Mobile Malware: Beware Drive-by Downloads on Your Smartphone

22.03.2012

Attackers are adapting the popular and effective drive-by download method, popularized on PCs, for mobile devices, says Kevin Johnson, founder of information security consultancy and author of Security 542: Web Application Penetration Testing and Ethical Hacking.

Drive-by downloads work by exploiting vulnerabilities in Web browsers, plug-ins or other components that work within browsers. Through a browser vulnerability, a drive-by download dumps an application, such as fake anti-virus software (malware that's masked as anti-virus software), onto the user's computer.

On a smartphone, drive-by downloads work differently, says Johnson, who is also a senior instructor with the . "With an iPhone, I can't browse to a Website and have it install an app on my iPhone. The iPhone is not capable of doing that, which is good," he says. "The problem is that the drive-by download model has changed to take that into account."

So instead of dumping an app onto your smartphone's OS, the infected Website exploits a vulnerability in, say, the Safari browser and runs commands or packages within the phone's operating system to change the way it works, says Johnson.

"It's not installing the software, but it's still doing bad stuff to the phone," he adds. "It's considered jail-breaking or rooting the device."