Mobile Device Threats on The Way

The lack of a catastrophic malware attack or data theft on mobile devices doesn’t mean today’s tools are safe. In fact, it’s likely just the calm before the storm, experts say.

That’s not a comforting thought to industry-watchers, considering how widespread mobile platforms have become among consumers and businesses. Worldwide mobile phone sales topped 1.15 billion last year, according to research firm IDC, while Gartner analysts have reported that smartphones are expected to outsell laptops this year.

IDC also forecasts an estimated 304 million smartphones in use by 2011 — trends that some say may be lulling IT buyers and the public into false sense of security.

“The platforms offer limited or no inherent security features or security features tailored to a specific activity, such as e-mail, even though they are evolving into general-purpose mobile computing platforms,” Mark Komisky, CEO of security vendor Bluefire, told

Two years ago, security firm F-Secure detected a worm that could move from a Symbian phone to a PC. The start of 2008 brought another Symbian phone threat: a worm that disguised itself as multimedia file (MMS) to deceive users into unknowingly installing its malicious software.

That virus, detected by security vendor Fortinet and labeled SymbOS/Beselo.A!worm, targeted several models of Symbian S60-enabled Nokia devices.

[cob:Pull_Quote]As one security expert noted, those types of attacks could be merely the beginning, as hackers and malcontents turn their attention to the growing number of mobile devices in the wild — many now housing personal and corporate data.

“As smartphones and other pocket PCs grow in popularity, hackers and cyber-criminals will naturally shift their attention to compromising them,” said Khoi Nguyen, group product manager in Symantec’s Mobile Security unit. “This becomes a problem when mobile device users access and store sensitive, confidential information on their phones.”

IT lax on smartphone security

Perhaps more disconcertingly, most businesses thus far have failed to think seriously about mobile device security — a fact that’s becoming a major liability, analysts said.

“These devices are increasingly storing financial and confidential information,” Many consumers are also using their smartphones for e-mail, mobile banking, and file downloads,” said Symantec’s Nguyen. “Cyber-criminals go where the money is. In the past, hackers were motivated by fame, trying to be noticed for their malware. As a result, these criminals continually look for ways to exploit weaknesses for financial gain.”

Industry observers said that few organizations track device use or network access, and rarely do IT staffs have even a process in place for contending with that most underappreciated of security threats: when devices go missing.

“The issue isn’t about viruses hopping around, as a device is a confined, low-risk environment,” Jack Gold, principal analyst at J.Gold Associates, told “The bigger issue is the loss or theft of data and the exposure that presents to companies. Very few have a grip on protecting the increasing amounts of data being housed on mobile devices.”

Continued from Page 1.

A recent study found 79 percent of mobile device users don’t use any sort of antivirus, data-protection or other security software on devices. An additional 15 percent said they were unsure whether their device had security software at all.

That’s precisely why enterprises should begin taking steps to treat today’s mobile devices as part of the overall computing environment, Gold said.

“These now have the power of the PC and should be treated like a corporate asset,” he said. “They should be included in the overall IT security plan.

“You have to find out what’s out there, the data that could be exposed,” he added. “Then at least have a way to lock them down or kill them remotely if they’re lost.”

The business also should have a comprehensive “safety net,” Komisky said — one net that provides protection for mobile messaging, Web, applications, device content and mobile privacy.

Another key component of implementing security involves educating users about safety practices and policies. That means getting users to treat mobile data messages and e-mail attachments with caution, Nyguen said.

“Users must develop the same critical thinking when using their mobile phones that has become second nature on their PCs,” he said. “As these viruses propagate, it will be increasingly important for users to use a discerning eye when receiving strange IM, e-mail, and other requests.”

He also said IT needs to do a better job educating employees about wireless network security weaknesses.

“Users need to develop an awareness when using a device’s Internet, Bluetooth or Wi-Fi functionality and bring the same scrutiny for their mobile devices that they have cultivated for their PCs,” he added.

According to Bluefire’s Komisky, most mobile device incidents in past years have targeted messaging and spread using Bluetooth.

The need for more advanced security becomes even more pressing as the mobile device capabilities continue to ramp, and as they become even more critical to businesses.

Komisky said he believes that in the near future, practically all handsets will have become fully mobile computers — requiring on-device security when used by enterprises.

“In the next five years, mobile security will have migrated to include virtually all mass-market devices as well, just like we have antivirus and firewall security software on virtually all our notebook and desktop computers today,” he said.

Komisky added that future mobile security threats are likely to come from new directions, thanks to the rise of mobile Web usage and increasing amounts of online content for handhelds.

“With more mobile multimedia downloads and applications like games, the shift [in attacks] is toward taking advantage of device functionality to remotely launch applications, redirect messages and steal information,” Komisky said.

“The storm is just about to happen.”

News Around the Web