Security firms squabble over mobile threats

CA says F-Secure is hyping smart-phone risks, but Finnish company insists threats are real--just not widespread.

Tom Espiner Special to CNET News
3 min read
After launching a mobile-security service last week, Finnish antivirus specialist F-Secure is being accused of magnifying threats to smart phones.

Software and services company CA in a statement Monday said F-Secure is marketing its service, which is designed to help protect mobile devices against malicious software, by carrying out a sustained campaign of hype.

"F-Secure is saying there's a huge risk of malcode spreading, but they've built this up," said Simon Perry, the European vice president of security for CA. "If you look at their behavior, they've consistently pushed this message. But it's a theoretical; not a real threat."

The Finnish company signed a deal with U.K. wireless service provider Orange last week to provide security for the operator's smart devices.

Matias Impivaara, director of mobile security for F-Secure, denied that the company had engaged in hype.

"It's amusing--the idea that I could sell something to an operator that they don't need," Impivaara told ZDNet UK. "Orange had a formal procurement process, where they put the contract out to tender, based on their own analysis. It's a process that doesn't happen by accident."

The company's marketing machine is not so big that it could change the opinion of the world, Impivaara added. "It's flattering for me as a salesperson, but I'm just not that good," he said.

CA, which makes corporate security products and the eTrust consumer protection range, insists that the threat to smart-phone users is minimal and that Orange customers are better off not spending their money on mobile security. "Dig below the skin, and the message stops sounding pithy and starts smelling rather rotten. At the core of the rot is the mostly undeniable fact that there is no threat to protect against," Perry said.

F-Secure accepted that there were few examples of malicious software targeting smart phones at the moment, but it said cases had been seen in the wild. "It's not a global epidemic, but there are real people who have got it. There have been several tens of different viruses. (These are the) early days for mobile virus writers," Impivaara said.

CA said criminals do not have an economic incentive to develop malicious code and that the risk of such attacks spreading around smart phones is minimal because of a lack of interoperability between platforms and phone models. Network services don't allow for the fast spreading of code from phone to phone, and user interaction is required for any viruses to spread, the company added.

It said F-Secure has created an atmosphere of fear, uncertainty and doubt to sell its product, undermining the relationship of trust that has been established between the industry and vendors.

"While F-Secure's bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market," Perry said. "Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice."

F-Secure's Impivaara responded by saying that both mobile operators and clients had approached the company.

"It could be bad for the industry if we were trying to scare people, but people call us with real problems and real viruses. We have created a solution to these threats for our customers. If we have mobile operators coming to us, we would be quite stupid to turn them down," he said.

"I have difficulty understanding how this can be bad for (the antivirus) business. This is not a mass problem for all consumers. But our solution is available to those who need it, and there are people who need it today," Impivaara added.

Tom Espiner of ZDNet UK reported from London.