Russian trojan cited as proof-of-concept threat to mobile security

In the wake of reports that a mobile trojan dubbed Redbrowser.A had been encountered in Russia, the major security firms working in the mobile space issued cautious alerts to their clients and made restrained public statements. The muted response seemed to reflect the stance of the most credible security firms, as their business depends on not hyping threats as they work on preventive security measures and stay abreast of actual security threats.

Though Redbrowser.A appeared to be a proof-of-concept trojan, according to at least two major security firms, it remained unclear whether it had been intended as a proof-of-concept challenge or had actually been released “in the wild,” affecting actual users.

Redbrowser.A appeared in the Russian language and thus posed, at worst, a local threat. It also required repeated permissions from the end user to activate it, and thus could be easily thwarted by being ignored by knowledgeable subscribers. Redbrowser.A reportedly could not passively affect a mobile handset, nor could it transfer itself from one device to another. Still, it drew reassurances from major players such as Sun Microsystems Inc. (creator of J2ME, which was implicated in the workings of Redbrowser.A) and security firms, while generating chatter among security-focused analysts.

The event underscored that industry efforts to deal with threats to mobile security were begun early and remain ongoing, largely behind the scenes. Carriers traditionally have focused on network security and, in some cases, handset security, while handset vendors are incorporating security measures on handsets or via downloads. Neither party makes an effort to garner publicity for their efforts, perhaps for obvious reasons.

“We don’t want to call attention to our security efforts, but we want to support our customers,” said Cingular Wireless L.L.C.’s Kelly Williams, the carrier’s executive director of technology who is responsible for security. “Our best advice is: what you wouldn’t do on your PC (for instance, download files of unknown origin), don’t do it on your phone.”

The carrier takes steps to notify pertinent subscribers of relevant threats and partners with McAfee Inc. to make downloadable anti-malware programs available, Williams said.

According to Janne Uusilehto, a senior technical manager for Nokia Corp., handset vendors and network operators are cooperating in the security space because it is an industrywide concern. For Nokia’s network infrastructure business, security is a “key differentiator,” while the firm’s handset side does little marketing on security for consumers, preferring to make security applications available with little fanfare.

Redbrowser.A drew attention, in part, because it is a Java Micro Edition (J2ME) applet that pretends to be a mobile Web browser that uses text messages rather than the air interface to transmit Web pages, according to McAfee. Previously identified mobile pests targeted advanced phones that run on the Symbian operating system. At least one observer in the mobile security arena believes that Redbrowser.A’s most serious advancement is its use of J2ME, which is in widespread use in many handsets on the market.

Anton Von Troyer, marketing manager for the Finnish security firm F-Secure, said: “Currently, the threat is not very serious. There are about 170 mobile viruses out there in the world, most are made for Nokia Series 60 phones that use Symbian OS.”

Von Troyer said Redbrowser.A is not a serious threat because it requires the user to accept the installation. However, due to some users’ unfamiliarity with various phone functions, they could make this mistake.

Perpetrators of Redbrowser.A conceivably could profit by setting up a third-party entity that offers a service akin to a 900 phone-number service and then directs, via the trojan, the handset of the unsuspecting subscriber to purchase that service, said Victor Kouznetsov of McAfee. Kouznetsov’s firm identified the third-party code within Redbrowser.A, but could not connect it to any known entity in the short period that Redbrowser.A appeared to have been active.

“Currently we consider the threat level to be relatively low,” Kouznetsov said. “Over the last two years, several proof-of-concept malwares have been created, primarily on high-end smart phones like the Nokia Series 60. Since the penetration of those devices is small, we don’t consider them a major threat to the overall population, although we have seen reports from end users and our partner network operators that those malwares and worms actually have propagated to a number of handsets. The operators are taking preventive measures to block them.”

Asked to compare the state of the mobile industry’s situation today to the PC security industry (a comparison that many in the mobile space reject for various reasons), Kouznetsov said: “We’re now circa 1991. In 1988, we saw three viruses. By 1991, we saw interest developing and we were no longer in the single digits anymore. In the mobile space we now see nearly 200 variants of four or five basic creations. So we’ve definitely crossed a psychological barrier where people thought it was not possible to yes, it’s possible.”

McAfee’s view of what would constitute a watershed event for security in the mobile telecom industry?

“In the PC world, I cannot think of any watershed event that triggered mass adoption of security technologies,” Kouznetsov said. “Adoption began with enterprise, but mass-market consumers didn’t become aware of the issue for a decade. The mobile ecosystem is driven by network operators, in a financial sense, and I would say the trigger in the mobile space would be financial implications for operators before there is mass adoption of security technologies.”

“The tricky part in our business,” Kouznetsov added, “is that while we have worked with various players for some time, they typically prefer not to announce it until they can openly talk about it.”

Operators don’t want to roil their subscribers with unnecessary concerns, Kouznetsov said, and there’s some denial. “There’s still a notion that mobile telecommunications is immune to the problems experienced in the PC world,” he said. And there is a sense that the mobile industry wants to distance itself from the PC experience that preceded it and today is plagued by malware.

Asked whether he anticipated that the hop-scotch pattern of antivirus work in the PC world (a virus exploits a weakness in a current program, programmers rush to prevent the vulnerability, and the process repeats itself) would play out in the mobile space, Kouznetsov said: “We try to be a couple steps ahead of the ‘bad guys.’ We recognize that the mobile space is different and we have to be more proactive in designing technologies capable of meeting future threats.”

“The reality is that automation is automation and technology can be used for good purposes and it can be abused,” Kouznetsov concluded. “So I think that psychological barrier is being crossed right now. In light of Redbrowser.A, which conceivably might work on perhaps 50 percent of all phones, some folks have called us and said, ‘Can we talk again?’”