A new Trojan horse disguised as a video game that appeared this week is unlikely to spread or to cause much damage, but that’s not its real threat. Instead, the MetalGear.A Trojan should be considered a “proof of concept” for what will eventually bring a series of attacks that could cause serious damage to smart phones.
This week’s attack, like other recent attacks against smart phones, was aimed at devices using the Symbian operating system. The Trojan is designed to disable some forms of anti-virus protection, and to install a virus that spreads using Bluetooth. Similar attacks earlier this year were unsuccessful.
“The threat of a Bluetooth-based attack is orders of magnitudes lower than a PC-based attack,” said Charles Golvin, principal analyst at Forrester Research. “It’s proximity-based.”
He said this means that an infected phone needs to be within a few feet of its target before it could infect another phone, and even then, the phone’s user would need to have Bluetooth turned on and would have to agree to install the software.
“We’re certainly investigating this with Nokia and our anti-virus providers,” said Jerry Panagrossi, vice president of U.S. operations at Symbian. Panagrossi said the new attack is a variation of the Skulls Trojan, and that he doesn’t expect it to have much impact.
One reason he thinks the spread will be limited is that Symbian has adopted a program of application signing for commercial software. He said that before the MetalGear Trojan is installed, the user must approve the installation, then approve it again after being told that it’s not a signed application.
He said smart phone operating systems will require that all applications be signed before installation in the very near future, which also would tend to limit the spread of viruses.
While the Trojan attacks try to disable SimWorks anti-virus, phones using competitor F-Secure are unaffected. F-Secure’s Travis Witteveen said that while this week’s threat means little to the user community, it’s still serious. “This is becoming a major issue,” he said, adding that it’s a “warning to industry that it’s happening already.”
If companies are proactive now, Witteveen said, they can avoid the virus battles that affected the PC industry. He noted that Nokia is the first manufacturer to include anti-virus capabilities in its phones, and that Vodafone is the first wireless carrier, but he added that a number of other companies will be adopting anti-virus techniques in the near future.
“The scary part is the proof of concept,” Witteveen said. “All of a sudden, you’ll have copycats by the thousand.”
Golvin, meanwhile, noted that attacks on Symbian-based smart phones are just the beginning. “It’s not just Symbian,” Golvin said. “The same thing is true for Palm-based phones or Windows-based phones. The fact that you have an open operating system that can accept new software means that you have this risk.”
Unfortunately, Golvin said he doesn’t think the situation is due to improve. “I expect it to get worse,” he said. “With all of these mobile phones out there with richer operating environments, the number of targets is increasing, which means more interest on the part of the attacker.”
He also said he thinks that at least initially, some efforts by wireless companies to solve the problem will be short-lived. “It’s an arms race. The attacks exploit weaknesses, the weaknesses get patched, and away we go,” Golvin said.
Both Golvin and Witteveen said they think the solution lies with both the phone manufacturers and with wireless carriers. Golvin said he thinks the most successful approaches will be through the mobile phone operators, which he says have an obligation to provide a secure network.