When it comes to viruses, worms and other forms of malware infecting smartphones and PDAs, security vendors have been warning of the possible dangers for months. Until recently, however, their cries of alarm drew yawns from most industry analysts and security experts.
A case in point is a Gartner report, released this summer, that concluded mobile-phone users will not see much virus activity in their mobile devices for at least two years. The report said that, for one, not many U.S. consumers have smartphones with which they exchange executable files. Second, the U.S. mobile-phone market lacks a dominant operating system for virus writers to target.
IDC research analyst David Linsalata presented a similar viewpoint about the impact of a new malware threat that targets smartphones running the Symbian Series 60 operating system. "Viruses and malware are certainly a threat that should be watched, but they are not necessarily an immediate threat," he said.
"These types of viruses only tend to affect smartphones that have the advanced capabilities that can run them," he explained. "With Doomboot.A, once the smartphone is infected, it sends out SMS messages, which drains the battery, and you end up losing your data."
However, the occurrence of Doomboot.A might signal that it is time to review the dangers and determine just what enterprises need to know to protect wireless devices in the hands of mobile workers.
Measuring the Threat
"The threat, meaning the essential impact of losing data to a virus, is pretty serious, and I base that on the extent of mobile connectivity and the damage that could be done," said McAfee Mobile Solutions senior product manager Drew Carter.
The Doomboot.A virus, for example, features an embedded worm called CommWarrior.B that perpetuates itself by sending out a flurry of unauthorized messages using the Symbian smartphone's Bluetooth radio.
The malware program relies on smartphone users downloading infected files onto their handsets, either from the Internet or by way of wireless Bluetooth or infrared connections.
Smartphones represent only a fraction of the total mobile-phone universe, and the Symbian OS is just one system among many offerings for smartphones. However, one disturbing implication of this particular threat is its proof-of-concept demonstration of how to hit user finances by surreptitiously sending out thousands of costly text messages.
Potential Impact
Perhaps the most immediate threat from a smartphone virus is the potential access to contact lists in infected phones. Even worse than inconvenience, such an attack could be costly.
"The biggest threat that I see right now is that Research In Motion's Blackberries and palmOne's PDAs are connected to names and addresses," said IBM Global Solutions Manager for Managed Security Services Doug Conorich.
"If somebody devised a virus sent out with a 'payload pull' and an 'address book out' it could send out messages to all those listed in the [handset's] address book," noted Conorich. "At 10 cents a message or more on some of the [wireless] plans, you can see that that cost to smartphone end-users could add up rather quickly."
And, as mobile malware evolves, the threat to enterprises could become even greater. "If you work for a multimillion dollar enterprise and a virus zips off all your files and sends them to someone else, then that could be a big problem," Linsalata said.
"One of the things that the OS people will have to change is the way that their phones accept applications...so that an SMS message will not be able to download an application and install it on the smartphone, which is the way that the Symbian one works," Conorich said.
Determining Responsibility
The question of who bears the burden of blame and liability is one of the first issues that mobile service providers will have to tackle when mobile viruses become widespread.
"The software vendors that produce mobile phone operating systems definitely have the responsibility of issuing patches to their products," said McAfee Mobile Solutions senior vice president Victor Kouznetsov. "But this is a totally separate issue from determining who is responsible for protecting smartphone users from a financial standpoint."
In today's wireless world, most operators focus their sales efforts on individual consumers despite the increasing popularity of taking enterprise data mobile, noted Kouznetsov. So the temptation is to blame the individual end-user.
Kouznetsov admitted, however, that antivirus tools are not yet widely available for mobile users. Thus, dealing with malware is currently outside the scope of individual subscribers.
"At this point it is the wireless operator's financial responsibility to address the issue," advised Kouznetsov. "Otherwise, consumers might feel threatened into not buying a Nokia phone running the Symbian OS."
Pressuring Wireless Carriers
In the U.S., cell-phone manufacturers are not directly accessible to the consumer, whether the user is an individual or a company buying many phones. The wireless provider selects the phones available and handles the configuration options. So the phone users have to rely on the service provider on matters involving virus protection.
"Enterprises, therefore, would be well advised to contact the operator they are using and standardizing on, and then demand that the operator include the technology and provide it on their handsets, or ask whether the operator will be including it in the future," Kouznetsov said.
Wireless carriers already are starting to feel the responsibility for embedding protection into their networks. In fact, McAfee already provides Japanese carrier NTT DoCoMo with malware-protection software that has been embedded in seventeen different phone models, Kouznetsov said.
"For the carrier it could be a powerful differentiating factor to say, 'We will protect you and make sure you are secure,'" Linsalata suggested. "But I can't see a carrier simply saying, 'You will always have antivirus protection and we will provide it for you.'" Linsalata sees malware protection emerging as a series of partnerships between wireless providers and security vendors.
Requirements for I.T. Managers
Another challenge that enterprises face is establishing the right standards and policies for the mobile workforce. "Mobile devices are often purchased by individuals who also want to access enterprise resources," Carter said.
"But does this really make sense? Today the technology is somewhat immature, but as it reaches a higher level of penetration, companies will need to adopt a more sophisticated approach," he suggested. "The other option is for enterprises to provide the mobile devices and set the standards, so if mobile workers want to connect to the network, then they need to buy these devices."
Despite all the malware hoopla, many viruses can be defeated using common sense. Mobile-device users will have to start following the same safe-use practices that they should be using on their computers, security experts emphasized.
"If you get a file from a friend, make sure he really wants you to install that new game or whatever," Linsalata said, adding that smartphone users should look for the industry certification standard for smartphones running the Symbian OS before installing anything. "If you get a message that the program is not Symbian Signed, first ask yourself whether you are really sure you want to install it," Linsalata said.
Bigger Enterprise Concerns
Going forward, one key for enterprises is to stay aware of this problem. According to Linsalata, mobile malware will only grow into a more significant threat as time goes on. But at the moment, the bigger concerns enterprises face are much simpler, he said.
Enterprises should remain centered on physical device security. They should concentrate on being able to wipe devices remotely and make sure that policies for passwords and data encryption are in place.
"Make sure the devices are physically secure with the data they contain backed up and encrypted," Linsalata said.
These more pressing needs should take priority because anyone can lose a device, but not everyone's device can get infected by a virus, at least right now, Linsalata said. "Focus on the more pressing security concerns about theft or physical loss in some other capacity," he added.