Tech news articles are rife with tales of mobile device viruses and other threats, and antivirus companies are rushing to market protective software. Is all the hoopla justified? Do you need to worry about a virus destroying your mobile phone or stealing your data?

As with so many aspects of technology, the answers are No and Yes. Many mobile phone viruses are now "proof of concept," meaning their makers created them, not with malicious intent, but rather to prove they were possible. Nevertheless, some mobile phone viruses have escaped into the wild, and experts warn that mobile phones, particularly the new generation of smartphones, may increasingly become prime targets.

Where, When & How?

To launch any successful, malicious attack, the invader must have a method of delivery. Voice communications that do not carry data are impervious to attack. However, now that the same radio waves carrying your mobile phone calls also can carry data, such as multimedia and email messages, the floodgates have theoretically been opened.

Additionally, thanks to the complexity and vulnerability of today’s smartphones, which have PC-like features including the ability to accept Internet downloads and run programs, mobile phones have become more viable marks. The first mobile phone threat, Cabir, emerged as a proof-of-concept release in July 2004. Virus makers posted the code on the Internet in late 2004, and it popped up in the wild in February 2005 on two Nokia 6600s at a California mobile phone store.

Initially compatible only with the Series 60 Symbian OS used by Nokia, Sony Ericsson, and others, Cabir is now capable of attacking phones running the Windows Mobile and NTT DocoMo OSes, as well. After installation, the viral worm drains your phone’s batteries and sends itself to vulnerable phones in range. Some variants also delete files from your phone and make expensive phone calls.

Since the release of Cabir, antivirus software companies have identified more than two dozen types of malware (malicious, destructive programs) that target mobile devices. Many of these are Trojan horses (programs that appear to be benign but have malicious intent). Threats include the deadly Skulls.B Trojan horse, which disables every function on your cell phone other than the ability to dial out.

Where’s The Threat?

So why aren’t everyone’s mobile phones under attack? Currently, fewer than 10% of mobile phones in use in the United States are smartphones, so infections are equally rare. Even if you are using a smartphone, you must accept delivery of malicious files or purposefully disable the feature that prompts you to accept or decline an incoming file.

Nevertheless, if you access the Internet or receive MMS (Multimedia Messaging Service) or email messages containing attachments, you could unwittingly accept malicious files. Already some infected MMS messages come with text that suggests they are from a trusted, official source.

Additionally, two data exchange technologies, Bluetooth and IrDA (Infrared Data Association) enable mobile phones to exchange data automatically. IrDA is of little concern because it only works in direct line of site and at a range of a few feet. Bluetooth works at distances of approximately 30 feet and is not impeded by walls, jackets, or briefcase covers. If you leave your Bluetooth device set so other devices can discover it, you could easily pick up a virus from a nearby phone at a coffee shop or other public location. (For more on establishing secure Bluetooth settings, see “Bluetooth” on page 40.)

Currently, no mobile phone OSes incorporate built-in firewalls, so once inside, a malicious mobile phone invader could wreak serious havoc. Researchers foresee PC-like worms that will generate messages based on information in your phone and then send themselves to everyone on your contact list. Another concern, already reported in Europe and Japan, is the takeover of mobile phones for use as robots in attacks on other phones or Internet servers.

Time For Protection?

Fortunately, if you have a traditional mobile phone, you have little to worry about. “These guys attack the dominant OSes that are open--on which you can install applications--as well as the ones that are Internet connected,” says Todd Thiemann, Director of Device Security and Marketing at Trend Micro (www.trendmicro.com). Consequently, if you have a smartphone (especially one that is Symbian based) with sensitive data on it, installing protection is the most cautious approach.

Trend Micro currently offers free antivirus products for Symbian and Windows Mobile platforms. Additionally, companies such as F-Secure (www.f-secure.com), Kaspersky Lab (www.kaspersky.com), and Symantec (www.symantec.com) offer antivirus solutions for certain Symbian phones.

Each of these products works like traditional antivirus software, scanning incoming and existing files for recognized patterns. Antivirus software installs on your mobile phone just like other mobile applications; you can usually browse to the company’s Web site and download the software directly. In most cases you can also download the application to your PC and then sync with your mobile device to upload the software. Most phones will initiate the installation process after a download completes or as soon as you open the file. (Refer to your phone’s users manual for specific instructions.)

An Uncertain Future

To date, malware distribution has been so sparse that the chance of a smartphone picking anything up is remote, even for careless users. Nevertheless, the situation will likely change as smartphone sales skyrocket. (Sales were up 82% in Q1 2005 over Q1 2004, according to Canalys.com [www.canalys.com].) “The threat is driven by the rapid growth in smartphone sales and by the OS monoculture,” says Thiemann. “Virus writers go after the numbers--the platforms that are most prevalent in the marketplace. With only the Symbian OS [approximately 80% market share] and Windows Mobile [approximately 10% market share and growing] to focus on, virus writers can do a lot of damage with little effort.”

by Jennifer Farewell

View the graphics that accompany this article. (NOTE: These pages are PDF (Portable Document Format) files. You will need Adobe Acrobat to view these pages. Download Adobe Acrobat Reader)

Protect Thyself Given the high level of user involvement required for infection, your basic line of defense is to establish meaningful safeguards. Set Bluetooth and IrDA (Infrared Data Association) to Off in public places and don’t enable features that permit automatic downloads. Do not accept or download any file, not even a ring tone, unless you can verify the source. Be wary of MMS (Multimedia Messaging Service) and email messages containing attachments, although text messages are safe. Additionally, take a cautious approach to Internet usage. European and Japanese users have reported instances of mobile phone phishing (where crooks trick users into revealing confidential information by directing them to a fake, but authentic-looking, Web site). Be resolute. Many users whose smartphones became infected with Skulls reported that they repeatedly answered No to the prompt regarding an incoming message but finally clicked Yes when the prompt would not go away. The payoff for their decision was a worthless phone.