Early this month, several Web sites began offering software promising ringtones and screensavers for certain cell phones. But those who downloaded the software found that it turned every icon on their cell phones' screens into a skull-and-crossbones and disabled their phones, so they could no longer send or receive text messages or access contact lists or calendars.
Security experts named the malicious software "Skulls" and consider it an early warning of the damage hackers could do as they turn their malevolent talents to cell phones from computers.
"Hackers are simply trying to put it out there that it can be done," said Vincent Weafer, senior director of security response for Symantec Corp., a security software firm. "The motivation is to say [cell phones] aren't as secure as you think."
Mobile phones are a tempting target because they have become a part of everyday life. In addition, consumers are buying more sophisticated "smart phones" with Internet connections that provide an easier pathway for cell phone infections. Few phones come equipped with protection against malicious software, though some companies are starting to install it. Most cell phone users aren't on guard for attacks like those that periodically bring down computers worldwide, and at this point there is little they can do to protect themselves.
"The impact is potentially larger on the phone because we're not savvy about that," said Victor Kouznetsov, senior vice president of mobile solutions at McAfee Inc., a security software firm. "Also, the profile of a mobile society is a cross-section of society who are potentially less [technically] savvy than computer users."
Skulls is one of five malicious software programs attacking cell phones this year, security experts and analysts said. The scale of such attacks is hard to quantify because the federally funded CERT Coordination Center at Carnegie Mellon University, which monitors viruses and other malicious software on the Internet, does not separately tally reports of such problems with cell phones.
But there are anecdotal reports. For instance, in Japan, cell phones have frequently been "spammed" with junk messages, some of which redirect phones to Web sites that cause the phones to crash.
Most basic phones can send and receive text messages, which makes them vulnerable to some attacks. And new ways of using cell phones encourage the spread of viruses. For instance, cell phones can transfer infections when users participate in a dating service that allows them to contact strangers in the same room via text messages or play online games.
The potential for trouble increases with smart phones. Like a computer, the newer phones can run e-mail programs and download PowerPoint slides, games and other applications that can come with malicious software attached. Such advanced phones make up 2 percent of cell phones in the United States, according to the Yankee Group research firm. But Yankee Group expects that share to increase to 17 percent by 2008.
Software that protects computers from viruses and other bad software has not been programmed for cell phones.
John Pescatore, an analyst with technology research firm Gartner, said malicious programs will be as much a problem for cell phones in 2006 as they are for computers today. "First it will be a nuisance," he said. "The next phase will be crime, like theft or theft of service, and then after that we'll start seeing different types of attacks" that bring down networks, he said.
Now, computers are a bigger target. Cell phones use a number of operating systems, meaning that separate programs must be designed to disable each one. That makes it harder to design a mass attack. "It's never going to be as uniform a landscape for hackers," so it is not clear how broad an attack might be, said John Jackson, an analyst with the Yankee Group.
Still, concerns are growing because of the rise in cell phone use. There are 170 million cell phones in use, compared with less than 116 million personal computers, according to the trade group CTIA-The Wireless Association and research firm IDC.
Experts have tried to anticipate how big a problem malicious software might be by simulating attacks on cell phones in software labs. They have found that e-mail viruses can multiply by sending messages through a cell phone's address book. Viruses can allow unauthorized users into a phone to access passwords or corporate data stored on the device. And they can be used to manipulate the phone to make calls or send messages at the phone owner's expense.
"The nightmare scenario with cell phones is a virus that would delete the contents of your phone, or start calling [a toll number] on its own from the phone or recording every single one of your conversations and sending the recorded conversation somewhere," said Mikko Hypponen, director of anti-virus research at F-Secure Corp., a Finnish security firm.
In June, a gang in Europe that calls itself "29A" released a virus called Cabir. It spread through Bluetooth, a feature on some phones normally used to synchronize phones and computers. It sends wireless signals up to 30 feet, so calendar and contact information can be updated without hooking devices together with a wire. But Cabir hijacked that function, sending Bluetooth phones on a search-and-destroy mission to infect other Bluetooth phones, spreading the virus.
The resulting virus called attention to itself through a text message that said "Caribe -- VZ/29a." It also drained cell batteries and killed the phone's Bluetooth feature. Members of 29A did not respond when contacted through e-mail addresses posted on their Web site.
Once a virus gets out, it's hard to contain. Cabir was sent to the labs of anti-virus companies but continued to spread. F-Secure said Cabir last month spread mysteriously from those companies' labs to phones in Singapore. Cases have since been reported in the United Arab Emirates, the Philippines, and last week in Beijing. There are no known cases in the United States, according to security experts.
Companies are beginning to respond. Nokia Oyj plans to introduce two phones in coming months with built-in anti-virus software. "As an industry, it's our responsibility to react very quickly," said Laurie Armstrong, a spokeswoman for the Finnish cell phone maker.
DoCoMo, Japan's main cell phone carrier, launched a McAfee program that can send software over the cell phone network to combat problems with malicious software on its phones. Dozens of smaller companies are also jumping into the mix. Companies such as Trust Digital of McLean and Baltimore-based Bluefire Security Technologies Inc., which is backed by Motorola Inc., are designing software to help companies protect their wireless phones from hackers. Last year, Texas Instruments Inc. started using security technology made by Belcamp, Md.-based SafeNet Inc. in the chips implanted in Nokia cell phones.
"The industry recognizes that today we're in a sheltered environment," said Mark Desautels, vice president for wireless Internet development at CTIA, "but that's not where we're going to stay."
