Jan 25, 2005 (10:01 AM EST)
Mobile Viruses Just Getting Started

Read the Original Article at InformationWeek

While viruses that attack phones are few and far between now, when they get traction -- and they will -- the lousy state of security in smart phones means trouble for users and providers, an analyst said Tuesday.

Most of the mobile malicious code that's popped up so far -- such as Cabir, a worm that's spread to several countries via Bluetooth-enabled phones -- isn't dangerous or destructive, said Brian Pellegrini, a wireless analyst with ABI Research.

The sorry state of malicious code directed toward mobile devices, said Pellegrini, is due to the small base of smart phone users. "First of all, there's not a lot of out there [using smart phones] to be infected or start complaining about viruses," he said. "And because the numbers are small, phone are just starting to be noticed by virus writers."

That will change, Pellegrini contended, as the numbers of smart phones balloons. "Smart phone use has grown by leaps and bounds," he said, noting that the numbers doubled from 2003 to 2004, and growth is expected to continue through the decade.

Down the road, then, today's complacency could haunt of users and mobile service providers.

"It wouldn't be that tough to create a virus that would buy a thousand ring tones," said Pellegrini. "If something like that hit just Verizon, and every one of its 42 million users were charged $10 extra, think how much that would cost Verizon. Think what a nightmare that would be to clear up."

A virus or worm could easily wreak that kind of havoc, said Pellegrini, since cell phone purchases like this are billed through the user's account, with no additional authorization necessary.

"On the PC, someone was smart enough to demand that users enter their credit card numbers manually [when they purchase online]," said Pellegrini. "Not the case with phones. Mobile will need much more stringent security, and soon."

What will fuel the surge in mobile attacks, Pellegrini said, is the increased use of a standardized operating system by multiple phone makers and a growing population of hackers able to program for smart phones. The first, he said, "will make it really easy for virus writers to target phones," while the second can be jump-started in the same way it has been for PC hackers: releasing source code or automated tools that even the lamest attacker can figure out.

When the source code for Cabir was released, for instance, security experts immediately noted variations that spread faster and easier.

Some security firms have launched anti-virus products for mobile devices, and the mobile infrastructure has an advantage over the Internet in that the few large mobile providers "guard their networks religiously," according to Pellegrini. "They'll provide an extra layer of protection that most Internet service providers still don't offer."

Within the next year or two, Pellegrini expects that buyers will be factoring in the security of phones' operating systems when they make their purchase.

And when that happens, they may be taking a good look at Microsoft's mobile operating systems. In a turnabout from the PC world, where Microsoft's Windows lays claim to the lion's share of the desktop, in the mobile world Microsoft is a very poor second.

"Symbian owns about 85 percent of the market," said Pellegrini, "and so it's the current target of most mobile viruses, and will continue to be. It's a target of opportunity kind of thing," he said, adding that no matter what the platform, virus writers create to get the biggest bang for their hacker buck, which means writing for the dominant operating system.

"They're ready to put aside bad feeling for Microsoft if it means they're able to reach a bigger group of users," he said.