It's the night of the Big Game. You've just concluded a business meeting in a strange part of town, and you stop into a sports bar for a drink and a chance to catch some of the action. Five minutes turns into 10 into 20, and suddenly you realize you're very late for your call home. You reach into your pocket and pull out your Bluetooth-enabled smart phone, but you can't dial out. A message across the display says that someone from a Panasonic phone wants to send you a message--yes or no? You look around and quickly realize that you probably don't know anyone at the sports bar, so you thumb no. The message returns. And the message keeps returning. Do you know what to do next? Do you even suspect or realize that your mobile device is about to be infected with one of about 150 known mobile-device viruses?
Mobile viruses are rare in the United States
At this week's RSA Conference in San Jose, California, I sat down with Mikko Hypponen, director of antivirus research for F-Secure, to talk about mobile-device viruses. F-Secure just happens to be based two miles down the road from Nokia's Finnish headquarters, and it's not too surprising that Nokia S60 third-edition phones--Nokia N71, Nokia E60, Nokia E61 and Nokia E70--will soon come preinstalled with F-Secure Mobile Anti-Virus. But Hypponen has been on a private crusade for about two years now, chronicling on the F-Secure blog site the rise in mobile-device viruses. He's been tracking the spread of Cabir, a virus that has used Bluetooth to infect users in some 30 countries worldwide, including the United States. So why aren't mobile viruses well known in this country?
In order for there to be mobile viruses, there must be a dominant operating system. After years of proprietary, and therefore diverse, operating systems, smart-phone manufacturers have begun adopting Symbian 8 as their platform of choice. Hypponen estimates that Symbian has about 70 percent of the world market for all phones, and Microsoft Windows Mobile about 10 percent, while the rest is a combination of lesser-used platforms (such as Palm OS). "But in the United States, Symbian is only about 10 percent of the market." Thus, we haven't seen or been affected by mobile-device viruses, as Europe and Southeast Asia have.
More than once during the RSA Conference, I heard how smart phones will soon replace our laptop or desktop PCs, if not our credit cards and personal keyrings. With this in mind, the idea that a virus could cripple your smart phone starts to take on much more meaning than just not being able to make a personal phone call; a mobile-device virus could one day steal your identity or lock you out of your house. Here's what F-Secure's research has found.
Mobile devices can get infected in four known ways, with Bluetooth the most pernicious. You'd think that after years of e-mail-based computer viruses, people would know how not to infect themselves with a virus--that they shouldn't, for example, open an attachment sent by a stranger. But in the opening scenario, the new message prompt keeps coming and you absolutely, positively have to make that phone call home now, so, out of frustration, you submit and thumb yes. The messages stop coming, and you make your phone call, but your smart phone has been infected, and it's broadcasting out to whatever Bluetooth-enabled devices are in your immediate vicinity.
What should you have done instead? Just walked away.
Hypponen points out that Bluetooth has a limited range. Once you leave that range, you stop getting the new message prompt, and you'll be free to make your call. Most people don't realize this. The most common response when Hypponen's company asks, "How did you get infected?" is that victims answered yes so that they could make a call. And like a human virus, once someone's mobile device becomes infected, it's likely to pass that infection to another, then another. Hypponen says F-Secure has documented a Finnish businessman who returned from a business trip to India and proceeded to walk around his town with the Cabir virus broadcasting itself to whatever Bluetooth-enabled devices it could find. Soon, Cabir began to show up in other European countries. Europe and Southeast Asia still have the largest concentration of Cabir infections in the world.
Hypponen demonstrated a second way a mobile device can become infected. He produced from his pocket a memory card preinfected with the Skulls Trojan, another mobile-device virus. Since the Trojan doesn't propagate via conventional means (Bluetooth or e-mail), there was no danger to other mobile devices in the immediate vicinity--so long as we didn't give any of them our infected memory card. But within 10 seconds of his inserting the infected memory card, his mobile smart phone was infected; tiny skulls began replacing icons on the desktop screen. "The memory card circumvents the built-in security," he said. If people start sharing memory cards to swap photos and music on their phones, we could start to see viruses spreading much faster in the mobile universe. This method might also install a Bluetooth virus.
MMS viruses and downloads
A third way for a mobile device to get infected is via a Multimedia Message Service (MMS) virus such as Commwarrior. With MMS, you don't have to be in the vicinity of another mobile device; an infected mobile device can send an MMS message to anyone in the world. So, using the phone books of infected mobile devices, Commwarrior has traveled the world--again, using smart phones based on the Symbian OS. But here, the phone service provider can filter out infected MMS messages, and many have done so. Thus, Commwarrior hasn't proven to be a major threat to mobile devices.
Finally, the fourth method of mobile-device virus propagation is to embed the infection within a download--a common practice with PC-based viruses and spyware. Here, you can imagine people downloading a custom ring tone or a new mobile-device game only to find their smart phone disabled.
Protection is coming
Like F-Secure, McAfee and Symantec also have mobile antivirus apps on the market. All three antivirus vendors have partnered with Nokia and other smart-phone manufacturers around the world to provide preinstalled protection. Hypponen expects all mobile devices to have some form of antivirus protection in the very near future--whether that will take the form of antivirus-OS partnership, antivirus-manufacturer partnership, or end-user choice of antivirus app is unclear.
Mobile-device viruses are not currently linked with organized crime because there's no financial incentive. Yet. Once people start online banking using their mobile devices or using mobile devices as debit cards or the authentication method of choice, you can expect that to change.
Would you consider buying a smart phone with antivirus protection installed over one without it? Talk back to me.