Corporate sneakiness. Government waste. Technology run amok. Outright scams. Our effort to unmask these 21st Century headaches and offer solutions that save you time and money.

  • 21
    Mar
    2013
    5:35am, EDT

    Smartphone hacking comes of age, hitting US victims

    Security researchers at Symantec warn that the next target for hackers will be your mobile device. NBC News' Bob Sullivan gets a demonstration of just how easy it is to hack a phone.

    By Bob Sullivan, Columnist, NBC News

    Devastating cellphone hacks that hijack your most personal gadget and rob you of privacy and money have long been forecast. But even as smartphone users in Asia are beginning to suffer exploding bills and emptied bank accounts at the hands of hackers, U.S. users largely remain safe and blissfully unaware of the gathering threat.

    Not for long. 

    Criminals have been probing the systems that protect U.S. smartphone users for years, searching for the right combination of programming tricks and social engineering that would allow them to sneak onto users' phones. Recently, one hacker group hit the jackpot.

    They took a year-old mobile virus named NotCompatible, which allows hackers to take complete control of a phone, and posted the malicious code on websites. Then they sent out enticing spam emails with links to the booby-trapped sites. The emails were all the more tempting because they appeared to come from friends or others on the recipients' contact list. Victims who clicked on the link from their phones and downloaded the file surrendered control of their Android phones to the criminals. Security firm Lookout says 10,000 customers per day are still being tricked into clicking on the bogus link and landing on the booby-trapped pages, and virtually all of them are in the U.S.

    Tim Strazzere, Lookout's lead research and response engineer, said the sudden "staggering increase" in detection of NotCompatible, which initially appeared one year ago, shows that the marriage of spam and mobile malware might be a recipe for real trouble.

    "This Android malware is unique," he said. "It's exactly the same scheme and end game as before, but it's just being circulated through different means. And it's working."

    U.S. smartphone users have been spared much grief from mobile malware so far for a variety of reasons. Chief among them: Most users get their apps from a centralized and safe source. Apple keeps tight controls on its App Store, so malware writers are largely ignoring that platform. And while Google's Play Store for Android is not as tightly controlled, criminals haven't had much luck sneaking infected software onto that platform, either. That leaves hackers with time-consuming, clumsy methods, such as tricking users into visiting a rogue website and choosing to install an app.

    Android attackers in other parts of the world have an easier time. In China, for example, it's hard to access Google's Play store, so consumers often get their apps from websites. That means rogue apps on random websites raise less suspicion.

    But Strazzere warns that the criminals behind NotCompatible have found a way to make U.S. users almost as vulnerable as those in Asia – a direct email invitation from a friend to install what turns out to be a bogus app.

    Those who might dismiss this scenario should beware: Last month, when a report by Mandiant Corp. alleged that hundreds of U.S. companies had been hacked by an arm of the Chinese military, the initial method of attack was almost the same -- a "spear-phishing" email that appears to come from a co-worker or friend, sent to entice the recipient into clicking on a virus-laden link.

    Smartphone users might fear that a criminal with access to their devices might destroy all their data, "brick" the phone or prank call all their contacts. But the real nightmare from a hacked phone is much more subtle, and can be much more expensive, than having to replace a phone.

    While the threat from foreign hackers is grabbing headlines, some security experts look ahead to networked devices and wonder whether your refrigerator might be more vulnerable than your PC.

    Vikram Thakur, a researcher at Symantec Corp., studied one mobile phone hacker who turned compromised devices into an estimated $1 million annually.

    “We found a mobile phone botnet, which had … maybe 200,000 cellphones which were compromised and in control of just this one person," he said. "(He) was able to send text messages, make these phones view videos, which were in turn giving him money; and he was doing so about 25,000 times a day."

    Cellphone hackers don't do anything to call attention to themselves. Instead, their programs are designed to run in complete silence, in the background.  And they cover their tracks. There's no log of calls placed to dicey overseas numbers, no evidence of text messages sent that can run up a monthly bill.

    “Your phone bill might have extra data usage toward the end of the month,” Strazzere said.  "That might be the only way you'd know."

    Hackers around the world have clearly trained their attention on the fertile ground of phone hacking. Kaspersky Labs, another security firm, says there has been "explosive growth," and offers numbers to back that up. In January 2011, it counted only eight new malicious mobile malware programs. At the end of 2012, it counted 6,300 such programs monthly.

    Nearly all of that activity has until now targeted overseas users, sometimes with devastating results. A program aptly named "BillShocker" by researchers infected 620,000 users earlier this year, mostly in China, and ran up hefty bills through premium text message services.

    Mobile malware writers are also developing hybrid threats designed to counterattack online banking security systems. In one sophisticated attack, criminals hacked both a victim's computer and cellphone, then lurked until an online banking transaction was initiated on the PC. When the bank sent a so-called "out of band" text message as a security confirmation, the criminals intercepted it and approved the transaction. A malicious program named Eurograbber is blamed for stealing $47 million from 30,000 bank accounts this way, according to a report by security firm F-Secure.

    Those victims were in Europe, but now there are other indications that mobile hackers are circling the waters, aggressively looking for more ways into the U.S. market.  

    Computer security expert Brian Krebs reported earlier this month on his blog that criminals are selling authorized Google Play developer accounts on underground bulletin boards.  A developer account would theoretically give a criminal the ability to post rogue software onto the Google Play store.

    NotCompatible is a little less ambitious. Its main goal is to control a smartphone and turn it into a "proxy" device for overseas criminals, so they could pretend they were ordering expensive merchandise from within the U.S.  Because many online sellers use geographic location to filter out fraud, and many trust cellphone location information, a hacked phone can be a perfect tool for foiling fraud-fighting software.

    "Companies block transactions when someone in Romania is trying to buy concert tickets in the U.S., for example," said Strazzere.  "NotCompatible allows them to hide where they are coming from ... gives them a little more mobility based on where they want to come from. With a hacked cell phone, they will look like they are where the endpoint is."

    Strazzere sees the blended threat – part virus, part spam – as ushering a new style of cellphone attacks, just as such blended threats gave hackers the upper hand in the personal computer world during the last decade.

    “This shows the progression of malware authors and what they are doing to experiment,” he said.  It also shows impressive coordination in attacks. “It’s still a new space for them. But they are figuring things out.”

  • 3
    Aug
    2012
    2:09pm, EDT

    Reuters hacked twice in 48 hours; pro-Syrian government stories, Tweets posted

    By Bob Sullivan, Columnist, NBC News

    UPDATED, Aug. 6, 12:18 p.m. ET --  

    The Reuters news service suffered a second successful hacker attack this weekend, just 48 hours after a computer intruder was able to post fake news stories on its web site.  In Sunday's attack, a small Reuters Twitter feed -- @ReutersTech , with 17,000 followers -- was briefly controlled by hackers.

    "Earlier today @ReutersTech was hacked and changed to @ReutersME," Reuters announced on its Twitter feed Sunday. "The account has been suspended and is currently under investigation."

    An archive of posts made to the @ReutersMe account, viewable Monday on Topsy.com, shows 22 rapid-fire Tweets were published on Sunday; some clearly contained pro-Syrian government messages, such as: "FSA commander Riyad Al Asaad states a tactical withdrawal from Aleppo imminent."

    Others didn't discuss the Syrian conflict, such as this: "Obama signs executive order banning any further investigation of 9/11. "

    The Twitter hack comes after Reuters said Friday that its blog platform was hacked and that a fake news story regarding the conflict in Syria had been posted.

    A spokesperson for Reuters confirmed the attack to NBC News.

    "A false blog posting, purporting to carry an interview with the head of the Free Syrian Army Riad al-Asaad ... was illegally posted on a Reuters journalist's blog page," said a post on the Reuters Twitter feed, which is followed by nearly 2 million people. "Reuters did not carry out such an interview and the posting has been deleted."

    It wasn't clear if any Reuters subscribers picked up the story and ran it in their publications; Reuters refused to answer additional questions about the incident. But the fake post was on the site for roughly 6 hours, according to the time stamp on a Reuters web page where one of the posts was initially published.  

    Initial word of the hack came via the Reuters Twitter feed just after 1 p.m. ET on Friday.

    “Reuters.com was a target of a hack on Friday. Our blogging platform was compromised," the Twitter feed said. "…And fabricated blog posts were falsely attributed to several Reuters journalists. We are working to address the problem."

    News services have long been an attractive target for hackers looking to get attention, dating back to the early days of the Internet, when a denial of service attack made many major news sites unavailable for several days; other attacks have rendered sites unavailable for brief periods as a form of protest. But attention-getting hacks have always been little more than pranks. The real danger of a news site attack comes from a quiet hack that potentially spreads falsehoods under what appears to be the banner of an unbiased news service.

    It's been a busy 24 hours for hackers targeting major media with fake news: Computer intruders managed to post a false story on the New York Yankees Facebook page Thursday and on several other teams' pages.

Bob Sullivan, Columnist, NBC News

I'm a reporter for msnbc.com and I try to write stories that make the world a little bit more fair. My blog, The Red Tape Chronicles, is among the most popular consumer affairs columns on the Web. My recent book, Gotcha Capitalism, was a New York Times best seller. Since 1995, I've written about the troubles created for consumers by both technology, covering topics like privacy, identity theft, computer viruses and hackers.
