Mobile-botnet threat 'a ticking time bomb'

An F-Secure security researcher says mobile-phone botnets do not currently exist but conditions are ripe for their creation

Mobile botnets have not yet appeared in security laboratories or the wild but conditions are already ripe for malware attacks to turn mobile phones into zombies, according to a security researcher.

Chia Wing Fei, security response manager at F-Secure Security Labs, told ZDNet Asia in an email interview that the security vendor has dealt with viruses, worms, Trojans and spyware targeting the mobile platform, but has not yet encountered a bot or botnet.

The issue of mobile botnets was brought up recently in a report released by the Georgia Institute of Technology's Information Security Center. In the report, a Georgia Tech academic predicted that botnets will infiltrate the mobile space next year.

Chia added: "We haven't seen much mobile-malware development in the last six months as well, but the Apple iPhone has changed the whole mobile experience and is likely to change the threat level in due time." Apple's iPhone, he explained, runs a "stripped-down version of the Mac OS X" and more vulnerabilities associated with the OS are now surfacing.

Allan Bell, McAfee's marketing director for the Asia-Pacific region, noted that the mobile platform has not been seriously threatened due to the lack of a common operating system for mobile phones but, as technology convergence and market consolidation occur, the "situation may change".

Denial-of-service threats through mobile phones, however, are less likely to occur than financially motivated threats that target phones with payment capabilities, Bell said in an email.

F-Secure's Chia noted, however, that conditions are ripe for the injection of malware onto mobile phones to turn them into bots. "We have more confidential and sensitive information like [email messages] and attachments stored on mobile phones today, compared to the past. The mobile threat has become a ticking time bomb," he said.

Make it easy for end users
Security companies and mobile developers have a role to play in protecting mobile users, industry observers have said.

According to Toh Teck Kang, product director at ANTlabs, the onus should not be on mobile users to update or secure their devices.

Mobile-phone security products, he said, should be able to detect malware as well as prevent snooping on user activity, in a way that would be similar to preventing keylogging on PCs.

ANTlabs is currently working on a version of Securite for use on mobile operating systems, said Toh. Securite, which aims to secure online customer transactions, was partly designed with minimum end-user maintenance in mind. F-Secure's Chia pointed out that mobile OS providers and application vendors "have the biggest role to play". Developers need to ensure security is a consistent part of the development life cycle, and recognise that neglecting security is not a good practice.

"One feature I would like to see in all mobile operating systems and applications is the ability to push security updates to the mobile phones with ease, and automatically," he said. "If no-one has found any vulnerability on a particular mobile OS or application, it doesn't mean that it is fully secure and doesn't need to be updated."

On the other hand, mobile operators need to be proactive in filtering possible threats or scams at the gateway level, as well as educating customers about such threats and recommending appropriate solutions, said Chia. Mobile users should exercise caution when installing applications on their phones and opening links.

Show Comments