Compared to what we know about malware for desktop and server systems, we know almost nothing about malware for smartphones and similar mobile devices. With the growing ubiquity of such devices, they are becoming increasingly popular as attack targets. The ultimate target for an attacker would be to create a smartphone worm that autonomously spreads between devices. In this paper we focus on devices running the Windows Mobile operating system. In particular, we investigate the effort needed to create a smartphone worm for the recent version 5 of Windows Mobile. We measure this effort in work time by a skilled individual using modern tools and software engineering techniques. We found that it takes roughly 600 work hours (14 weeks of full-time work) to come very close to the target. Our work highlights the strengths and weaknesses of Windows Mobile version 5 over the previous version 2003 as well as the general difficulties of attacking ARM-based architectures. The insights from our study can be used to estimate lower bounds of cost-to-break metrics for current and future versions of Windows Mobile.