Mobile phone malware - viruses, worms and Trojan programs created to attack the devices - are rare, but starting to appear in Japan and Europe, where 3G technology is more popular, according to Corey Nachreiner, a network security analyst at vendor WatchGuard Technologies.
By the time such malware hits domestic users' handsets the programs are expected to blend into more complex threats. Some examples recently hitting overseas users include:
- The Doomboot trojan perpetrates denial-of-service attacks by billing itself as "Warez" - premium games that have been compromised to allow free use, says Seth Fogie, VP at mobile security vendor Airscanner. Devices work until they are rebooted. Doomboot enters via Bluetooth's discovery mode, the Web and e-mail.
- Cardtrap spreads to phone memory cards - which can be inserted in computers to sync up a music download, picture or ringtone - where it can infect again, Fogie says.
- Redbrowser is a Russian wireless application protocol browser that offers itself to users who don't have one. It offers to send free SMS messages but actually charges the user US$5 to $6 per message.
- Crossover detects and infects devices via an ActiveSync connection for Windows PCs. It can spread from phones to computers. Crossover has not been detected in public yet; in concept it fills up phone memory with useless data and exhausts phone resources, Fogie says.
More generally, buffer overflow vulnerabilities exist in the Windows Mobile software, according to Fogie, in cases where an application has not been programmed to properly check the format of incoming data. Such attacks will become more prevalent as the platform grows, Fogie says.
Things you can do
- Educate users that mobile phones are vulnerable and they should not install anything on them unless it's from an authorised source.
- Secure and control phones. Use mobile versions of firewalls and antivirus protection. (Examples come from F-Secure, which offers both, and TrendMicro, which offers an antivirus product.)
- Secure phone ports. Many phones have USB ports. Corey Nachreiner of WatchGuard Technologies advises getting USB control software, which allows an administrator to regulate which devices (including mobile phones) are allowed on a computer's USB ports.
- Secure Bluetooth. If the user doesn't need Bluetooth, disable it. If the service is needed, the end user shouldn't accept connections from unknown parties.
- Set policies. CSOs or CISOs can enforce policies around downloading or opening files from unauthorized sources. Don't open or accept any unexpected attachments; verify a known party's intent to send one.