Though mobile malware has been circulating for more than three years, Mikko Hypponen has seen no evidence of phones being targeted for the type of profit-motivated attacks PC users have suffered at the hands of botnets, rootkits and self-spreading worms. But believes more sophisticated mobile phone attacks are coming, with the bad guys emboldened by the current craze over Apple's iPhone.
As director of antivirus research for Helsinki-based F-Secure Corp., Hypponen has been a leading voice on the dangers of mobile malware, repeatedly warning IT professionals to prepare for attacks where phone infections could be passed to company networks. He repeated those warnings Thursday at the Usenix Security Symposium in Boston, predicting that attackers will be inspired by the iPhone's popularity.
"The iPhone has really put the concept of smart phones on the table, especially in the United States," he said in an interview with SearchSecurity.com. "The amount of hype around the iPhone is pretty unbelievable, so it's a given that people will continue to play around with it and find ways around the security features of the phone. It's quite likely that we'll see iPhone malware sooner or later."
The security of the iPhone has been the topic of much debate in the information security community, and late last month a group of security researchers unveiled a couple of simple ways to take complete control of the iPhone. The results were the first real success researchers have had in trying to find ways to exploit the new device, which lacks many of the common user interfaces and inputs that hackers rely on for successful attacks.
Hypponen is among the legions of experts picking the phone apart in search of weaknesses. One of his more encouraging observations is that it'll probably be very difficult, if not impossible, to create iPhone malware that could be spread to other smart phones.
"It's probably unlikely because iPhone is such a closed device that runs its own operating system," he said. "We've seen a little over 370 different examples of malware running on smart phone platforms. Almost all of them target Symbian-based phones, because Symbian is by far the market leader, with over half the smart phones in the world running that operating system. Bluetooth is the most common vector of how malware jumps from one device to the other."
But while iPhone has Bluetooth, he said, the Bluetooth chip can't be used on the device for file transmissions. If there were self-spreading malware on iPhones, it would probably be spread by email, Hypponen said.
Even if one takes the iPhone out of the equation, he said it's only a matter of time before attackers launch more sophisticated attacks against smart phones in general. While there are currently no signs of botnets using mobile phones, for example, he said the threat might grow in the future because mobile phone processing power and mobile network connection speeds are growing. "I could see mobile phone botnets being used to send email spam or text messaging spam to other phones," he said.
Hypponen noted that there are about 3 billion mobile phones in circulation around the world, with tens of thousands of mobile malware infections reported thus far. The Cabir and Commwarrior malware is now afflicting phones in more than 30 countries.
"Cabir was the first, appearing in June 2004, and it's still spreading," he said.
In recent interviews, when asked how mobile malware could spread to desktops and corporate networks, he pointed to malware called SymbOS.Cardtrap as an example. It installs Windows malware on the infected phone's memory card and tries to fool users into investigating the phone problems with a PC and a memory card reader, making it possible for Windows malware to spread. Mobile devices provide a wider variety of communication methods than traditional PCs, and this could mean new ways to spread malware, he said.
To guard against mobile malware, he has recommended IT professionals use common sense and install security software both for their PCs as well as to their smart phones. He also warns against accepting or installing software from untrusted sources, or swapping memory cards between phones."