Motion Sickness
Last June, the first Cabir worm appeared in a Symbian-based mobile phone. Dubbed Cabir, the worm was unique among mobile virus threats because it didn't use the wireless network to propagate. Instead, it was passed along via phones' Bluetooth connections. Once Cabir got into its first phone in Europe, it immediately took over the Bluetooth functionality of the phone and began scanning for other Bluetooth ports. When it found one, it replicated itself, burrowing into the new handset, which in turn began its own Bluetooth scanning process, and so on — ad infinitum.
“Cabir is like a disease,” said Travis Witteveen, vice president of North American operations for F-Secure, an antivirus developer. “It's contagious to any phone within 20 meters. We had to go to a bomb shelter just to test it. Our labs are secure, but Bluetooth projects in every direction. We couldn't take the risk of infecting someone's phone two floors above us.”
Cabir sounds just plain nasty: It can target any phone with a Symbian operating system (OS) and a Bluetooth connection. It can sneak into a device and lodge itself in the unit's system files without the device's owner ever being aware. It bypasses wide area wireless networks, circumventing all of a carrier's anti-virus and security measures. One person walking onto a crowded commuter train could instantly infect 100 phones.
The odd thing is that Cabir didn't cause any havoc. The damage it caused was negligible. It didn't destroy any files or initiate any short messages or voice calls, nor did it steal any passwords or personal data. It drained battery power from infected phones because of the constant scanning through Bluetooth, but otherwise the only thing Cabir did was replicate itself. That's why security experts call Cabir a worm and not a virus. It had no harmful payload. Cabir was simply a delivery mechanism with nothing to deliver.
Cabir's first incarnation, Cabir.A, is known among antivirus experts as a “proof of concept” — malicious code developed by hackers to show that they could cause widespread damage in the mobile network but, at least for now, are choosing not to. Just as hackers routinely attack Windows-based servers and PCs to demonstrate security holes in Microsoft's code, Cabir's authors, the hacker group A29, are demonstrating the severe vulnerability of mobile devices.
But don't get the impression that A29 is in the business of public service, Witteveen said. A29 even delivered Cabir's source code directly to F-Secure and other antivirus companies' doorsteps, basically taunting the people who are trying to stop them.
In fact, A29 appears to have gone well beyond taunting. In December, the group published what appears to be the Cabir source code for the global hacker community. Between its June launch and Dec. 9, only two variants of Cabir appeared — but in less than a month, eight new variants popped up as hackers began unleashing them in 10 different countries. The variants produced no major damage, but Witteveen thinks it is only a matter of time before a Cabir variant is launched that does carry a dangerous payload.
“These are just the first viruses we've seen in the wild,” he said. “Their penetration has been small, and they've caused relatively little damage. Anyone who wants to do any real damage won't focus on the mobile phone. The question is, are we going to do what we did in the PC world and wait for something to happen, or are we going to learn from the past and deploy the necessary infrastructure?”
The industry has already answered Witteveen's question, at least in part. While antiviral software is by no means a standard component of all handsets, Nokia recently started shipping its first smartphones with F-Secure's antivirus solution pre-loaded, and has contracted with Symantec to do the same with its software. Some European carriers have even started offering virus protection as a premium service, charging customers a monthly charge to manage and update security features on their handsets.
Even the technology is improving. Over-the-air firmware update developer Bitfone just announced a partnership with PC security outfit McAfee to incorporate Bitfone's Smartcare OTA technology into McAfee's mobile security software, allowing carriers or security providers to automatically upload the security definitions and software upgrades into a handset via the network as soon as a new threat appears.
Gene Wang, Bitfone CEO and former Symantec executive vice president, said the industry still hasn't figured out a business model for wireless security because there are still relatively few smartphones on the market, and the threats to them so far have been minor. But as smartphones proliferate and attacks increase in frequency and damage, carriers and vendors will have to work on how exactly to offer protection to their customers, either as a paid monthly service or as part of their overall data offerings.
“We're just in the early days, and most users don't need antivirus protection,” Wang said. “Just like you don't have to worry about your refrigerator or your toaster getting a virus, you don't have to worry about your phone getting a virus. But wait until these devices start getting more PC-like.”
Most virus and worm attacks have been limited to smartphones that use the Symbian OS, particularly Series 60 devices. The explanation is simple: Series 60 has the highest penetration of OS-based smartphones in the world. There are 18 Series 60 smartphones and communicators launched to date spread over 100 different operators' networks globally. In 2004, 20 million individual Series 60 handsets shipped, and Nokia estimates double that number will ship this year.
But that doesn't mean hackers haven't paid any attention to other OS platforms. Symantec mobile security product manager Matt Ekram said that malicious codes for Microsoft Windows Mobile and PalmOne devices have made brief appearances. In June, the first proof-of-concept virus targeting the Pocket PC — a virus called Dust — emerged, spreading itself but doing no damage. Just two months later came Brador, a Trojan horse that attacked the entire Windows Mobile platform. Unlike Dust, Brador lodges itself in system files and sends back the IP address of the handset to the hacker that launched the virus, allowing that hacker to remotely take control of the phone.
And while Cabir may be the most common virus over Symbian phones, Ekram said other far-less benign viruses have been released. A virus called Skulls has replaced application files on some Symbian phones, leaving its hallmark — a series of skull images — across the handset display. Another, called Mosquito, hides itself in a game of the same name and forces the phone to send SMS messages to premium numbers without the user knowing.
“You have to understand the behavior of the hacker,” Ekram said. “Hackers are learning the environment. Their understanding is still limited, but as their understanding increases, the threats will become much more severe.”
There is a general consensus among the security community that the big viral onslaught will come when there are enough smartphones in the market to have a real impact. Right now the number of smartphones in customers' hands is so low, and the OSs they run on so fragmented, that any major attack — while devastating to the customers affected — would have relatively little impact on the mobile handset-using public in general. Hackers are out for headlines and their own edification, said F-Secure's Witteveen, and to them, launching a major attack now would be pointless.
But come the day that smartphones are as common as today's camera phones — and, more significantly, that customers come to rely on them as information and computing tools — and the hacker community will seek to cause some real damage.
“Hackers have already shown that they can get into your phone,” Witteveen said. “It's a ‘been there, done that’ dead-end in the hacker community. The next big attack, though, will seek to cause some serious financial havoc.”
That day could come sooner than the wireless industry might expect. Smartphones are gradually coming down in price, and sales are picking up. Microsoft has started making headway in bringing its Windows Mobile software to the wider wireless world, and while its smartphone sales are still lax, the company recently surpassed PalmSource in sales of PDAs carrying its OS. PalmOne, meanwhile, has had a lot of success in the smartphone space, driven by its Treo platform.
And there have even been hints that Java phones could become a target for viruses. Java has been shielded from viruses so far because of the extremely fragmented nature of Java technology. Each handset almost exists in its own software vacuum, making it impossible for a hacker to write code that could target a wide range of devices. But there are efforts from vendors and carriers, most notably Vodafone and Nokia, for greater uniformity in Java across mobile devices. While such uniformity would allow for much more functionality in Java-based phones, hackers could use that same uniformity to write malicious viruses targeting a much broader range of handsets.
Last month, both Nokia and Symbian announced they have revamped the latest releases of their software to target mass-market phones. Conscious about the security implications of such a move, both companies built new security measures into their platforms that basically prohibit unsigned and uncertified applications from accessing the more sensitive components of the handset. But Series 60 Version 3 is intended to bring the smartphone down to the sub-$200 range, potentially making the majority of workaday handsets eligible for an OS. That could mean hundreds of millions of smartphones in the market in just a few years — just the penetration level hackers are waiting for.
One consolation for U.S. carriers is that almost all of the virus attacks so far have been confined to Europe and Asia. Even the relatively widespread Cabir and Skulls, while appearing from Finland to Russia to China, never made it onto a North American phone. Part of the reason is the low penetration of the Symbian OS among domestic carriers. But it only takes one jet-setting executive — with a roaming GSM phone and a wide-open Bluetooth port — on a plane heading over the Atlantic. In February, Cabir finally made that journey, popping up in a Symbian handset in Santa Monica, Calif. Cabir is now — as virus experts say — “in the wild” in the U.S.
© 2008 Penton Media Inc.













