Mobile phone and PDA users have more than two years to get ready for a quick-spreading worm, security research analysts said Tuesday as they poked holes in anti-virus vendors' hype about the immediate need for defenses.

"Anti-virus vendors see huge potential profits in selling security to billions of cell phone and PDA users," said John Pescatore, vice president and research fellow with Gartner. "In particular, the anti-virus industry sees cell phones as the way to grow sales outside of a flat, commoditized PC market."

Client-side anti-virus software meant for cell phones and PDAs "certainly work," said Pescatore. "They've got the products, but they're not selling them."

In part that's because the threat of a fast-spreading malicious worm or virus has been overblown by security vendors. In fact, the conditions for a real threat -- one that has the ability to infect more than 30 percent of mobile devices used in the enterprise -- simply don't exist.

And won't until the end of 2007.

The three factors that must exist before a Slammer- or MSBlast-style attack hits mobile devices, said Pescatore, are the large-scale adoption of smart phones, ubiquitous uses of wireless messaging to exchange executable files (as opposed to non-executables of today, like photos and ring tones), and the convergence of operating systems to the point where one enjoys a majority share of the market.

Those three conditions won't co-exist until around the end of 2007, said Pescatore and John Girard, another analyst at Gartner, who with Pescatore, authored a recently-published research note.

"There will have to be much better interoperability between mobile devices before a wide attack is possible," said Girard.

Both Girard and Pescatore believe that end-point security solutions for smart phones, cell phones, and PDAs are a waste of time. "Smart phone or PDA anti-virus approaches that rely on device software will always fail to block the most damaging viruses," the pair wrote.

Instead, said Pescatore, businesses need to ask their mobile carriers what they're planning on doing to block worms and viruses at the network level. "By the end of 2006, all wireless service providers should be required to offer over-the-air mobile malware protection," he added.

The one monkey with a wrench, said Pescatore, would be an attack based on a carrier's own over-the-air provisioning capabilities. Newer phone operating systems let carriers do automatic updating using OTA.

"If the OTA path is vulnerable, attackers would not need to use viruses or worms to spread malware, because they could install it directly," Pescatore and Girard wrote in their report.

"It would be like if someone hacked into Comcast," said Pescatore, "or Microsoft's Update service, and used the ISP or an update to install files, either automatically or by pretending to be from the ISP."

Pescatore doesn't discount that possibility. A 13-year veteran of phone giant GTE before joining Gartner, Pescatore said "hackers were like termites in the system even then, and those were 'dumb' phones."