Mobile carriers admit malware attacks

Mobile security is a real issue, even for phones, says Sophos survey.

For the last three years, security experts have warned that mobile devices would someday be attacked as massively as the PC. Those predictions are starting to come true, according to a recent survey of more than 200 mobile operators, though two security experts said the overall threat remains low.

Eighty-three percent of mobile operators surveyed by Informa Telecoms & Media on behalf of McAfee Inc. between December and January acknowledged they've been hit by mobile device infections. Respondents, who answered questions on a variety of mobile security issues in an anonymous online survey, also acknowledged that:

  • The number of mobile security incidents in 2006 was more than five times as high as in 2005.
  • The number of mobile operators in Europe and APAC reporting incidents affecting more than 1,000 devices more than doubled in 2006.
  • All operators spent $200,000 or more on mobile security in 2006 compared to 2005.
  • The number of mobile operators estimating that the cost of dealing with mobile threats is more than 1,000 hours increased by 700%.

"What surprised me about the response was that 83% of carriers acknowledged they had experienced mobile malware," said Jan Volzke, head of marketing for mobile security at McAfee. "We had earlier estimated internally that the number would only be half of that."

He said carriers are feeling a growing sense of urgency about addressing the problem, since an increasing amount of data is being accessed on mobile devices. Because of that, he said, the carriers are now looking at security as a business risk in need of investments instead of a way to make more money.

Respondents said customer satisfaction has been a casualty of the increased infections. Nearly 30% said subscriber satisfaction had suffered more than any other factor, including revenue. The second-biggest side effect has been the quality of network performance.

Nearly 80% described it as a public relations problem, but less than a third of those who consider application and device-level protection important have actually deployed defenses at these levels. But respondents suggested this is about to change: Eighty-five percent of respondents said they'll increase their mobile security budgets to tackle issues including network intrusion, mobile viruses, denial-of-service attacks, spam and mobile phishing.

Security vendors have begun trying to capitalize on that increase in spending. McAfee recently released its Mobile Security Risk Management product, while Symantec Corp. recently announced the availability of its Mobile AntiVirus 4.0 for Windows Mobile and Sophos released its Mobile Security product.

While mobile security is a growing issue, Sophos senior technology consultant Graham Cluley said IT professionals need to keep the overall threat landscape in perspective. For now, that landscape is nothing to panic about, he said.

"We haven't polled the mobile phone operators ourselves, so we can't confirm McAfee's findings," Cluley said in an email exchange. "However, we do know that mobile phone attacks are much, much rarer than malware attacks against regular Windows desktops and laptops."

While there has been concern in the past about security vendors hyping the mobile threat to boost sales, Cluley said there's no doubt more companies are looking to protect their mobile devices as they become more integrated into their business. Therefore, security vendors are right to start focusing on mobile defenses.

But, he added, "It's important to keep the threat in perspective. There are over 214,000 different viruses for PCs, but only around 200 examples of malware for PDAs and mobile phones. None of those can be considered widespread."

Mikko Hypponen, director of antivirus research for Helsinki-based F-Secure Corp., agreed.

"We've seen a steady increase in the amount of reports of mobile virus infections from the field," he said in an email exchange. "However, the situation is still far from being as bad as it is on the PC side."
