For years now, people have talked about viruses that would attack mobile devices like PDAs or mobile phones instead of traditional PCs. Despite the predictions, no major outbreak comparable to Sasser or MyDoom has occurred. Nonetheless, with the continued spread of intelligent smart phones with voice and PDA functions, malicious programmers are beginning to take a look at these miniature attendants. But mobile viruses are still miles away from being the potential threats faced by their bigger PC cousins. Viruses for mobile devices are not yet widely distributed and have not caused a significant amount of damage. The main reason? Until recently, it was hardly possible to become infected with a mobile virus.
Viruses, Trojan horses, and other malicious intruders needed a means of transportation into a file to infect it. For PCs, the way was generally the Internet or an external data medium. But the first generations of mobile devices did not have any access to a worldwide network. And hardly anyone exchanged, obtained, and installed programs from questionable sources. The devices had only limited opportunities to exchange data. Limited market penetration and various competing proprietary operating systems also helped limit the commitment of authors of viruses.
This situation has changed. The possibilities of modern mobile phones are making portable devices a worthy target of attack. Large quantities of data can now be easily exchanged with Bluetooth. Short message system (SMS) and, especially, multimedia message system (MMS) permit the transfer of code without distance limitations. An Internet connection has just about become standard. And according to a current study by Forrester Research, the market penetration of mobile phones in Europe lies at about 80%; the portion of Internet-ready devices in many age groups already lies at over 60%. On top of all that, the market now has a clear leader – the Symbian operating system used by Nokia and other manufacturers. According to Gartner, some 80% of all smart phones come from the Finnish company. Taken together, all of these factors produce the ideal conditions for damaging programs.
First Pests in the Wild
Since last fall, the threat has become more serious. Two viruses for Nokia Series 60 smart phones are active and can cause significant damage. The first is a Trojan horse named Skulls, which spreads by being downloaded from the Internet. Skulls presents itself to unsuspecting mobile phone owners as an additional theme manager for Nokia Series 60 devices. But if a user installs the program, Skulls replaces all icons with skulls so that neither the menus nor the telephone book are usable. The telephone must be sent out for repair, which erases all the data stored on it.
The second is a virus named CommWarrior, which has been spreading since March 2005 on Bluetooth and MMS-compatible systems. If a mobile phone that is running Symbian and has an open Bluetooth connection winds up in a restaurant near an infected telephone, the virus is transferred automatically. The worm convinces users that it’s secure by pretending to be an official update from Nokia or a virus protection program from Symantec, and the recipient then installs the virus manually. Its potential for damage? In the first hour of the fourteenth day of a month, CommWarrior triggers a reset of the device – which erases all the data stored on it.
But still, there’s no reason to panic. Neither Skulls nor CommWarrior has spread very far yet. Youthful mischief is usually the driving force behind the authors of viruses, as seen in the example of the Netsky developer, who recently appeared before a German court. The situation becomes serious only when criminals find a way to use technology for nefarious ends.
Protection Is Available
Even though the risk is still slight, the manufacturers of virus protection solutions sniff an opportunity for business; almost all of them today offer anti-virus software for widely used mobile models. And wireless service providers also see an opportunity here for additional business and to differentiate themselves from the competition. T-Mobile, Telia Sonera, Orange Schweiz, and others offer virus protection solutions for end customers.
Yet it remains questionable whether buying virus protection for mobile phones is really necessary. Yes, viruses are present in the wild. According to Trend Micro, a security company, six new Symbian viruses were seen in the second quarter of 2005. But the actual threat is rather limited. As before, no author of malware has been able to activate a pest on a mobile phone without action by its owner. A user must confirm the installation. Current viruses for mobile phones can be neutralized with some caution and user training.
As a basic rule, no one should open an MMS message whose source is questionable. Program files that users did not explicitly request and that are not signed by a trustworthy supplier should be deleted without having been viewed. It’s also very important that the Bluetooth function on a device is configured properly. The mobile phone must always remain invisible to unknown Bluetooth devices. The required setting takes only a few seconds to make. The setting allows contact only with explicitly authorized devices. Users who do not generally need Bluetooth should simply deactivate the function and switch it back on only when needed. Doing so not only increases the level of security, but also the lifetime of the rechargeable batteries.
Earliest Danger in 2007
Gartner does not see an acute danger from mobile viruses. Gartner analysts warn against creating a panic and count mobile viruses among the five “most over-hyped IT security threats.” Gartner also questions putting virus protection on an end device because the protection is inefficient. “Increasingly, virus scanners can help on a PC only when cleaning up after a virus outbreak,” says Jay Heiser, a Gartner analyst. That’s why companies should demand security functions from their providers. “Unlike the Internet, wireless telephony always has a unique supplier that can check and, if needed, filter the data flow,” says Heiser. And as the Gartner study indicates, the providers must prepare for protection from mobile viruses demanded of them by the end of 2006. The market researchers expect worms that spread with the same speed as they do on PCs at the end of 2007 at the earliest.
Although Heiser tends to see all viruses active on smart phones as experimental, he can also imagine some “business models” for criminals. “For example, blackmail by denial-of-service attacks against individual devices or wireless service providers to block their networks are conceivable,” he says. And Heiser can also imagine the misuse of foreign devices to transmit mass messages anonymously – according to the model of robot networks on the Internet. “The devices are becoming more and more similar to PCs. As a result, the threats are also similar to those for PCs,” he says. But that alone does not yet lead analysts to see a serious danger because smart phones have too little computing power and a limited range of functions.
Little Interest from Customers
Users apparently see things the same way – and hold back from purchasing virus protection solutions. As Hans-Joachim Diedrich, country manager for Germany, Austria, and Switzerland at F-Secure admits, “The revenues with mobile virus security are so small that you can’t recognize them in the total turnover.” But for the suppliers of virus protection, the growing technological possibilities of the devices make it only a matter of time until mobile viruses become a serious threat. “We can’t yet see when and what it is, but a major event will come,” says Mikko Hyppönen, chief research officer (CRO) at F-Secure. He’s sure of it. “The situation might change quickly, so we want to have a proven tool on the market before the first big outbreak,” he adds.
And Hyppönen also admits that so far most mobile viruses have not had a great potential to do harm. But, he asks, “what happens when someone finds a way around user interaction when executing code on an end device?” One key problem with mobile phones has so far been an inability to bring the operating system up to date and thus close any security loopholes without a great deal of effort.
Uninteresting for Criminals
Christoph Hardy, a consultant at Sophos, a supplier of virus protection, has a similar view. “Mobile viruses are a tempest in a teapot,” he says. In the coming years, Hardy does not see a serious danger for smart phones. First, the community of virus authors has changed. Criminals have taken the place of youthful programmers – criminals who want to earn money from their efforts. According to Hardy, smart phones offer too few options to make money. Second, you don’t even need to write a virus for devices with an unprotected Bluetooth interface. “Why go to all the trouble when you can read the data directly by bluejacking?” he asks. With bluejacking, an unauthorized person reads data from an external device over a Bluetooth connection.
According to Hardy, industrial espionage and other criminal activity will remain a niche for a few more years. Even applications like online banking will not change the situation with smart phones because “only a small portion of users employ such applications,” according to Hardy.
Dealing with the Topic Now
Although no one can count on an extensive outbreak of viruses on smart phones, companies should start to deal with the topic now. Many questions still remain open. Companies need to determine who is responsible for virus protection. The IT department, the wireless provider, or the device manufacturer? Companies must be prepared. Companies that develop security for their mobile devices in good time will not have to deal with time pressures and can evaluate all their options in depth.
Heiser recommends two measures to companies. “Even today, requests for proposals should include security and demand it from potential suppliers,” he says. He also recommends the introduction of guidelines for procuring and using smart phones and, for better administration, standardization to one type of device.