The viruses that can stop mobiles in their tracks

As hackers shift their focus to infiltrating smartphones, Stephen Pritchard sees how the industry is facing up to the threat
Click to follow
The Independent Online

It the World Athletics Championships in Helsinki this year, athletes and spectators were invited to download an application that would show event results on their mobiles. But a hacker exploited a security loophole in smartphones to deliver a virus over the Bluetooth radio network. So many people were infected that the authorities had to set up a special booth to remove the virus from their handsets.

Telecoms companies and business users alike are waking up to a new threat. The security industry had been sceptical about mobile viruses; although a number of researchers had demonstrated they were possible, only a handful of smartphone users had been affected until recently. That is starting to change.

Risto Siilasmaa, the chief executive of F-Secure, a Finnish computer security company, says the threat to mobile phones is growing more rapidly than PC viruses did in the 1990s. At the EU-backed ISSE (Information Security Solutions Europe) conference in Budapest earlier this month, he outlined the scale of the problem: "Mobile viruses have been found in 30 countries. Operators have had to block multimedia messaging traffic, and 3.5 per cent of MMS traffic is already 'malware' [programs designed to cause harm]."

Although smartphones - mobile handsets that run the Microsoft, Linux, Symbian or Palm operating systems - account for just 5 per cent of the worldwide mobile market, that is still a huge number of users when you consider there are two billion handsets in use.

And the people who buy smartphones tend to be the very ones who rely heavily on them for communications and are likely to send and store sensitive information. This includes technophiles, self-employed professionals, corporate executives and government officials.

Mr Siilasmaa points out that 55 mobile viruses are known - a tiny number set against the 145,000 or so recorded viruses, Trojans and other malware that affect PC users. But a year ago there were no recorded mobile viruses outside the labs. The PC versions, he adds, did not spread that quickly.

Some observers dismiss the threat, suggesting that some anti-virus and security companies are snake-oil merchants. Even computer security firms are divided on the scale of the problem.

John Thompson, the chief executive of Symantec, the world market leader in anti-virus technology, is cautious. The spread of malware on portable devices is inhibited by the plethora of incompatible operating systems, he explains. One reason so many people, amateur hackers and hardened criminals alike, target Windows PCs is their sheer ubiquity.

"We see more than 100 new PC viruses a week," says Mr Thompson. "I can't get excited by 55 mobile viruses. We have software that runs on Symbian and [Microsoft] PocketPC and Palm, but 55 viruses does not make for an economic motive [to distribute that software] yet."

Mr Thompson points out that most mobile viruses, such as the outbreak in Helsinki, spread using short-range Bluetooth radio connections. This makes large groups of people in small spaces - sporting venues, conferences or concerts - the most vulnerable. Symantec is confident it has the software to block these peer-to-peer viruses.

More worrying are the ones that spread via the mobile networks themselves. Although anti-virus researchers have witnessed few of these, Mr Thompson highlights a concern. "Who is most hurt when a device such as a mobile phone is down?" he asks. "It is the mobile operator, as the network is not clicking up minutes."

The operators are aware of this. As the percentage of smartphones they sell rises, and more run on standardised operating systems, the risk to revenues from a virus outbreak increases.

Last week, T-Mobile unveiled its new strategy for internet access on the move. Its "Web and Walk" package allows any subscriber to add internet services to their smartphone for just £9.99 a month. This includes enough data to download around 2,500 web pages.

Such innovations can only boost mobile internet use, but they also add to the risk. Cyber criminals are adept at using so-called social engineering techniques to persuade people to click on spam emails and go to websites that ask for personal details. Criminal gangs can sell that information on or use it to commit identity theft.

Plenty of tools are available to large companies and home internet users to protect themselves against such threats. But it is by no means clear that mobile internet users will take the same precautions with what is a personal and familiar device.

T-Mobile is working on a range of technologies to detect viruses and other malware within its network, and it is looking at whether it should make anti-virus software available as a download for mobile internet users. The company has also developed technology that allows it to update the internal software in smartphones automatically, over the airwaves, should a vulnerability come to light.

Other mobile networks are also reviewing their anti-virus measures.

Industry analysts say both smartphone makers and network operators have a window of opportunity to prevent the growth of malware before it becomes a problem on a similar scale to that afflicting the PC world.

"Although there are a lot of data-enabled phones out there, it is still only a small number of people who are using data on their mobiles," says Elaine Axby, of the analysis firm Quocirca. "In the enterprise environments, there are a lot of pilots, and senior managers have devices such as the Blackberry. But we are not yet at the tipping point where there is a mass of devices out there."

The threat, though, is being taken seriously by the European Union. Earlier this year, it created the European Network and Information Security Agency - based, strangely, in Heraklion, Crete - to raise awareness among individuals, companies and governments of cyber security threats.

The agency is carrying out an EU-wide risk assessment that will be published in 2006. But converging technologies such as mobile devices, home entertainment and internet telephony will all come under scrutiny.

In the meantime, the onus is on technology users to protect themselves. Anti-virus software for a smartphone might not be perfect but it is relatively cheap, at around £25 for an annual subscription. And just as on the fixed internet, avoiding the seedier parts of the web is common sense.

As for peer-to-peer Bluetooth viruses, concert goers, conference delegates and sports fans should heed the advice of Elsa Lion from technology consultancy Ovum. "It is fairly easy to stop Bluetooth-based malware," she says. "Just turn off the Bluetooth radio in your phone."