By Jack M. Germain TechNewsWorld
07/02/05 1:30 AM PT
Communication security experts do not all agree that cell phone and mobile device viruses pose imminent threats to U.S. consumers. Whether virus attacks become a problem in six months or five years might depend on how cell phone carriers react now to the threat potential.
A Gartner (NYSE: IT) report by security analysts John Pescatore and John Girard released June 22 says that despite the warning signals being sent by antivirus companies, mobile phone users don't really have anything to worry about for two years. They reason that too few U.S. consumers use smart phones or wireless messaging to exchange executable files. They also conclude that the lack of a dominant mobile phone operating system will delay the spread of virus attacks.
Software security firm Trend Micro's (Nasdaq: TMIC) Todd Thieman said that the development of such viruses will hinge on how mobile phone carriers prepare for potential virus attacks.
More Hype than Threat?
"Mobile viruses are more proof of concept now even though they have hit in Europe and Asia. Virus writers are cutting their teeth. It's a numbers game to them," said Thieman, Trend Micro's director of device security marketing. He added that for now, the number of smartphone users is not profitable for virus writers.
Some security experts view the potential mobile virus threat as being more fiction than fact.
"There is a lot of hype in the media about mobile viruses. Antivirus companies like to get consumers worried about the next threat wave," Tim De Luca-Smith, communications manager for Stockholm, Sweden-based mobile device management company SmartTrust, told TechNewsWorld. "Is there really a threat now? No, not within the next 18 months." SmartTrust provides security services to mobile operators.
Software companies that provide antivirus protection view virus threats aimed at mobile devices as the same as PC-based attacks. That logic, however, is not always valid. Writing viruses for mobile devices is not as easy as attacking desktop computers, Smith explained. For example, traditional antivirus products cannot be downloaded and installed on mobile devices to scan the device.
"Antivirus companies do not have the means to update definitions without the help of third-parties to reach the mobile users," Smith said. That function is provided by SmartTrust.
Threat Over-Hyped
Derek Ball, director of business development mobile solutions for Avocent, agrees with Smith that some aspects of the software industry might have a vested interest in ringing the alarm bell over mobile viruses. Avocent markets a suite of products for the security concerns of mobile devices.
"The threat of mobile viruses has been massively over-hyped by the media and the companies selling solutions to a problem that really doesn't exist yet," Ball told TechNewsWorld. "The mobile platform will not be the 'wild West' that the Internet-connected PC was for virus writers."
One reason the mobile virus threat might not reach crisis proportions, Ball explained, is that mobile operating system manufacturers and the carriers have a much tighter control over the environment. He said they are already implementing procedures such as certificate-based code signing to prevent the execution of malicious code on a mobile handset.
The focus of mobile phone vulnerability to virus infection lies in the type of phone used, according to some security experts. For instance, phones using GSM technology are much more at risk. So are cell phones running the Symbian operating system found in popular Nokia phones.
Feature Phones Less Risky
GSM phones are much more prevalent in Europe and Asia. By comparison, many more U.S. consumers carry phones typically known as feature-rich phones, Thieman said.
However, if industry analysts are correct, virus writers will not have long to wait for more attractive virus targets. Analysts predict that U.S. consumers will gravitate to the GSM technology as their carriers upgrade service and subscribers clamor for more sophisticated wireless features accessible via the Internet.
Trend Micro and Gartner Dataquest conclude that smartphones will become the fastest growing segment of the wireless space by 2008. Each new generation of phone brings with it more computing power and larger data storage capabilities and removable memory cards.
"Today's typical mobile device has the processing power of desktop computers five years ago," SmartTrust's Smith said. "The sophistication of the smart phone will open more points of access for viruses, especially through enhanced Internet access."
Mobile Landscape
If security experts preparing now for mobile virus threats are correct, some segments of mobile users are at greater risk now than others. According to data from Trend Micro and Gartner, the newest mobile technology poses the worst risk.
The Symbian operating system now has an 80.5 percent market share. Just as virus writers now focus on Microsoft's (Nasdaq: MSFT) Internet Explorer over less popular alternative browsers, mobile viruses already discovered in Europe and Asia have targeted Symbian devices.
Microsoft's Windows for Smart Phones operating system has a 9.7 percent market share. So predictions that the growing acceptance of these devices by consumers will place them at greater risk seem right on target.
The Palm Operating System, at 4.6 percent market share, poses much less virus risk. So do Linux-based devices, with a 4.4 percent market share.
Research In Motion (Nasdaq: RIMM) (RIM) devices have the lowest market share today, at 0.8 percent.
Mobile Virus Samplings
Most of the viruses targeting mobile devices to date have been proof of concept rather than fully developed attack code. The damage done includes screen defacing, application disabling, and in severe cases, complete shutdown of a phone requiring a factory reset.
Here is a summary of the most prominent mobile virus threats:
Cabir. Discovered June 20, 2004. Platform: Symbian Series 60. Replicates via Bluetooth.
This was the first mobile phone virus detected. Cabir infects mobile phones that are left in "discoverable" mode. If the user clicks yes, the Cabir worm will activate and show a dialog that contains the virus name, the author's initials and the group initial.
Win CE DUTS. Discovered July 17, 2004. Platform: Windows CE for Pocket PCs. Replicates via file sharing/e-mail.
The only sign of infection is a window that asks a user if the code is allowed to spread. DUTS code often includes a message derived from the science fiction book Permutation City by Greg Egan that reads, "This code arose from the dust of Permutation City."
Win CE BRADOR. Discovered Aug. 5, 2004. Platform: Windows CE for Pocket PCs. Replication is through manual installation.
When Brador has installed itself into the system, it will read the local host IP address and e-mail that to the virus author. After e-mailing the IP address, the backdoor opens a TCP port and starts listening for commands from it. The backdoor is capable of uploading and downloading files from PDAs, executing arbitrary commands and displaying messages to the PDA user.
Qdial. Discovered Aug. 12, 2004. Platform: Symbian Series 60. It replicates when users download what they think is the Mosquitoes game from the Internet or peer-to-peer file-sharing networks.
Qdial sends an SMS message to specific premium rate numbers and can charge affected users for the sent messages. Apparently, the affected numbers are from the United Kingdom, Germany, the Netherlands, and Switzerland regions only.
Skulls. Discovered Nov. 21, 2004. Platform: Symbian Series 60. Replicates via download from Symbian shareware sites.
Skulls pretends to be a visual theme for Nokia 7610 smartphones. Various versions of the Trojan turn application icons into a skull graphic and mismatch icon labels in order to disable all applications except voice calling. Later versions only placed a skull in the background of the phone's screen.
Velasco. Discovered Dec. 29, 2004. Platform: Symbian Series 60. Replicates via Bluetooth.
The velasco.sis file will not arrive automatically to the target device, so a user needs to answer yes to the transfer question while the infected device is still in range. When the Lasco.A worm is activated, it will start looking for other Bluetooth devices and starts sending infected velasco.sis files to the first device it finds. After the first target phone is out of range, Lasco.A will continue searching and infecting other phones. Keeping a phone's Bluetooth visibility setting in "hidden" will prevent infection.
Locknut (Gavno). Discovered Feb. 1, 2005. Platform: Symbian Series 60. Replicates via download from Symbian patch sites.
Locknut.B is another malicious .SIS file that pretends to be a patch for Symbian Series 60 mobile phones. It disables the phone so that it can only be disinfected with a special disinfection tool. When installed, Locknut.B crashes an important system component, preventing any program from being launched. It also copies Cabir.V to the phone, but since Locknut.B prevents it, too, from being launched, it causes no immediate harm. It was renamed from Gavno because that word is explicit in some Eastern European countries.
Comwar. Discovered March 7, 2005. Platform: Symbian Series 60. Replicates via Bluetooth.
ComWar is the first worm to use MMS messages in order to spread to other devices. MMS (Multimedia Message Service) is a method of transmitting multimedia files, such as graphics, text messages, video clips, etc., over wireless networks, using the WAP protocol. If it is run within the first hour of the 14th of any month, ComWar.A resets the cell phone.
Dampig. Discovered March 8, 2005. Platform: Symbian Series 60.
Dampig pretends to be a crack for version 3.2 of the FSCaller application. The Dampig trojan disables some system applications and third-party file managers and installs several variants of Cabir worm on the phone. This Trojan disables Bluetooth UI, system file manager, messaging applications and phone book on the infected hand-held. Also, Dampig will corrupt the uninstallation information in the system installer so that it cannot be uninstalled without being disinfected first.
What's Next?
U.S. mobile carriers control the mobile devices consumers can buy more closely than their foreign counterparts. This might slow down the vulnerabilities to mobile virus attacks, security experts said.
Carriers are also worried that consumers will hold them directly accountable for virus attacks since the carrier controls the equipment, analysts said.
So does this mean that there will not be attacks in some form on mobile devices used by U.S. consumers?
"Of course not. They are too juicy a target to pass up," Avocent's Ball said. "However, it is unlikely that the threat to mobile devices will come from traditional viruses or even the proof-of-concept viruses that have been circulated to date."