For profit-malware, targeting mobile phones is not in itself new. Previous mobile malware strains - such as Wesber-A, Redbrowser, and Java Midlet Trojans - also tried to send messages to Russian premium-rate numbers. But these Trojans first required user acceptance for each message and were only able to send messages from inside Russia.

The Viver family is more advanced because it is not subject to these restrictions.

These Trojans affect Symbaina S60 smartphones.

This kind of attack fits with predictions that attackers will move on from PCs to new devices, such as smartphones, RFID devices, etc. ITP Technology reports:

McAfee [sponsor of this community] predicts that the growing smartphone market – which is expected to exceed US$250 billion by 2011 – is too lucrative for cyber thieves to ignore. Greater adoption of these devices, coupled with more users accessing personal and financial data on the phones, will lead to increased phishing attacks, spyware and identity theft.

Eventually, wireless providers will have to provide some kind of protection analogous to fraud limits on credit cards. (For example, if someone uses your credit card fraudulently, your liability is limited to $50). This may come through regulation or the market. I can see some vendor offering a cap on malware generated charges as a competitive advantage over providers that don’t offer such a protection.

I’m more concerned about proprietary information, like sales contacts and internal documents, being stolen from smartphones. I wouldn’t want to store that kind of information without encryption from products like Pointsec or Mobile Armor.

We’ll need policies governing the storage of proprietary information on smartphones. Is your company thinking about how to deal with this or is that still to far ahead for your execs?