Security experts watching closely for any sign that sophisticated cybercrime was making the leap from the personal computer to the smart phone caught a stunning one this fall.

A potent new variant of an infamous piece of malicious software was attacking Symbian and BlackBerry phones in a multilevel scheme designed to thwart the defenses of banks.

Cyberthieves apparently used familiar methods to snatch banking customers' online log-ins and passwords, and then tricked them into revealing their mobile numbers, according to an analysis by Spanish security firm S21sec. The customers received seemingly innocuous text messages with links that, when clicked, would install software that allowed hackers to view subsequent texts.

This enabled them to intercept the codes that increasing numbers of banks send to phones to authenticate online financial transactions. That potentially meant the attackers could cue up a transaction, wait to see the code pop up, and then drain the account.

The FBI said in October that an organized-crime ring had used one version of the malware, known as Zeus Botnet, to pull $70 million from bank accounts. It's unclear how much harm the mobile variant inflicted, if any, before it was discovered and addressed.

But its mere appearance set off alarm bells for security professionals, who have long feared the damage that could be done through smart-phone cyberattacks. While no high-cost or wide-scale breaches of mobile devices are yet known, the discovery of the Zeus strain, other limited attacks on phones and a series of vulnerabilities uncovered by researchers indicate that the threat level is rapidly rising.

"The Zeus bug was a wake-up call," said Eric Monti, senior researcher at Trustwave, a Chicago information security firm. "We've seen a huge rise in malware attacks against (technology) infrastructure, and desktops in particular. What we're going to see soon is a similar surge in mobile malware."

MBA BY THE BAY: See how an MBA could change your life with SFGATE's interactive directory of Bay Area programs.

The reason is money, he and other security professionals say. There's a growing list of motivations for profit-minded hackers to find ways to infiltrate the devices, including the widening use of smart phones, increasing dominance of particular operating systems, growing capabilities of the always-connected gadgets and accelerating use of mobile financial applications.

Meanwhile, the troves of personal information that flow through the devices mean that when innovative attacks succeed, the stakes may be very high.

DoCoMo 911

Starting in the spring of 2000, thousands of Japanese customers of NTT DoCoMo Inc.'s early Internet service for mobile phones were tricked into downloading a Trojan horse. It hijacked their handsets and forced them to dial 110, Japan's emergency number.

DoCoMo 911, as the attack became known, overloaded switchboards, preventing real emergency calls from getting through.

It was one of the most alarming assaults on phones so far, and prompted security experts at the time to warn of a dawning era of mobile attacks. It hasn't happened - yet.

The 10 years since the DoCoMo incident have been relatively quiet on the mobile security front. Phone hacks have been mostly limited to the bragging-rights variety or small-scale for-profit attacks, even as malicious hackers found inventive new ways to make millions through cyberassaults on personal computers connected to the Internet.

The reasons are important to understand, because they may well be falling away one by one.

There are far more people around the world using PCs than smart phones, and the vast majority of the computers run Microsoft's Windows operating system. That means hackers can exploit a single vulnerability to potentially reach a vast number of computers.

In contrast, the mobile market has been smaller, fragmented across a variety of operating systems and rarely used for financial transactions.

Nightmare scenario

But several research firms predict that smart-phone sales will soon outpace PC sales, if they haven't already, as millions of people splurge on the feature-rich gadgets. Meanwhile, the market has coalesced around three dominant operating systems: Research In Motion's BlackBerry, Apple's iOS and Google's Android.

Finally, myriad financial companies are rolling out apps that facilitate banking and stock trading over the devices. Others are developing stickers or chips that allow the devices to be used for payments at cash registers.

"The threat is there," said Phillip Porras, a program director focused on cyberthreats at SRI International. "Mobile malware developers tend to go where the money is and where the users are."

Mobile devices provide an added attraction for hackers: The gadgets know far more about users than the typical PC, including where they are, where they go, whom they communicate with, whom they bank with and more.

When hackers gain control of the devices, there's potentially a much richer pool of data that can be exploited to steal money, blackmail victims or gain personal, corporate or government information.

"They can get onto the phone with cell access and ... really do whatever they want," said Nicholas Percoco, head of Trustwave's SpiderLabs division, the company's advanced security team that, among other things, tries to pinpoint and expose software vulnerabilities.

There are broader-reaching threats as well.

A research paper released late last year found that as few as 11,750 compromised mobile phones could launch an effective denial-of-service attack on a mobile network, where thousands of simultaneous calls from hijacked devices would overwhelm the service. It could basically knock out connections across an entire area code, degrading the service by 93 percent in all of the 415 or 650 areas, according to the joint study by the Georgia Institute of Technology and Pennsylvania State University.

In a nightmare scenario, terrorists could synchronize such a cyberattack or one like DoCoMo 911 with bombings of buildings or bridges, compromising disaster response efforts, said David Perry, global director of education at Trend Micro Inc.

Playing defense

So what can be done?

Security firms like Trend Micro and McAfee Inc. already sell products to detect and remove malware on mobile devices, much like the antivirus software long sold for PCs.

Google and Apple say they work hard to prevent exploits and fast when vulnerabilities are discovered.

"Apple takes security very seriously," spokeswoman Trudy Muller said. "We have a very thorough approval process and review every app."

Google, which declined an interview request for this article, doesn't approve apps before allowing them in the Android Market because it says it wants to provide an open environment for developers and users. But it does go to extra lengths to ensure that users are made aware of the information and functions that each app can utilize, which can provide warning signs for users.

Unlike Apple, Google can also remotely kill applications that are found to be malicious on devices running its operating system.

Because of its focus on business customers, Research In Motion has long emphasized and invested in the security of its devices, employing robust encryption technology and the ability to remotely wipe data from a lost or stolen device. It also provides business administrators the ability to determine which apps and features can be used on work-issued phones, depending on the company's level of risk tolerance.

The basic architecture of the company's devices and software also blocks many of the traditional paths for spreading malicious viruses, said Scott Totzke, vice president of BlackBerry security.

'Gearing up'

But if the history of the PC provides hints about how attacks may evolve on the mobile front, it also underscores the lesson that inventive hackers, motivated by big paydays, will continue to find ways to get around security defenses.

Totzke acknowledged, for instance, that all mobile users are potentially susceptible to social-engineering methods. Those include Trojan horses like Zeus, which mask themselves as legitimate applications or information requests but actually seek unauthorized data or control.

Smart phones contain "tons of information about you and your company, so how do we make sure we educate our customers to understand that when they download an app, it should come from a trusted source?" he said. "That's the challenge. I don't think I really have a great answer for that, and I don't think the industry does."

SRI's Porras agreed that inattentive or underinformed users provide a big, bright target for hackers.

"Malware developers are gearing up for this," he said. "If the general public is gearing up for this is an open question."