Is your cell phone due for an antivirus shot?
Security software industry focuses on mobile phones but runs into resistance from service providers.
Programs that fight viruses have become a necessary evil on Windows PCs. Now the antivirus industry is turning its attention to mobile phones--but it's running into reluctance from cell service providers, who aren't so sure that the handset is the best place to handle security.
Verizon Wireless, one of the top U.S. mobile networks, doesn't see a need for its customers to install antivirus software on cell phones. "At this point, that is absolutely not required by individual customers," spokesman Jeffrey Nelson said.
But makers of security software are eager to get their products onto handsets, a huge potential market. About 812 million mobile terminals--such as cell phones and smart phones--were sold in 2005, according to market researcher Gartner. That compares with an estimated 219 million PCs in the same period. The market research firm expects annual mobile device shipments to exceed 1 billion units for the first time in 2008.
While the number of threats to cell phones is low, security experts and analysts agree that situation is likely to change. Gartner suggests a widespread attack could surface by the end of next year. In this period of quiet before the storm, antivirus makers and mobile providers disagree on the needed defenses. Without a solution, cell phone users could lose out.
More than 150 viruses that target cell phones have been discovered since June 2004, and tens of thousands of infections have been reported worldwide, Mikko Hypponen, chief research officer at security company F-Secure told session attendees at last week's RSA Conference.
That count, while it may seem high, is eclipsed by the number of PC viruses, which stands at more than 150,000, according to F-Secure research. So far, most cellular viruses have been created only to show that they are possible. They haven't actually been released into the wild. "Today, you are still much more likely to get hit by Windows malware then by any mobile phone threat," Hypponen said.
Even so, some antivirus makers are raising a red flag about mobile phone risks, saying that the number of attacks will likely change over the year or two, as more people get phones with advanced features that could be exploited by malicious software. "I think we're really at the tipping-off point," said David Rayhawk, a mobile threat researcher at McAfee.
In the hunt
Symantec, McAfee and F-Secure are the front runners in selling security software for handsets. Recently, Helsinki-based F-Secure announced an expanded relationship with Nokia to sell antivirus software to the handset maker's customers. Symantec has a similar agreement with the Finnish company, the world's largest manufacturer of cell phones. McAfee's software is installed on some phones in Japan.
In general, antivirus software makers foresee that their products will be on all handsets soon. "We estimate that in the future, every single phone will be running an antivirus system," Hypponen said.
That vision isn't shared by some U.S. cellular companies, which often sell phones alongside their service subscriptions. Verizon Wireless has made its resistance clear, and T-Mobile USA said that it is still investigating options. "We're in the process of understanding the marketplace to determine how our customers' needs are best served," a representative for the carrier said. "We are also evaluating potential threats to the handsets sold by T-Mobile and steps needed to mitigate potential risks."
Cell phone operators have typically focused on their network, rather than phones, as the place to try to thwart mobile virus threats. In moves invisible to users, they scan messages moving from one device to another to filter out malicious programs. Verizon Wireless, which has 51.3 million customers, and T-Mobile USA, which claims 20 million customers, both have scanners in place, representatives said.
"We filter for specific types of malicious code attached to MMS messages," the T-Mobile representative said, referring to multimedia messaging technology. MMS messages are photos, music and similar files sent between phones. "To date, there have been very few types of malicious code that affect cell phones. Nearly all have been associated with MMS messages, and we have been able to block them with our current MMS processing technology."
Commwarrior, which antivirus companies say is one of the most common mobile pests, spreads using MMS messages, sent over a cellular network or via Bluetooth short-range wireless.
Fortinet, which sells scanning tools to mobile phone operators, said that up to 10 percent of all the MMS traffic scanned is infected with a virus. Fortinet has seen a more than 500 percent increase in mobile phone pests, from fewer than 20 unique threats in 2004 to more than 100 in 2005.
Gartner analysts have backed the scanning approach, saying that installing antivirus software on cell phones would be a mistake. On the PC, antivirus tools became largely ineffective and were reduced to removal tools when e-mail surpassed floppies as the dominant transmission mechanism for viruses, they wrote in a research note last June.
"The mobile world should not repeat the mistakes of the PC world. Malware protection services should be built into the network first, and device-side protection should be the last resort," analysts John Pescatore and John Girard wrote.
Pesky programs
Cell phone pests can crash handsets, attempt to install other malicious software or try to wirelessly transmit personal data to other gadgets. Most of the attacks rely on the device's owner clicking to execute a file received via Bluetooth or MMS. They also require the user to acknowledge and ignore a warning from the system that the file may be from an untrusted source and cause problems.
Risk assessment
Answers to key questions about cell phone viruses.
What's out there?
There are currently more than 150 viruses targeting cell phones, according to F-Secure research. Here are those that have made the most splash:
Cabir, first worm to target mobile phones uses Bluetooth to infect phones that run the Symbian operating system.
Skulls Trojan horse kills off system applications and replaces their icons with images of skulls.
Commwarrior spreads via Bluetooth and Multimedia Messaging (MMS) technology. The MMS messages can drive up a user's phone bill.
Am I at risk?
Probably not. There are few cell phone viruses in the wild. Most pests target advanced phones that run the Symbian operating system. These handsets are popular in Europe and South East Asia, but less so in the U.S.
What if I do have a vulnerable phone?
A phone cannot be infected via Bluetooth if that feature is disabled. Alternatively, you can switch off the feature that lets your phone be detected by other Bluetooth handsets. That should prevent infected devices from sending you malicious software.
In addition, mobile network operators have started scanning MMS traffic for malicious files.
Source: F-Secure, CNET News.com
The risk of infection is higher in crowded locations, such as big cities, in public transit or at a sports event, experts said. Whether a phone is vulnerable depends on the type of device and its configuration. High-end phones running the Symbian operating system with Bluetooth enabled are most likely to be attacked.
Handset owners have fallen victim to viruses like Commwarrior because it is persistent and the user interface on many phones is faulty, Hypponen said. When Commwarrior is attempting to spread via Bluetooth, messages will keep popping up asking the user to accept the malicious file. As long as an infected phone is nearby, declining the file will result in a new request popping up.
"The phone is asking you 'yes' or 'no,' and clicking 'no' doesn't work," Hypponen said. "Until you answer 'yes' or 'no,' the phone won't work. People are getting frustrated, they don't know what else to do, so they click 'yes' and then they get infected."
What people should do in such a case is walk away, Hypponen said. Bluetooth has a limited range of about 33 feet, and moving away from the device that is transmitting Commwarrior will stop the incessant pop ups.
Phones will change to address this problem, Hypponen said. Symbian, maker of the namesake mobile phone operating system, and handset makers are altering their software, he said. Other changes that have been proposed to secure phones include new, hardware-based security standards for the devices.
Symbian has been the biggest target of miscreants who write malicious software. Symbian is the most popular operating system for smart phones, including those sold by market leader Nokia. Two-thirds of all smart phones shipped in the third quarter of last year ran the Symbian OS, according to recent Gartner research.
Smart phones are digital do-it-alls. In addition to voice calls, the devices can be used for keeping a calendar, surfing the Internet, downloading software, and sending text messages and e-mail. In the future, they could replace wallets, say industry pundits, with consumers whipping out a specially equipped phone instead of a credit card to pay for a purchase. Microsoft has said the mobile phone could become the PC of the developing world.
Threats to mobile devices are expected to rise as more smart phones are sold. In the third quarter of 2005, worldwide shipments of smart phones totaled 12.6 million units, up 210 percent year over year, according to Gartner. As a proportion of all mobile shipments, smart phone shipments increased to 6.1 percent from 2.4 percent, Gartner said.
For a widespread worm or virus attack, several conditions must be met, Gartner analysts Girard and Pescatore. Smart phones have to be widely adopted, wireless messaging needs to be ubiquitous and one operating system should be dominant, the analysts said. For antivirus makers and cellular network operators grappling over what approach to take to protect customers, time might be running out.
"Gartner believes these factors will converge by the end of 2007," Girard and Pescatore wrote.