Mainstream media will have you believe that your smartphone is horribly at risk from 'mobile malware' (i.e. applications that spread themselves to other devices and do horrid and unspeakable things to yours). The trouble is that almost every story, every press release originates from a security company with a large vested interest in people buying their software. Here's the truth about mobile malware.
The number one thing to emphasise here is that users shouldn't be worried at all. In fact, most of the time they shouldn't even be told about most so-called hacks and malware, since most people will NEVER come into contact with anything suspect and the only result of careless reporting will be the spread of FUD (Fear, Uncertainty and Doubt), which will harm the whole smartphone scene.
Despite the scare stories, the world of malware on current handheld devices is minuscule compared to that on Windows. Mobile operating systems like Symbian OS and Windows Mobile are perfectly secure in terms of not letting 'nasties' in while online, so there's no need for a firewall, an otherwise essential utility on the desktop. OS X, as used on the iPhone, is a lot less secure at the moment because every process, however suspect, can run with full system privileges. But you can bet your last dollar that by the time Steve Jobs releases an iPhone firmware with proper, legal third party app support, there will be proper protections in place. Apple aren't stupid!
All known malware applications for mobile devices travel as applications in their own right, usually arriving as an unexpected Bluetooth beamed item or MMS, sent from an 'infected' device. On any smartphone or handheld the user can simply refuse the incoming transmission or not install whatever payload application is received.
Another way for a user to unwittingly receive malware is when installing a so-called 'trojan', usually an application that they've seen online on a 'warez' site (hacked copies of commercial applications) and one that also includes malicious content. Because they wanted the 'for free' application they're likely to install this and it's then that their troubles start. Conversely though, if a user stays away from illegal/warez software then they can avoid ever being tricked altogether.
Assuming that a user has been tricked into installing something malicious (and trust me, encountering mobile malware should be extremely rare) and has accepted the usual 'Are you sure you want to install' questions, what can such a program get up to?
In the case of a communicator or smartphone based on Symbian OS 9.x, e.g. the Nokia E61, N95, etc., not a lot. All operating system files are fully protected against tampering (Symbian call this 'Platform Security', part of Symbian OS 9) and even routine functions like an untrusted application sending items by Bluetooth or trying to go online are each prefaced by a warning message, so there's no possibility of a 'silent infection'. In theory at least, Symbian OS 9-based smartphones are invulnerable and there's no need for any concern or extra security software.
Older S60 smartphones are more vulnerable, allowing silent infections and malware access to Bluetooth and the Internet, but they also make just as much fuss when installing such a program. The only reason so many S60 'viruses' have been reported is the huge number of units sold; the proportion infected is still lower than 0.01%.
Windows Mobile devices have a limited amount of security built in but aren't really secure. When a user tries to run a program it asks them for permission, but once this is given the program is pretty much given free rein to do whatsoever it likes, including changing the registry to allow future malware to install silently. Therefore users have to be even more careful than with old S60 devices about which software they install. In addition, two vulnerabilities have been discovered in Windows Mobile Internet Explorer and the Pictures and Video module: viewing a malicious web page or image file could cause the device to fail, opening the door to denial-of-service attacks.
Users can rest easy if they own a Palm OS or Linux-based device, or an older UIQ smartphone, as these aren't attractive platforms for malware-writers and users are more likely to win the lottery than encounter anything malicious, especially if they stick to trusted programs. The iPhone's OS X will be an attractive target, of course, but only Apple know what they're planning in terms of security measures and it's too early to pronounce a verdict on this platform.
Luckily, because the operating system of every handheld or smartphone is in flash memory (as opposed to an easily-writeable hard disk), even if a user is careless enough to get infected then getting rid of the malware is as simple as doing a factory reset and restoring their last good backup or resyncing over their PIM data.
The bottom line? Users should be warned to only download and install third party programs from 100% trusted sources and to avoid warez like the plague. Bluetooth should be left as 'Hidden' once pairings with accessories have been set up.
And users shouldn't accept new applications or even images by infrared, Bluetooth or MMS unless they are explicitly expecting them.
Devin Moore
Tue Oct 30 10:25am