X

The phantom menace?

CNETAsia's Winston Chai wonders whether it's too early to hit the panic button on mobile viruses.

4 min read
All-day, free incoming calls. Six hundred minutes of free outgoing talk time. Three hundred free cell phone text messages per month.

In addition, free antivirus software with one year's subscription to live updates.

That extra security protection could well be offered in mobile subscription plans soon, going by the Internet Security Threat Report released recently by Symantec.

According to the security giant--which found a 64 percent increase in new viruses and worms between June and December 2004 and a sharp rise in the number of phishing attempts--there is a possibility that the ongoing struggle with PC security could soon manifest itself in the cellular realm.

Symantec's research showed that 21 malicious programs targeting mobile devices have been reported since the emergence of the Cabir cell phone virus last June. While most of these have been nothing more than proof-of-concept code affecting very few users, the company--like most of its rivals--believes that such viruses and worms will become a real danger, helped largely by the deployment of high-speed, third-generation wireless networks, also known as 3G networks.

Have mobile threats been overinflated by security vendors?

An early warning could lie in the CommWarrior threat, a Trojan horse targeting Nokia's Series 60 handsets that surfaced earlier this month. Unlike predecessors such as Cabir, the Trojan uses both Bluetooth wireless connections and Multimedia Messaging Service, or MMS, to hasten its spread.

In anticipation of such onslaughts, companies such as Symantec are tailoring their offerings to mobile operating systems like Symbian and Windows Mobile. McAfee has released an antivirus package for NTT DoCoMo handsets, while Russia's Kaspersky Labs is testing a version for Symbian phones.

With such intense efforts under way, should cellular subscribers hit the panic button anytime soon, or have mobile threats been overinflated as part of these vendors' quest for market diversification?

Cell phone viruses could someday walk the talk and become a real danger, but I believe it will be some time before this becomes a reality. Current doomsday prophecies stem largely from the belief that with 3G networks, Web-enabled mobile devices will be exposed to the same vulnerabilities and threats that now plague the Internet.

Looking back
However, history suggests that viruses aimed at mobile devices are not a recent discovery. Case in point: In 2000, a Trojan--the Liberty Palm Pilot Trojan--capable of deleting applications on Palm handhelds surfaced. In the same year, a Norwegian company reportedly discovered a flaw that would allow text messages coded in a specific way to freeze certain Nokia phones. Besides being lab specimens, both were never exploited.

It's been five years, and contrary to initial speculation, even with Wi-Fi and Bluetooth becoming almost standard connectivity options in most PDAs (personal digital assistants), the threat of a full-blown handheld virus has yet to materialize. Arguably, the prospect of having "always-on" 3G phones with a potentially large user pool could expedite matters, but this brings me to my second point--that of user uptake.

As Symantec's report indicates, malicious code writers have moved past the fame game and are now seeking financial gains for their exploits. This means there is little motivation in writing a piece of malicious software just to crash a cell phone, apart from proving that it can be done. But the bigger impetus may be to obtain Internet banking passwords stored on a smart phone.

The more imminent danger is an increase in mobile spamming and phishing scams.

This begs the question: When will mobile commerce take off? Despite the grand dreams of making mobile transactions commonplace, they remain just that--a dream. It took nearly five years for text messaging to take flight in Singapore. Three years on, response to MMS can be described as lukewarm at best. How many years will it take for users to accustom themselves to streaming videos, video conferencing and Net banking on their 3G handsets?

The more imminent danger, in my view, is an increase in mobile spamming and phishing scams, and not malicious programs wreaking havoc over the airwaves.

Furthermore, viruses and worms tend to be OS-specific. When it comes to feature-laden 3G smart phones, there are a number of platforms being used: Microsoft Windows, Symbian, Palm--just to name a few. Even with the more popular platforms like Symbian, there is fragmentation in how it is used by handset makers. CommWarrior affects Nokia handsets but not Sony Ericsson phones, although both companies use Symbian. It would be extremely difficult to develop a platform- and brand-agnostic piece of malicious code capable of spreading to a large number of people within a short time.

Even if a mobile virus manages to proliferate, operators should theoretically be able to contain the damage by providing patches "over the air." Moreover, the use of digital certificates in Symbian and Windows Mobile operating systems should serve as a further deterrent.

Viruses like Cabir and CommWarrior require the user to be a willing party in the infection process. With digital certificates, any attempt to install an application that is outside the "circle of trust" should trigger a user warning. With ongoing education on the PC security front, shouldn't people be better informed to tackle emerging mobile threats?

At the end of the day, having antivirus protection on mobile phones may give consumers peace of mind. But exercising discretion--or in some cases, common sense--goes an even longer way. As security vendors often say: If you wouldn't give your bank account number to a stranger on the street, why would you give it to a stranger over e-mail? Or in this case: over mobile text messages?