Clock's ticking on phone virus outbreak, experts say

A large-scale virus outbreak targeting smart phones is unlikely to break out for another 18 months, security experts have predicted.

However, after that, even antivirus software is unlikely to help, Gartner analysts John Pescatore and John Girard wrote in a research paper published earlier this month. The paper looks at how enterprises should prepare for the growing threat from malicious software for mobile phones and PDAs. According to the authors, a fast-spreading phone virus or worm is unlikely to appear before the end of 2007.

"Despite this intense vendor- and media-driven speculation -- and several well-publicised hoaxes -- the necessary conditions required for viruses or worms to pose a real, rapidly spreading threat to more than 30 per cent of enterprise mobile devices will not converge until the end of 2007," Pescatore and Girard said.

Two main factors will create an environment that would encourage a virus to propagate, the Gartner analysts said. First, smart phones capable of being infected by malicious software will have to make up about one-third of the market. Second, users of those phones will have to regularly exchange executable files.

"Viruses and worms cannot infect large numbers of wireless devices until at least 30 per cent of users commonly receive emails with attachments," said Pescatore and Girard. "By the end of 2007, large-scale user-to-user sending of more-complex executables will be commonplace. Once smart phones account for 30 per cent of all wireless telephones in use -- likely no sooner than the end of 2007 -- rapidly spreading attacks will be much more likely."

Warren Chaisatien, research manager for Wireless & Mobility at IDC Australia, agrees that there is unlikely to be a major outbreak until the start of 2008.

"Today, the penetration of mobile devices with an operating system capable of being infected by a virus is still relatively small. It is not an immediate concern for CIOs and CTOs. The major concern for virus infection continues to be the PC," Chaisatien said.

'Ineffective' defences
However, the analysts have warned that once smart phones do reach a critical mass, administrators will have to look further than client-based antivirus software, which the Gartner analysts have described as "ineffective".

"Smart phone or PDA antivirus approaches that rely on device software will always fail to block the most damaging viruses," Pescatore and Girard said. "Desktop antivirus software became largely ineffective -- other than as a removal tool after infection occurred -- as soon as email surpassed floppies as the dominant transmission mechanism."

James Turner, a security analyst at Frost & Sullivan Australia, agreed that client-based reactive antivirus protection is unlikely to provide adequate protection.

"Signature-driven antivirus tools are great for hindsight, but we are at a turning point where signatures are not enough… Currently the attackers are testing their tools against the most popular antivirus products, which means the threat they release has effectively been certified against what we are running," said Turner, who believes protection should be provided on the network layer. "We need to place more emphasis on tools that detect anomalies in network traffic and behaviour."

This sentiment was echoed by all the analysts interviewed.

Gartner's Pescatore and Girard wrote: "The mobile world should not repeat the mistakes of the PC world. Malware protection services should be built into the network first, and device-side protection should be the last resort."

IDC's Chaisatien said that it would be ideal if a network was able to recognise and eliminate threats, but he thought the concept was still "futuristic".

"A more futuristic approach is where the intelligence lies in the network -- that would be ideal -- but I don't know how long it will take us to get there. Prevention at the network level will always be better and smarter than using solutions at the device level, but I think it is easier said than done," Chaisatien said.

Mikko Hypponen, director of antivirus research at Finnish security company F-Secure, which has developed an antivirus tool for mobile phones, said that although he does not expect to see a Slammer or Sasser-type virus attacking mobile phones for "a year or two", the attacks have already started.

"Commwarrior is spreading quite effectively via MMS (Multimedia Message Service) already. In fact, I just got a call this morning from the editor of a large Scandinavian IT publication; he got infected on his own phone last Thursday, at a press conference for a mobile phone company," Hypponen said.