators working to improve their networks, says Volpi, who sits on Lookout’s board. “Device health is extremely important,” he says. “Just like you’d use a monitor to see how your heart is doing, all that health information is superstrategic and you can build a great business out of it.” The startup already has some fans among carriers: T-Mobile (DTE:GR) preinstalls Lookout on most of the Android smartphones it sells, and Verizon Wireless uses Lookout’s technology to monitor its app store for malevolent software.
Still, a lot of current Lookout users don’t worry much about malware. They’re more interested in such features as Lookout’s phone-finding function, used 9 million times in 2011. (Lookout is far more successful with Android owners than iPhone users because Apple offers its own phone-finding service.) Jack Gold, president of J.Gold Associates, a market research firm, says many smartphone users ignore malware threats because there haven’t been many high-profile infections. “It’s like insurance,” he says. “People don’t buy insurance until their house burns down.”
Lookout’s founders light up when talking about security risks such as the pest-control site discovered in early May. The hackers behind the malware, dubbed “NotCompatible,” weren’t interested in stealing data such as passwords. They used victims’ phones to hide the tracks of their scams, which included using stolen credit cards to buy Red Hot Chili Peppers tickets and shop on Apple’s App Store. The Lookout guys warn that the next mobile malware attack could involve something more dangerous than seeing Anthony Kiedis wearing only a tube sock.