By the time you read this, there could very well be 200 mobile viruses in the wild waiting to latch onto your company's
devices and wreak some major havoc.
As of yesterday, the number of mobile-specific viruses teetered at 199 -- and that figure is low, according to some -- but mobile virus expert and F-Secure Chief Research Officer Mikko Hypponen said it could reach 200 or more in a matter of days, minutes or seconds.
"We're still at the very beginning," cautioned Hypponen, who is essentially the antivirus guru at F-Secure, a security software vendor based in Helsinki, Finland.
Hypponen compared the mobile virus arena today to that of viruses in the PC world in the 1980s. He said that right now mobile viruses are where PC viruses were in 1988. Comparatively, there are now roughly 165,000 identified PC-based viruses.
"If we [had] done some things differently … who knows what would've happened," he said, noting that mobile viruses could reach the prevalence of PC viruses within a few years.
But Jack Gold, of J.Gold Associates, a research and advisory firm based in Northborough, Mass., said the threat of mobile viruses isn't necessarily based on the number of them in the wild. Like a bad strain of the flu, the severity of a mobile virus depends on how vicious it is and how fast it can spread.
"The issue, though, is not how many, it's how mobile are they," Gold said. "To date, it's been very difficult to spread viruses to mobile devices."
But that is all about to change.
Mobile viruses attack smartphones because they have features similar to those of PCs. Users can download from the Web, open e-mails, and access other files that may carry a virus. Certain viruses can spread to a contact list stored in a phone, unbeknownst to the user. As the number of smartphones in use continues to grow and more applications such as mobile e-mail and the Web are made available, mobile viruses could become a problem.
"All of this starts to look more like a PC environment," Gold said.
Craig Mathias, principal at Ashland, Mass.-based Farpoint Group, said the obvious growth in the number of mobile viruses is enough to give mobile managers pause.
"We can assume this is going to become a bigger problem over time," he said. "It's unfortunate, but true. And the more intelligence you put into the local device, the greater the risk for someone to get malicious code onto it."
Mobile viruses have the potential to produce effects similar to those of their PC counterparts. Some can make devices unusable or unable to boot up and can wipe out their memory. Bluetooth viruses can spread from device to device within a short range, and other viruses, considered nuisances by many experts, can turn icons into skulls or manipulate photographs and images.
What's most frightening about mobile devices, according to Vincent Weafer, director of Symantec's security response team, is that once a device is infected, the virus can spread globally within seconds. Some can hop among mobile platforms, such as Symbian, Windows Mobile, and J2ME. There have been no reports of viruses infecting a device running BlackBerry, Hypponen said.
Although most of the viruses in the mobile wild are considered nuisances, Weafer said, getting rid of them or cleaning them off a smartphone is still a manual process that can consume a lot of time and money.
But there are ways for enterprises to secure their deployed base of devices in order to ensure that viruses don't infect smartphones at the rate that was seen with PCs.
F-Secure, for example, offers several device-based mobile antivirus products. Symantec, another major player in the antivirus space, also has mobile-ready solutions to thwart attacks.
"It's still a tiny drop in the ocean, but it's growing at an exponential rate," Weafer said, adding that between 2004 and 2005 there was a 230% increase in the number of variants of mobile threats.
According to Paul Miller, a mobile and wireless director with Symantec, roughly 80% of companies are using smartphones in some capacity. Of those, three out of four are not protecting the devices and only one in 10 has a comprehensive device-based solution.
One hurdle enterprises face when trying to secure devices, Miller said, is the growth of "prosumers," -- employees who purchase their own devices to use for business without first notifying mobile managers or others in the company.
Daniel Taylor, managing director of the Mobile Enterprise Alliance, agreed.
"One of the big issues is that for mobile devices, especially user-provisioned mobile devices, security is one of the last things users worry about," he said. And after purchasing the device, users often want the IT department to sync it into the network with little to no protection.
To avoid such trouble, Taylor recommends that enterprises start setting device policies and roll out a form of network access control that looks into devices and denies them network access if they are not up to date with the latest antivirus software. Such a solution can quarantine devices and push out the latest antivirus updates or move them to a DMZ where they can't infect the network.
"Many companies do not have these policies in place for smartphones," Taylor said. "The mobile antivirus policy has to be the same as that of a laptop or a PC."
Enforcing mobile policies can eliminate most of the risk involved when employees start using purchased devices on the network, Taylor said, but a clear policy is essential.
"The choice for the enterprises is either to say, 'We don't support this device,' or to deploy a mobile management platform that can handle most devices," he said. "If you're an IT manager, do you want to be the one telling the employee who just went out and spent $500 on a device that you don't support it?"
Avi Greengart, principal analyst with Current Analysis, said, however, that some of the talk of smartphone viruses is "fear mongering" by PC antivirus software makers looking to expand their market into mobile. Greengart said that what was of most concern about IT having little or no knowledge of users' devices is the threat of loss or theft of data. Worrying about viruses should be secondary, he said.
"Far more dangerous -- at least in the short term -- are more basic security problems with mobile devices," Greengart said. "A smartphone is easily lost or stolen and often contains proprietary e-mail and contact information. Data loss of this kind is publicized mostly when it happens to Paris Hilton, but it can be just as damaging to a corporation."
Still, Greengart said, enterprises do need device-level protection to cover not only loss and theft but viruses as well, just in case.
"Since many mobile devices are purchased by individual users, not the IT department, most corporations don't even know how big their problem is and have no way of limiting the damage," he said. "Longer term, as mobile devices are built on more robust operating systems and enjoy constant connectivity, they can become attractive targets for virus writers."
Mobile management platforms and antivirus updates could be just the thing to keep mobile viruses in check, but – according to Mikko Hypponen -- tackling mobile viruses can often be a struggle because they can come in through four separate vectors: Bluetooth, Multimedia Messaging Service, Web downloads, and through the swapping of memory cards. So far, he said, there are no known viruses that propagated through mobile e-mail.
"Surprisingly, we haven't yet seen a single mobile phone virus which has actually tried to spread through e-mail," he said.
Hypponen said that although smartphones are the sole target of mobile virus attacks, not all are at risk just yet. Most mobile viruses, he said, attack devices running the Symbian operating system because Symbian holds about 70% of the world market. He said he knows of three viruses that have attacked Windows Mobile but no instance of a Linux or BlackBerry-based machine falling victim.
Though there have been no major, widespread outbreaks, now is the time for enterprises to be proactive, Jack Gold said. He suggested that sometime over the next six to 12 months, a major outbreak could happen, and enterprises need to be ready.
"Don't wait until you get bit on the butt," he said. "Do it beforehand. You want to be protected now."
Gold said most PC antivirus vendors offer similar products for smartphones, and since most companies have antivirus running on PCs, adding it into the mobile arena shouldn't be too difficult or costly.
Hypponen warned that although smartphone viruses are still at the baby stage, it's never too soon to deploy some kind of protection.
"We've just seen the beginning," he said. "Things could easily get much, much worse. And if that happens, it's going to be too late for IT to do anything about it."