Security giant McAfee says 2006 may be the year that malicious software takes off on increasingly connected and unprotected smartphones.
The security software vendor warned of an alarming growth in mobile Trojans and other malware, which are likely to impact mobile phones on a global basis and cause more damage because the devices generally lack the anti-virus and other defenses that stem PC attacks.
However, other experts downplayed the risk, pointing to less value in targeting mobile devices and indicating the damage to smartphones from such attacks is typically limited to draining down the battery.
“That’s the number one impact of these things so far,” VeriSign iDefense senior engineer Ken Dunham told TechNewsWorld.
Still, McAfee called the growing mobile threat “a serious cause for concern” in its 2006 Threat Forecast, indicating the increased connectivity of smartphones will lead to a quick transition of attacks from PCs to the converged devices.
The company predicted that the damage caused by new mobile threats will be more extensive because of the large number of smartphones, only a small percentage of which are protected by mobile security software.
“For example, in 2004, the ‘I Love You’ virus penetrated tens of millions of PCs in just a couple of hours despite the fact that half of all PCs had Internet security software installed,” McAfee said in a statement. “By comparison, a mobile threat targeting several operating systems could infect up to 200 million connected smartphones simultaneously because the majority of these devices do not currently have mobile security protection installed.”
McAfee reported that since the inception of malware, the mobile variety had grown almost 10 times faster than PC malware over a comparable period of one year.
Dunham said there had been an increase in the number of mobile malware threats, but he added the information and resources of PCs made them a more attractive target for attackers.
“It’s really been lower level and long overdue for what people expected a few years ago,” he said of mobile threats.
Dunham said that while there is more malicious source code and discussion of mobile attacks among the “underground” of attackers, their focus is still primarily attacking PCs and using malicious code to profit.
“It’s out there and you can find it, but it is a small subject compared to everything out there that you can learn about,” he said.
Dunham did say, however, that a fully automated worm that targeted Symbian or another widely used mobile platform and required no user action to attack would be cause for concern.
“If that takes place, you’re going to see a significant and noticeable attack take place,” he said.
Still, Dunham described the mobile threats as being “script-kiddie” class, meaning that perpetrators are more focused on proof-of-concept and reputation, as opposed to profit from identity and information theft on the PC platform.
“I don’t expect to see a massive explosion [of mobile attacks] in 2006, but I do expect it to keep increasing,” he said.
Getting a Grip
DataComm President Ira Brodsky told TechNewsWorld that mobile phone systems and networks are more closed than the Internet, making attacks on such platforms more difficult.
“I think the industry does have more control and there’s no reason not to try to maintain that control,” he said.
Brodsky added that while mobile Internet browsers and ringtone downloads do represent a degree of risk, mobile operators also control that aspect of mobile devices.
“I think the cellphone industry doesn’t have to play by the same rules as the Internet,” he said.