Mobile malware’s mythical status is coming to an end and organisations now need to take this attack vector seriously. NME looks at the latest in the world of smartphone security.
The threat of the ‘mobile virus' has been around for some time now, pushed by security companies eager to sell another product range to companies and maligned in the press as a nonexistent issue designed to spread fear.
But this may be changing now, as even smartphone vendors acknowledge the risk of malware targeted at mobile devices.
"We are starting to see more viruses for mobile devices; as they become more business-focused, there will be more attention from hackers," says Joe Devassy, head of Nokia's enterprise solutions in the Middle and Near East. "Right now mobile phones are personal devices - what data can you get from that? But as soon as it becomes a corporate tool, you'll start to see value in targeting the device."
This shift has come about thanks to two key trends. First, enterprises around the world - and in increasing numbers in the Middle East - are starting to load more business-critical functions onto mobile devices. This has started with email, but is now expanding to include links to core applications, such as ERP and CRM systems.
Second, the monetisation of malware has put the profit motive at the top of the agenda for malware writers - and made the newly data-rich mobile devices a much more interesting target.
While much of the malware currently targeting smartphones and PDAs is still in the ‘mischief' phase, security vendors say the shift to malicious attacks is not that far off - and may not be noticed when it comes.
"As most mobile devices do not have any form of antivirus it is hard to determine exactly how widespread the distribution of malware variants actually is," says Ivor Rankin, senior consultant for security at Symantec. "Additionally, on the internet it is possible to deploy honey nets to detect the propagation of traditional PC malware threats, but the mobile device and GSM arena does not lend itself to such widespread monitoring."
It is this shift which is potentially most worrying - as new malware is designed not to give any sign of its presence, it could potentially sit unnoticed on a device for considerable time.
One of the interesting aspects of smartphone security is that it is not Windows Mobile devices that are the main targets. Instead, Symbian S60 - as used by Nokia and other vendors - has racked up the most live malware of any platform.
The mitigating factor in mobile malware remains the simple fact that as of now, there is still an exponentially greater value in targeting PCs and laptops than mobile devices. But as businesses look at company-wide deployments of smartphones it is probably worthwhile to develop a policy regarding security issues.
But it should be borne in mind that a much greater risk for mobile devices is that of loss or theft: "The chance of losing a mobile device is about three times the chance of losing a laptop," says Devassy.
"One needs to realise that loss or theft of mobile devices that contain company sensitive probably are major contributing factor to ‘information leakage' today," says Symantec's Rankin. "The fact that these devices often contain both personal and company information seems to escape the attention of many, but certainly not to those that have, shall we say, facilitated the supposed accidental loss.
"For many years now executives have been warned to be wary of corporate espionage and to safeguard laptops whilst away on business travels. However very few companies - if any - issue the same advice when dealing with mobile devices."