Experts are divided over the potential impact of mobile viruses but, Tony Dennis explains, as customer perception of the threat increases, operators will have to act.
When it comes to evaluating the threat from viruses and other forms of ‘malware’ (malicious software), the mobile phone sector has reached something of a crossroads. Hackers have been experimenting with malicious code aimed at mobile phones for some time now, so it seems natural to assume they’ll do serious harm eventually.
Not everyone agrees that there is a serious threat. Even so, mobile operators must be seen to respond. But how? Do they simply make virus-checking software available to their subscribers? Or do they protect their own networks with anti-virus servers? Perhaps, the ideal solution is a mixture of both approaches?
There are still those prepared to argue the threat from viruses is minimal and merely the result of scaremongering. To date, it has been smartphones powered by the likes of Windows Mobile, Palm OS and Symbian which have proved to be the most vulnerable to such attacks. Since such devices have formed only a fraction of overall handsets sales — even though smartphones sales are rising — some companies view the threat as being exaggerated.
At mobile banking specialist, Meridea, the company’s ceo, Jukka Riivari claims, “Viruses require a uniform infrastructure to effectively infect targeted devices. But not all mobile phones are alike, and their ‘complexities’ make it hard for mobile viruses to be a significant threat.”
Others dispute this viewpoint. David Emm, a senior technology consultant with Kaspersky Labs, comments, “Cabir, the first worm for mobile phones, was discovered on June 14th 2004 and threats aimed at smartphones have continued to appear, with several of them based on the source code for Cabir. The threats we’ve seen so far include a virus, worms and several Trojans. In other words, the same types of threat that have plagued PCs during the past 20 years.”
He adds, “We estimate that some time within the next two to five years, mobile viruses will become a serious problem.”
Significantly, the first ‘proof-of-concept’ style virus appeared as far back as March 2005. This virus was capable of propagating itself via MMS and was intended to prove (the concept) that a mobile virus was indeed achievable. Although it was restricted to Symbian based devices, Commwarrior was far more threatening than Cabir which could only make ‘one hop’ from device to device via Bluetooth. It therefore only threatened those handsets in its immediate vicinity.
Things changed radically with the discovery of a virus called ‘Redbrowser A’ — for two very good reasons. First, this virus attacked handsets capable of running Java applications. Instantly this meant that mid-range mobile phones were vulnerable. Although only specific (MIDP 1.0 handsets) were the real target, Sun Microsystems has estimated that at least 125 existing handsets running J2ME (mobile Java) were potentially at risk. The outbreak was confined to mobile networks in Russia (partly for language reasons). Secondly, and perhaps more significantly, Redbrowser A was designed to make money for its perpetuators.
As David Frazer, director of technology services with mobile virus specialist, F-Secure, explains, “Almost all mobile viruses so far have been limited to smartphone platforms like Symbian and have been proof-of-concept by design — meaning that they have been developed more to test the limits and weaknesses of the wireless network rather than as a means of achieving financial gain [like Redbrowser]. “According to Mark Murtagh, technical services director, with mobile security specialist, Websense, this Russian virus was created to generate messages from premium rate lines to be sent to the infected handset and the users “weren’t even aware that they were being charged around £1.50 per text to receive them.”
Statistically-speaking the threat from viruses is very definitely growing. Virus specialist, Fortinet, has calculated that the number of mobile viruses and mobile Trojans increased by more than 500% last year [2005] to over 100 unique threats. This compared to less than 20 in 2004. Rival virus specialist, Trend, has collated the number of threats identified in-the-wild (ITW) as reaching a peak of nearly 2,000 a month in November 2005. More worryingly, Trend has identified the first cross-platform virus — Cardtrap A — capable of infecting a handset’s memory card with a worm. When the infected card is inserted into a Windows based computer, it can then distribute the carried viruses. Furthermore, Trend has also discovered a virus which attempts to gather contact details and send them to another mobile device. Labelled Pbsteal A, this was, in effect, the first information-stealing threat for mobile phones. In the PC world the technique
for stealing personal information is rife and commonly known as ‘phishing’.
One reason why the threat from viruses has been dismissed is that, “The initial evolution of the mobile market provided a good means of natural security from viruses,” claimed David Sym-Smith, a vp for business development, with Innopath Software.
“Diverse devices and no dominant operating system made it extremely difficult even for the most advanced virus writers. The storage capacity on most devices was miniscule and even if attackers could manage to get their malicious code onto phones, the code couldn’t be complex enough to cause significant damage,” Sym-Smith argued.
That’s all changing with the introduction of MP3-enabled handsets sporting Gigabytes of memory storage – either in the form of memory cards or hard drives. Dual processor handsets are commonly available and the latest smartphones arguably have more power than some PCs. So the danger of a virus has increased immensely.
Arguing against a great virus threat, Peter Whale, strategic product marketing manager with TTPCom maintains that “Java [on mobile phones] is very fragmented, so any virus is likely to be restricted to particular make/model numbers.” As indeed is the case with Redbrowser A which infects a small number of models (mainly Nokias). “This fragmentation will make it harder for viruses to spread,” Whale asserts.
Conversely, as an Openwave spokesman highlighted, “Mass market devices can be attacked. Even the most affordable mobile handsets contain powerful messaging capabilities and are interconnected by a range of advanced networking technologies.” An email is the commonest means of conveying a virus in the PC world. Furthermore, Kaspersky Labs’ senior virus analyst, Aleks Gostev, points out, “More mobile devices will be able to connect to each other, as well as to the internet. The one thing these devices have in common is that they are portable, and able to transmit data via Wi-Fi (WLAN). An epidemic caused by mobile malware could be on a far larger scale than anything we have seen so far.” Despite the existence of divergent views on the extent of the virus threat, there is a general consensus that the mobile operators need to react to customers’ concerns.
As Tim de Luca-Smith, a spokesman with SmartTrust explains, “There are far fewer mobile operators than there are ISPs. Plus, companies like O2 have expended great efforts on building their own brands. When customers become worried about viruses, it’s their operator they turn to first.”
Additionally, Purvi Parekh, a partner with DLA Piper Rudnick’s communications practice, explains that there may well be a ‘duty of care’ for operators to protect their customers from malware. “It’s untested in the courts,” she reveals Presently there’s no clear indication as to whether customers could sue operators if content delivered over a mobile network resulted in loss of revenues, profit or business opportunities, according to Parekh.
One company with plenty of experience in combating malware is, of course, Microsoft. “Protecting the edge of the network first is the most effective and most efficient defence strategy,” Peter Wissenger, group lead with Microsoft’s mobile and division, suggests. “Mobile carriers cannot afford to let a virus into their network at any point. Once it’s in, the damage is done and the risk of it impacting the end-user experience is very high.”
The vendor claiming to be the first to respond to this particular requirement is Ericsson. Known as the Ericsson Mobile Device Antivirus solution, its solution offers centralised control over antivirus and SMS spam protection. The initial version of the product works with smartphones running either the Symbian OS or Microsoft’s Windows Mobile OS. Katarina Löweberg, director for mobile applications with Ericsson Enterprise, claims, “For the first time, mobile operators now have a way to offer their enterprise customers centrally-managed protection for smartphones against malicious mobile code such as SMS spam and viruses.”
The Ericsson offering is based on Trend’s micro mobile security product. Other vendors are scrambling to follow suit. For example, Cisco has tied up with AdaptiveMobile to offer solutions to combat threats from mobile viruses and spam.
Microsoft’s Wissenger believes, “End user controls should be seen only as a last line of defence, because once a debilitating virus hits the end user, the battle is already lost.” That said, it hasn’t prevented Microsoft from closely co-operating with market leading vendors of security products including Computer Associates, F-Secure, Symantec, McAfee, JP-Mobile Developer One, Information Security and Illium Software to produce products suitable for Microsoft based handsets. There’s even a section on the Microsoft Web site which lists Smartphone and Pocket PC compatible anti-virus packages from a wide range of suppliers including Bullguard and Airscanner.
Some operators have taken direct action themselves. At Orange Switzerland, Martin Troxler, director of business excellence, sees the danger of virus attacks on handsets as being quite small. “Nevertheless, both individuals and companies are showing a great deal of interest in a simple, cheap, effective security solution,” he explains. Consequently Orange has enabled F-Secure’s Mobile Anti-virus to be downloaded directly to a mobile phone from the Orange World portal. Once the software has been installed, automatic updating can be enabled and the mobile phone can be checked for viruses. Additionally, the mobile phone will check for and install the latest software updates, either via SMS or by a GPRS/3G data link.
Once installed, the danger with any anti-virus package is that it will become outdated – thereby lulling its owner into a false sense of security. This has lead several vendors, such as Innopath, to advocate over-the-air (OTA) mobile device management solutions. “If a virus became widespread, a mobile operator could be forced to offer a firmware update,” claims Carsten Brinksculte, CEO with another OTA supplier, Synchronica. “Traditionally, this is done via cable and a visit to a service centre. Using OTA firmware updates, mobile operators can offer an instant fix to large numbers of users.”
Overall, the general consensus is that once subscribers perceive that there is a danger from viruses — thanks to the huge publicity they generate — operators will be forced to react. “As phones become more sophisticated, it is inevitable that the number of viruses will increase but they are unlikely to proliferate to the extent that they have over the internet,” argues Tom Weiss, author of Mobile Strategies. “Because the operators tend to provide the handsets as well as the network, it is likely that they will provide end-to-end virus protection solutions that have only been available from third party sources on the internet.”