Mobile threat a 'ticking time bomb'

Mobile botnets are currently non-existent but factors that make such a scenario possible are already in place, says security vendor F-Secure.
Written by Vivian Yeo, Contributor

Mobile 'botnets' have not yet appeared in security laboratories--much less in the wild--but conditions are already ripe for malware attacks to turn cellphones into zombies, according to a security researcher.

Chia Wing Fei, security response manager at F-Secure Security Labs, told ZDNet Asia in an e-mail interview that the security vendor has dealt with viruses, worms, Trojans and spyware targeting the mobile platform, but has not yet encountered a bot or botnet.

The issue of mobile botnets was brought up recently in a report released by Georgia Institute of Technology's Information Security Center. In the report, a Georgia Tech academic predicted that botnets will infiltrate the mobile space next year.

Chia added: "We haven't seen much mobile malware development in the last six months as well, but the Apple iPhone has changed the whole mobile experience and is likely to change the threat level in due time." Apple's iPhone, he explained, runs a "stripped-down version of the Mac OS X" and more vulnerabilities associated with the OS are now surfacing.

Allan Bell, McAfee's marketing director for the Asia-Pacific region, noted that the mobile platform has not been threatened in a big way due to the lack of a common operating system for mobile phones, but as technology convergence and market consolidation takes place the "situation may change".

Denial-of-service threats through mobile phones, however, are less likely to occur than financially-motivated threats that target phones with payment capabilities, Bell said in an e-mail.

F-Secure's Chia noted, however, that conditions are ripe for injection of malware onto cellphones to turn them into bots. "We have more confidential and sensitive information like [e-mail messages] and attachments stored on mobile phones today as compared to the past.

"The mobile threat has become a ticking time bomb," he said.

Make it easy for end-users
Security companies and mobile developers have a role to play in protecting mobile users, say industry observers.

According to Toh Teck Kang, product director, ANTlabs (Advanced Network Technology Laboratories), mobile users should not have to bear the onus of updating or securing their devices.

Security products, he said, should be able to detect malware as well as prevent snooping on user activity on the mobile phone, which would be similar to preventing keylogging on PCs.

ANTlabs is currently working on a version of Securite for use on mobile operating systems, said Toh. Securite, which aims to secure online customer transactions, was designed in part with minimum end user maintenance in mind. The company, said Toh, is currently working on a version of Securite for use on mobile operating systems.

F-Secure's Chia pointed out that mobile OS providers and application vendors "have the biggest role to play". Developers need to ensure security is a consistent part of the development lifecycle, and recognize neglecting security is not a good practice.

"One feature I would like to see in all mobile OS and applications is the ability to push security updates to the mobile phones with ease, and automatically," he said. "If no one has found any vulnerability on a particular mobile OS or application, it doesn't mean that it is fully secure and doesn't need to be updated."

On the other hand, mobile operators need to be proactive in filtering possible threats or scams at the gateway level, as well as educate customers about such threats and recommend appropriate solutions, said Chia. Mobile users should exercise caution when installing applications on their phones and opening links.

Editorial standards