An annual study of internet security vulnerabilities released today concluded that “2011 was the first year that mobile malware presented a tangible threat to businesses and consumers.”

The findings, released by Symantec Corp., showed that mobile vulnerabilities nearly doubled, increading by 93% in 2011, with a particular rise in threats targeting the Android operating system.

The annual report, Internet Security Threat Report, Volume 17, found “malware authors not only reinventing existing malware for mobile devices, but creating mobile-specific malware geared to the unique mobile opportunities. The threats are geared to take advantage of activities involving data collection, the sending of content, and user tracking.

The rise in mobile threats comes at a time when tablets and smartphones are not only eclipsing the sale of PCs, but are increasingly invading the corporate environment faster than many organizations are able to secure and manage them.

The mobile findings are part of a broader backdrop that showed the volume of malicious attacks via the Internet also nearly doubled in 2011–increasing by 81% over the prior year–even as the number of vulnerabilities registered a 20% decline.

The figures come from data collected by Symantec, which reported blocking more than 5.5 billion malicious attacks in 2011, up 81% increase from 2010, while the number of Web attacks blocked per day increased by 36% percent.

In addition, the number of unique malware variants Symantec tracked increased to 403 million.

The study also noted that approximately 1.1 million identities were stolen per data breach on average in 2011, a dramatic increase over the amount seen in any other year.

While hacking posed the greatest threat last year, the most frequent cause of data breaches was still the theft or loss of a computer or other medium on which data is stored or transmitted, such as a smartphone, USB key or a backup device. These theft-or loss-related breaches exposed 18.5 million identities, according to the report.

The rise of mobile devices–many containing personal or sensitive information that often is less protected than data on PCs–may lead to an increase in data breaches. Recent research by Symantec shows that 50% of lost phones will not be returned and 9%(including those returned) will experience a data breach.

The study also pointed to the shifting nature of threats.

Symantec data revealed that spam levels fell considerably and new vulnerabilities discovered decreased by 20 percent.

These statistics “paint an interesting picture,” the report concluded, saying “attackers have embraced easy to use attack toolkits” to efficiently leverage existing vulnerabilities.

But cyber criminals are also “moving beyond spam… turning to social networks to launch their attacks,” Symantec officials said in a release.

“The very nature of these networks makes users incorrectly assume they are not at risk and attackers are using these sites to target new victims. Due to social engineering techniques and the viral nature of social networks, it’s much easier for threats to spread from one person to the next.”

The report also found that advanced targeted attacks are spreading to organizations of all sizes and variety of personnel; that the number of data breaches are increasing; and that attackers are putting new focus on exploiting mobile vulnerabilities.

“In 2011 cybercriminals greatly expanded their reach, with nearly 20% of targeted attacks now directed at companies with fewer than 250 employees,” said Stephen Trilling, Chief Technology Officer, Symantec.

“We’ve also seen a large increase in attacks on mobile devices, making these devices a viable platform for attackers to leverage in targeting sensitive data. Organizations of all sizes need to be vigilant about protecting their information.”
Targeted attacks, which use social engineering and customized malware to gain unauthorized access to sensitive information, rose from 77 per day to 82 per day by the end of 2011, the report said.

These advanced attacks have traditionally focused on public sector and government, Symantec officials aid. However, in 2011, those attacks began to diversify, with more than 50% percent of such attacks aimed at organizations with fewer than 2,500 employees, and almost 18% percent target companies with fewer than 250 employees.