WASHINGTON — Early this month, Web sites began offering software promising ring tones and screen savers for certain cell phones. But those who downloaded the software found that it turned every icon on their cell phones’ screens into a skull and crossbones and disabled their phones so they could no longer access text messages, contact lists or calendars.
Security experts dubbed the virus Skulls and consider it an early warning of the damage hackers could do as they turn their malevolent talents from computers to cell phones.
“Hackers are simply trying to put it out there that it can be done,” said Vincent Weafer, senior director of security response for Symantec, a security software firm. “The motivation is to say (cell phones) aren’t as secure as you think.”
Mobile phones are a tempting target because they have become so much a part of everyday life. In addition, consumers are buying “smart phones” with Internet connections that provide an easier pathway for cell-phone infections. Few phones come equipped with anti-virus protection, although some companies are starting to install it. Most cell-phone users aren’t on guard for viral infections like those that periodically bring down computers worldwide, and at this point there is little they can do to protect themselves.
“The impact is potentially larger on the phone because we’re not savvy about that,” said Victor Kouznetsov, senior vice president of mobile solutions at McAfee, a security software firm. “Also, the profile of a mobile society is a cross-section of society who are potentially less (technically) savvy than computer users.”
Skulls is one of five cell-phone viruses identified this year, security experts and analysts say. The scale of such attacks is hard to quantify because the federally funded CERT Coordination Center at Carnegie Mellon University, which monitors Internet viruses and worms, does not separately tally reports of cell-phone viruses.
But there are anecdotal reports. In Japan, cell phones frequently have been “spammed” with junk messages, some of which redirect phones to Web sites that cause the phones to crash.
Most basic phones can send and receive text messages, which makes them vulnerable to some attacks. And new ways of using cell phones encourage the spread of viruses. Cell phones can transfer infections when users play online games or participate in a dating service that allows them to contact strangers in the same room via text messages.
The potential for trouble increases with smart phones. Like computers, the newer phones can run e-mail programs and download PowerPoint slides, games and other applications that can come with viruses attached. These advanced phones make up 2 percent of cell phones in the United States, according the Yankee Group research firm. But Yankee Group expects those numbers to increase to 17 percent by 2008.
Furthermore, existing anti-virus software for computers hasn’t been programmed for cell phones.
“By 2006, cell-phone viruses will be what viruses are on the Internet in 2004” because cell phones are in many ways becoming more like miniature PCs, said John Pescatore, an analyst with Gartner, a technology research firm. “First it will be a nuisance. The next phase will be crime, like theft or theft of service, and then after that we’ll start seeing different types of attacks” that bring down networks, he said.
Cell phones use a number of operating systems, meaning hackers must design separate programs to disable each one. That makes it harder to design a mass attack.
“It’s never going to be as uniform a landscape for hackers,” so it’s not clear how broad an attack might be, said John Jackson, an analyst with the Yankee Group.
Still, concerns are growing because of the growth in the use of cell phones. There are 170 million cell phones in use, compared with fewer than 116 million personal computers, according to the Cellular Telecommunications and Internet Association and market-research firm IDC.
Experts have tried to anticipate how big a problem viruses might be by simulating attacks on cell phones in software labs. They have found e-mail viruses can multiply on their own by sending messages through a cell phone’s address book. Viruses can allow hackers into a phone to access passwords or corporate data stored on the device. And they can be used to manipulate the phone to make calls or send messages at the phone owner’s expense.
“The nightmare scenario with cell phones is a virus that would delete the contents of your phone or start calling (a toll number) on its own from the phone or recording every single one of your conversations and sending the recorded conversation somewhere,” said Mikko Hypponen, director of anti-virus research at F-Secure Corp., a Finnish security firm.
In June, a hacker gang based in Europe that calls itself “29A” released a virus called Cabir. It spread through Bluetooth, a feature on some phones normally used to synchronize phones and computers. It sends wireless signals up to 30 feet, so calendar and contact information can be updated without connecting devices with a wire. But Cabir hijacked that function, sending Bluetooth phones on a search-and-destroy mission to infect other Bluetooth phones, spreading the virus like a sneeze in a crowded room.
The resulting virus called attention to itself through a text message that said “Caribe — VZ/29a!” It also drained cell batteries and killed the phone’s Bluetooth feature. Members of 29A did not respond when contacted through e-mail addresses posted on their Web site.
Once a virus gets out, it’s hard to contain. Cabir was sent to the labs of anti-virus companies but continued to spread. F-Secure said Cabir spread mysteriously last month from those companies’ labs to phones in Singapore. Cases have since been reported in the United Arab Emirates, the Philippines and Beijing. So far, there are no reported cases in the United States, security experts say.
Companies are beginning to respond. Nokia plans to introduce two new phones in coming months with built-in anti-virus software.