Lookout's Mobile Security Battle with Google

Image: Eric Milllette for Forbes

CEO John Hering poses before the ‘sniper rifle’ he and his buddies built to hack phones via Bluetooth from hundreds of yards away. Billionaire backer Vinod Khosla says Lookout’s co-founders “smell like entrepreneurs with a very long vision”

Symantec has no taste,” says 29-year-old entrepreneur John Hering, borrowing an insult Steve Jobs lobbed famously at Microsoft. The shoe fit then, and Hering thinks it fits another foot now. “When you look at their user experience, design, marketing, everything. Their products are oriented around fear.”

Fear, or deliverance from it, has been a huge selling point for antivirus software. But as the computing world shifts from PCs to mobile devices, Lookout has been able to trounce multibillion-dollar security giants like McAfee and Symantec without scaring people. Instead, the startup has wooed users with a slick interface and free features like data backups and find-my-phone tools. It was born in a different era, when free mobile apps proliferate through word of mouth, not crapware PC installations by computer makers and ads for shrink-wrapped software. “We actually built a security product that people want to use,” says Hering.

Hering and his two co-founders have amassed more than 30 million mobile users—close to 20 million more than either competitor—with more than a million added every month. Thanks to what it says is a high single-digit percentage of users that upgrade to its paid version, it has raised $76.5 million in rounds led by Khosla Ventures, Andreessen Horowitz, Index Ventures and Accel Partners, drawing murmurs of a billion-dollar valuation. (Hering describes it only as “concretely within the ballpark.”)

With carriers such as T-Mobile, Orange and Deutsche Telekom preloading Lookout on some or all their Android phones, and Sprint to come later in 2013, Lookout seems poised to own the consumer smartphone security industry. It just has to prove that such an industry exists—before its business is swallowed or squashed by Google, the company that made its success possible in the first place.

Mobile security has evolved in the last few years from a solution in search of a problem to a near necessity for the 54 percent of smartphone users with Android devices. While Apple’s iOS has remained virtually malware-free, German antivirus auditors AV-Test count tens of thousands of new Android malware variants a year, up from fewer than 100 in 2009.

Lookout, with constantly refreshed data from the tens of millions of its Android users who opt to upload new threat info, has been the first to spot many malware outbreaks. In 2011 it revealed a collection of 50 scam apps, known as Droid Dream, in the Android Market, now renamed Google Play. The same year it was the first to discover the text-sending malware GGTracker, which had infected 1 million phones. And when Symantec declared it had spotted a collection of as many as 5 million phones infected with a malware called Counterclank, it was Lookout that deflated Symantec’s claim by showing that the apps were just an aggressive ad network. Lookout’s detection rates, according to AV-Test, rank among the highest of any mobile antivirus software, tied with McAfee and ahead of Symantec as of March 2012.

Hering and his co-founders, Kevin Mahafey and James Burgess, saw the potential in mobile protection long before Google entered the smartphone market. In early 2005, the three University of Southern California students spotted a vulnerability in Nokia phones that let unauthorised devices access them via Bluetooth. Nokia ignored their warnings until they put a laptop with a Bluetooth antenna in a bag and walked around the Academy Awards red carpet, collecting evidence of the bug from celebrities’ hackable phones.

The trio launched Lookout in 2007 and hooked users early with practical features like automatic data backups and find-my-phone capability. The latest version can send up a GPS ‘signal flare’ just before a phone’s battery runs out or use a phone’s front-facing camera to automatically snap a picture of a thief who guesses the phone’s login code, e-mailing the mug shot to the phone’s owner.

Now Lookout wants to lock in its success with an ongoing ‘app genome project’, the scanning of every Android app in the world, whether on a phone, in app stores or on the web. Lookout runs the programs in quarantined sandboxes, comparing snippets of code and network connections among 5 million apps and pulling evil needles out of Android’s haystack of programs. “We thought we’d look at this as a data mining problem and use lots of correlations that are very hard for bad guys to evade,” says Mahafey, Lookout’s chief technology officer.

Google isn’t about to cede the security of its operating system to third parties. In February of last year it launched Bouncer, a malware scanner to screen new apps submitted to Google Play. A version of Android released in November includes a verification service that checks every program downloaded to the phone, from both Google Play and the web. Google can zap rogue apps remotely if it so chooses. Hiroshi Lockheimer, vice president of engineering for Android, doesn’t believe users need antivirus on their Android phones.

“Redundancy might not be a bad thing for security,” Lockheimer says politely, “but I personally don’t use added security products, and don’t recommend that my parents or wife do, either.” Gartner analyst John Pescatore doesn’t see a mobile antivirus software market ever reaching the size it did on PCs. “If you look at the things Lookout is trying to do,” he says, “Google is doing them.”

Except it’s not doing them very well right now. Several researchers have demonstrated simple tricks to sneak malware past Google’s Bouncer. And, in a recent North Carolina State University study, Google’s app verification caught a measly 15 percent of bad apps, under-performing every other scanner tested.

Lookout has options. Hering hints that his startup could become the security layer for the long-discussed Internet of Things, a world where everything from thermostats to cars are networked. Many of the devices, such as Amazon’s tablets or phones built by Chinese search firm Baidu, run Android in flavours that are out of Google’s control; Lookout now offers an app for the Kindle Fire. Investor Vinod Khosla floats ideas like phone insurance or even building a more secure version of Android. “What everyone knows about Lookout today is 5 percent of what we will be,” Hering says.