For example, in a phishing attack on a desktop, there are clues that tell you it's an attack — you can see the full URL of where you're at or hover over a link to see where it goes. "On a mobile device, you can't hover so you never know the actual URL you're going to when you tap it," Chiu said.
"And when you go to a URL," he continued, "many mobile devices have a feature called auto hide in order to give you the most real estate on your little screen as possible. That hides the URL so you don't know where you are."
Despite the attention mobile devices are grabbing from cybercriminals, it may take a watershed event to bring the point home to the public. "We'll have a big problem when the first widespread Apple malware occurs that is financially targeted," said Ken Baylor, a research vice president for NSS Labs.
"While Apple has the ability to yank bad applications once they're installed as we saw in the recent $45 million ATM fraud scam, the things you can do in eight to 12 hours are pretty amazing," he told CSO.
Sign up for Computerworld eNewsletters.