The emergence of two new variants of a worm that targets smart phones could signal the beginning of more attacks against such devices, said the security software vendor that discovered the threats.
But some security analysts said that there’s no reason for immediate concern and that large-scale attacks targeting smart phones and handheld computers are unlikely in the short term.
Helsinki-based F-Secure Corp. issued an advisory in late December warning of an increasing number of attacks against smart phones after it found two new variants of the Cabir worm, which first appeared last June and targets devices running Symbian Ltd.’s mobile operating system.
“The thing that concerns us the most is that there is a lot of the original source code for Cabir out there,” said Travis Witteveen, vice-president of the Americas at F-Secure’s U.S. headquarters in San Jose. Thus far, Cabir and its variants haven’t proved to be particularly destructive, he said. But that could change, since the source code is floating about freely, he added. For instance, the new variants of Cabir are capable of fixing a code flaw that slowed the spread of the original version, according to Witteveen.
He said that in addition to Cabir and its variants, new versions of another piece of malicious code called Skulls that also targets Symbian’s software have begun appearing, further raising the potential threat to users.
The increase in malware targeting smart phones is something that IT security managers need to keep an eye on, said John Pescatore, an analyst at Gartner Inc. “But three things have to come together for there to be a real virus threat in the smart phone world,” he said. “A dominant (operating system) platform has to emerge, the phones have to be able to run external software on them, and there has to be more penetration (within companies).” Gartner doesn’t expect those three things to happen until the end of 2006, he added.
Nonetheless, companies that are using PDAs and smart phones should start treating such devices as corporate assets and figure out formal processes for protecting them before the end of next year, Pescatore advised.
“You’d be bordering on the negligent to completely ignore this issue,” said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. But it’s an immediate concern only for companies that are heavily using smart phones, he said, adding that very few are doing so now. “In the real world, you have to prioritize your work, and my guess is that this would be on the low end of that list,” Lindstrom said.