When we talk to customers about the future malware landscape, many often wonder when mobile device threats are going to arrive. They are surprised to learn that threats for mobile devices already exist, aren't just proof of concepts, and are actively spreading. Commwarrior, for example, infects Symbian Series 60 devices (for example, many Nokia smartphones) and has been reported worldwide. According to news reports, telephony companies have stated that Commwarrior has accounted for more than ten percent of all of their MMS traffic. Other telephony companies that Symantec has spoken to have specifically implemented filters to block Commwarrior at their gateways due to the amount of traffic it was generating.
While threats exist and are actively spreading, we are probably still years away from the situation we have with the Microsoft Windows operating system. We hope we can take a lesson from history and prevent such a situation, but some lessons seem to be hard to learn. Currently, many natural factors have limited a Windows-type scenario, including the lack of a homogeneous environment (not only is there a variety of existing operating systems and hardware, but there is a mixture of implementations.) Often malicious code writers don't own the devices to experiment with, and some device platforms are closed or limited to only digitally signed software. Those factors don't always apply to commercial companies, but more so to the hobbyist hackers who are creating viruses and Trojans. Software companies who are in the business of making money have more compelling motivations and the funding to overcome the hurdles that face a hobbyist hacker. For example, we have already seen spyware applications for mobile devices (e.g. Spyware.Flexispy) that can monitor activities on the mobile device and then send them to a remote server.
Just as worrying is the fact that the adware market is just beginning to take notice of mobile devices. Already some Bluetooth advertising schemes have been tested, where a bus stop is outfitted with a device that just spams out messages via Bluetooth. However, this method is only partially effective since the device owner generally must accept the message before the message is displayed. Thus, the next logical step is being taken. JCDecaux, a well known advertising company, (often for their billboard and bus stop advertising) has entered into an agreement with INRIA to license a technology that uses software installed on a mobile device that will automatically receive and display advertising that is transmitted via Bluetooth from street furniture. The software will run in the background and eliminate the need for the user to acknowledge the initial Bluetooth warning. In addition, the software will initially collect demographic information from the mobile device owner, potentially opening the door to user-targeted advertisements.
While the software has not yet been released to the public, according to news reports and published agreements the software is likely to fulfill Symantec's definition of adware.
So, while worms and Trojans already exist for the mobile platforms, spyware and adware applications are just now gaining a foothold in the mobile device space. Spyware and adware pose a potentially large security issue in the near future, as the companies that produce such applications are less affected by the natural limiting factors.