Handhelds: Here come the bugs?

Even though there are fewer than a handful of ineffectual viruses and Trojan horses on mobile devices, security companies think now is the time to push their wares.

Robert Lemos, Staff Writer, CNET News.com

It's a mobile security catch-22.

Taking to heart the criticism that handheld computers are a security hazard, more than half a dozen antivirus software makers have recently released applications that prevent malicious code from entering corporate networks via mobile devices.

Yet what some would praise as foresight, others are criticizing as overly fierce marketing. In fact, the flood of new software has several security researchers arguing that the antivirus companies are hyping what is currently a minimal threat and that the software, rather than helping, is highlighting insecurities in the devices.

"I wouldn't say that they advertised (mobile-device viruses) into existence, but there is little to be gained when you have detection for a platform without any (damaging) viruses," said Roger Thompson, technical director of malicious code research for security services company TruSecure.

The problem, he said, is that no truly dangerous virus or Trojan horse has yet been created for mobile devices, making antivirus software for them simply protection for the paranoid.

"It's putting the cart before the horse," Thompson said.

The situation underscores the schizophrenic relationship antivirus software makers have with the threats they protect against: Too many warnings lead critics to accuse the companies of hyping the issue; too few warnings and companies risk being seen as dropping the ball.

Some security experts say the antivirus companies are leaning toward hype. In March, three major software makers released virus protection for the Palm OS-based personal digital assistants (PDAs) and other devices, declaring that mobile and wireless devices would soon become the newest front in the war on malicious code.

"PDAs are no longer immune to security threats," Risto Siilasmaa, CEO of Helsinki-based antivirus software maker F-Secure, said March 7 in a statement announcing the release of his company's antivirus software. "There's no way to predict when the next virus will occur."

Worst-case scenario
The worst threat: Once handhelds are connected to the wireless Internet, viruses--and their cousins, worms--could quickly spread throughout a large number of devices.

Santa Clara, Calif.-based Network Associates called viruses and Trojan horses an "emerging security threat" to mobile devices in its release earlier this month announcing its second component of antivirus software to protect Palm, Windows and EPOC devices. Cupertino, Calif.-based Symantec has heralded handhelds as "increasingly at risk" and plans to release its own protection for Palms later this month.

At present, however, only a handful of digital viruses have targeted handhelds.

In August, Palm owners had to watch out for the Liberty Crack Trojan, a program advertised as a way to circumvent--or crack--the popular Liberty program for playing Nintendo Game Boy titles on the Palm.

A month later, researchers at two antivirus companies discovered the first virus, called Phage 1.0, that infects programs on Palm devices. The virus would infect all the programs on a Palm whenever the infected program ran.

Smart phones--which combine cell phones with handheld functions--and mobile e-mail are in the sights of virus writers as well. Last June, Timofonica, a variant of the LoveLetter virus, spammed thousands of mobile phone owners in Spain by routing e-mails through an Internet-to-cellular gateway. In Japan, a Trojan horse that appeared on I-mode phones caused the devices to dial the country's emergency-services number.

Those viruses largely failed. Yet people are still worried, said antivirus company Central Command, which released its own protection in December for handhelds that use the Palm or Windows CE/Pocket PC operating system.

The Medina, Ohio, company surveyed more than 3,000 people and found that almost no handheld owners used antivirus protection, even though 81 percent stated that they worried about future viruses that could infect their mobile devices.

Taking out insurance
Such worries could drive the market. Even if a threat doesn't materialize, corporations will need to buy the software as an insurance policy against a mobile virus catastrophe, said Chris Christiansen, an analyst with market researcher IDC. Although such software garnered a measly $2 million in 2000, he expects the industry to net more than $800 million in 2004.

"Basically, it's for the truly paranoid and really leading-edge companies," Christiansen said. For them, "the question is not if there will be a virus attack--it's a question of when. It is inevitable that there will be a massive, extremely serious virus attack on mobile devices."

Even Rob Rosenberger, editor of the Virus Myths Web site and a frequent critic of the antivirus industry, supports the industry's choice this time around.

A few years ago, he criticized Symantec for highlighting security issues with JavaScript that he believed would quickly lead to a virus. He now admits he was surprised when no virus materialized for more than two years.

That experience would indicate that having protection when there is no threat is better than not being protected when the real threat comes around, he said. "It beats coming up with a product out of the blue. I don't think people need it right now, but it will be ready when it comes out."

Yet security experts maintain that reality does not support the marketing.

"We are still several years off from the threats," said Dave Kroll, director of security research and marketing for Finjan Software. "Virus writers gravitate to what is easiest and effective. Why do something through a PalmPilot when you can go directly to a PC?"

Two words: Backup plan
The ability to sync makes the data on Palm-, Pocket PC- and EPOC-based devices able to survive the damage of today's malicious code. Because most people sync their devices with a PC, even if a virus or a Trojan horse wipes out their data or programs on the handheld, re-syncing will generally restore any lost information.

"People always back up their data," said TruSecure's Thompson. "Unless people get something that goes across the platform, there is really not much of a (security) issue."

Corporations worry about the same thing: that a virus or Trojan horse will spread from PC to PC within a corporate network when employees sync their infected handhelds. To date, such a scenario hasn't arisen.

Even the antivirus software makers themselves play down the necessity of protecting one's handheld against viruses and Trojan horses.

"We think the threat level is low," Trend Micro spokeswoman Susan Orbuch said. "That's why we are offering (our product) for free." In February, Trend Micro released its own version of antivirus software for Palm and Windows CE/Pocket PC devices.

Vincent Gullotto, director of Network Associates' antivirus emergency response team, agrees. "From a threat perspective, no, you don't need it," he said. "But this is an area that network managers should become familiar with."

Gullotto said he believes that virus writers will target Pocket PC mainly out of spite toward Microsoft and because "it might not take much to take an existing threat that works on the PC and convert it to the Pocket PC as well."

"We have really tried not to hype the situation," Gullotto said. "It could be two years out that nothing happened and we haven't sold anything, but at least we were prepared."