Stemming the Mobile Malware Flood

By David Geer

In 2006, global sales of mobile telephones surpassed 1 billion units per year, according to Strategy Analytics, an international research firm based in the United Kingdom. This number is expected to rise to 1.1 billion units in 2007. The growth in this market means that cell phones are increasingly at risk as targets for mobile malware writers.

There are still many more threats to PCs than there are to mobile units. With advances in technology, however (smartphones, for instance), it is difficult to tell the difference between a PC and a mobile phone, says Johannes B. Ullrich, chief technology officer of SANS, one of the largest sources of information security training and certification in the world. Both malware devised for PCs and malware devised for phones can impact mobile devices, which increases the risk of infection as the numbers of phones and threats multiply.

Phone-specific threats alone, however, can also be quite severe. A recently discovered threat dubbed "snoopware" remotely activates the microphone on mobile phones. According to Ullrich, this malware allows attackers to eavesdrop at any time, regardless of whether or not the phone is actually in use. In addition, this particular threat provides access to the calendar stored on most of these devices, which allows an attacker to choose key conversations and meetings to listen in on.

With persistent growth in this market, the size of the target (and the number and severity of threats) will undoubtedly continue to increase. Here are five tips to foil the coming malware flood before it arrives:

1. Address Bluetooth

Viruses follow the path of least resistance. In the mobile market, the path flows directly from phone to phone via Bluetooth. Bluetooth connections, however, can be managed or turned off.

Many people use Bluetooth headsets. In this case, the option of a white list should be utilized. Employees using a Bluetooth headset should put it on a white list so the device will not broadcast its presence.

"Like any wireless network, you are not controlling the medium and you will not be able to restrict access attempts from random users. In particular, make sure your Bluetooth device will not 'pair' with random devices and customize the Bluetooth PIN," says Ullrich, noting that many devices (headsets in particular) will not allow custom PINs.

2. Use antivirus software such as Symantec Mobile Security for Symbian or Mobile Anti-Virus for Windows Mobile

3. Add a mobile firewall for dual-mode phones (the ones that use WiFi as well as cellular; Mobile Security for Symbian comes with a firewall).

4. Educate the end-user

Today's mobile phones are more computer than phone. But people see them the way they do landlines: (a) they always work, (b) they can't hurt anyone, and (c) everyone who calls must be a friend.

Many viruses repeatedly ping the phone until the user either turns off the device or accepts the call. Most people just get frustrated and hit the OK button. Instead, they should be careful to not accept anything from anyone they don't know, just as with email. "It's just like for any malware: Don't click," says Ullrich.

Most examples of mobile malware require some user interaction to install on the phone. Over the course of time, notes Ullrich, it's likely that threats will be developed that do not require user interaction. "In these cases, we depend on the end user (or additional software like malware detection) to recognize the problem."

5. Mitigate the high risk of mobile phone loss

The probability of losing these devices is too high to ignore. Ullrich contends that it's already creating a security issue, in particular with phones that store addresses, documents, or email. "Many PDA/phones can store spreadsheets and text documents. Some of them may be confidential. In many cases, the address list itself is considered confidential."

With its April release, the Symantec Windows Mobile security offering will include a file activity log and a remote wipe and kill feature. Enterprises can mitigate phone loss by scrambling the data remotely with wipe and kill after retrieving the file activity log. The log can be used to determine whether files were accessed, pulled from the phone, deleted, or copied to another device.



©1995 - 2007 Symantec Corporation