CA and F-Secure squabble over mobile threats

A spat has erupted between the two security services companies following CA's accusation that antivirus vendor F-Secure was overplaying the threat of mobile malware

Software and services company CA has accused F-Secure of hyping security threats to smartphones after the Finnish antivirus specialist launched a mobile security service last week.

CA released a statement on Monday claiming F-Secure has created a market for its mobile anti-malware service through a sustained campaign of hype.

"F-Secure is saying there's a huge risk of malcode spreading, but they've built this up," said Simon Perry, European vice president of security for CA. "If you look at their behaviour, they've consistently pushed this message. But it's a theoretical, not a real threat," he added.

F-Secure signed a deal with Orange last week to provide security for the mobile operator's smart devices claiming the threat of mobile malware would increase in the near future.

Matias Impivaara, director of mobile security for F-Secure, denied that the company had engaged in hype.

"It's amusing — the idea that I could sell something to an operator that they don't need," Impivaara told ZDNet UK. "Orange had a formal procurement process, where they put the contract out to tender based on their own analysis. It's a process that doesn't happen by accident."

F-Secure's marketing machine is not so big that it could change the opinion of the world, added Impivaara. "It's flattering for me as a salesperson — but I'm just not that good," he said.

CA insists that the threat to smartphone users was minimal and that Orange customers were better off not spending their money on mobile security. "Dig below the skin and the message stops sounding pithy and starts smelling rather rotten. At the core of the rot is the mostly undeniable fact that there is no threat to protect against," said Perry.

Confronted by CA's scepticism, F-Secure accepted there were few examples of smartphone malcode at the moment, but said that cases had been seen in the wild.

"It's not a global epidemic, but there are real people who have got it. There have been several tens of different viruses — this is early days for mobile virus writers," said Impivaara.

CA claims that criminals do not have an economic incentive to develop malcode, and that the risk of malware spreading around smartphones was minimal because of a lack of interoperability between platforms and phone models. Network services don't allow for the fast spreading of code from phone to phone, and user interaction is required for any viruses to spread, the company added.

CA claims F-Secure has created an atmosphere of fear, uncertainty and doubt to sell its product — undermining the relationship of trust that has been established between industry and vendors.

"While F-Secure's bankers and owners may be pleased with the cash flowing into their coffers from the deal, every security professional should be appalled by the perception this creates of our market," said Perry. "Industry and vendors are now more consultative and honest about risks, not just beating something up to sell it. F-Secure has done the industry a disservice."

F-Secure's Impivaara responded by saying that both mobile operators and clients had approached F-Secure, and insisted it had not hyped the threats.

"It could be bad for the industry if we were trying to scare people, but people call us with real problems and real viruses. We have created a solution to these threats for our customers. If we have mobile operators coming to us, we would be quite stupid to turn them down," he said.

"I have difficulty understanding how this can be bad for [the antivirus] business. This is not a mass problem for all consumers, but our solution is available to those who need it, and there are people who need it today," Impivaara added.