Experts Differ on Long-Term Threat of Mobile Phone Viruses
Mosquitoes spread viruses, but it's not just humans who get sick. In the spring of 2004, a Trojan horse version of the mobile phone game Mosquitoes spread a virus to devices running the Symbian operating system's Series 60 interface. According to the anti-virus firm F-Secure, the Trojan was the first recorded mobile malware: a virus targeting mobile phones. A couple of months later came a bigger threat: Cabir.
For the Mosquito Trojan to load, a user must ignore operating system warnings that the identity of the developer is unknown. Then an additional warning comes up, courtesy of the Trojan itself: "This version has been cracked by SODDOM BIN LOADER No rights reserved. Pirate copies are illegal and offenders will have lotz of phun [lots of fun]." Left to run, the Trojan will send messages to one of four premium-rate numbers in Europe. In an FAQ, Symbian noted that the Mosquito manufacturer may have created the virus as an experiment to discourage piracy. The company noted that its "Symbian Signed" program warns of any application that is not validated for the OS with a digital certificate. The fix is simply to uninstall the Trojan.
Malware propagating via Bluetooth is an obvious threat, particularly in sports arenas and other places where a lot of people are apt to be using their phones. Another "breakthrough" in mobile malware came with CommWarrior.
How serious? Depends on who you ask
Most mobile device viruses to date have attacked the Symbian OS, which is primarily used in Europe. Symbian Ltd. itself is based in the United Kingdom, with offices in Japan, Sweden, and India. (The company is jointly owned by six companies, including Nokia, which has a 48 percent share.) Not surprisingly, two anti-virus companies that have long tracked the problem are European: Sophos, which is based in the UK and maintains a sales office in Yokohama; and F-Secure, based in Finland. Spokesmen for the two companies agree that the immediate threat to mobile phone users is minor, but they disagree on the potential severity of the threat tomorrow.
"Today if I have a smartphone, I'm not worried about being infected today or tomorrow," said Travis Witteveen, vice president of North Americas for F-Secure, who is based in Silicon Valley. "The fear is not there. The volume of activity is not there." But, he says, the activity is rising. The details of Cabir were written up in November 2004, "and all of a sudden by the end of January 2005, we have eight different variants" propagating not only by Bluetooth, but also by MMS. "We now have 18 different variants out there of Symbian-based viruses or malware." And that proliferation is a concern for the future, as more sophisticated mobile phone operating systems grow more popular. "We know that this will be a major issue when standard OSs are proliferated in large volumes. There are communities out there that will take advantage of those systems to earn money, to cause damage, to gain fame. It will come. The danger in the future is very high."
Witteveen says that the Symbian OS is a target because it is one of the few mobile operating systems that runs across platforms including Nokia, Sony Ericsson, and Siemens. "Symbian's smartphone operating system already has a very high penetration rate in Europe, with lower level phones running the lower level Symbian OS." As a result, he says, a virus writer targeting Symbian can hit a large number of devices. But while Symbian devices in Europe remain the primary target, mobile malware is starting to appear around the globe. Japan, he says, has been somewhat insulated because of its use of the iMode OS.
An F-Secure white paper declares: "Terror runs on wireless lines: a 10 month chronicle of attacks." But Graham Cluley, senior technology consultant for Sophos, thinks the threat is overstated. He says that the company gets "more calls from journalists writing stories on this subject than we ever have gotten from people who have been infected. At the moment, this seems to be rather a lot of hype. We're not getting reports from our customers around the world of infections. I think it's a distraction from where the real virus problem is, which is on Windows, which is happening every day. I think some vendors are talking up the mobile phone virus because it is sexy and interesting and they get some media coverage. But it's not doing a service to people out there who might be panicking about something which is not that real."
One reason mobile phone viruses aren't infecting the world is that the basic phones most people use aren't sophisticated enough to host a virus. While mobile phone carriers like data services because they bring in additional revenue from the same network infrastructure, even email and MMS don't necessarily require a smartphone. And most mobile phone users still use their devices for their primary purpose: making calls. "There is still quite a leap between an entry level phone, which would be satisfying to the vast majority of customers, and smartphones, which are often bulkier, with much more functionality than you would ever need," Cluley says.
That could change, of course. Conventional wisdom has it that in the United States, at least, customers change mobile phones every 18 months, because carriers will subsidize (or give away) new phones when subscribers renew their service contract. As that happens, subscriber expectations invariably rise. At the high end, cell phones could ultimately become the MP3 players of choice. Long term, people still talk about full convergence: a single device that does voice, email, SMS and MMS messaging, browses the Internet with access to streaming audio and video, and locates you through a global positioning system, not to mention hosting games and handling downloadable ringtones and screensavers. Already, some Nokia phones resemble tiny laptops.
If smartphones become cheap and easy enough to become the standard-issue mobile phone you can't leave behind, won't they collectively act as a giant Petri dish for viruses? Cluley doesn't see it. "In 1999 some of our competitors were predicting an avalanche of mobile phone and PDA viruses: it's just around the corner. It's now been six years since they said that and it hasn't really happened. The majority of viruses today are being written for criminal financial reasons: to steal your credit card and login information, to do identity theft. The guys who are making money that way are having a fantastic time just attacking easy-to-hit Windows computers, many of which haven't been patched, where they have 100,000 other examples of viruses targeting the same platform. They don't even have to do the R&D."
Cluley has been working in the anti-virus field since 1991. Back then, there were only about 400 viruses. Now he sees about 1200 a month. He says that Cabir, like most viruses, is more "a conceptual threat." It consumes processing time and some memory space but doesn't destroy data. "A lot of viruses that travel around today don't aim to wipe your hard drive, because that's too obvious. Instead, a lot of them try to take over your computer in some way. Cabir came out in the middle of 2004. Since then, we have seen other Cabir variants come out, so people got hold of the source code and wrote slightly different versions. We began to see Trojan horses as well, which were placed up on websites, all sent directly to the anti-virus community. Most of these, if they had any spreading mechanism at all, were spreading by Bluetooth, like Cabir does. It finds a compatible platform within 30 feet of itself, then the user has to accept the communication in order to run the application and be infected. None of them has caused many problems. And then we saw a thing called CommWarrior, which can spread not only by Bluetooth, but by MMS."
By contrast, MMS-propagated viruses can spread around the world. But because they go through the carrier, rather than directly from one device to another, they are also more likely to be detected by the carrier, at least if the carrier is looking. "If you're sending a Bluetooth message to someone, the mobile phone operator doesn't get to see it. If it is an MMS message, then in theory at least the mobile phone operator can see your message and could scan it as well," he said. Cluley argues that the related mobile phone annoyance, SMS text spam, is growing scarcer because carriers are doing their job. "A lot of text messages are being sent from regular computers, and that's something the mobile service operators can intercept. They look to see where the spam is coming from and shut down the place that is sending it. They can also do an analysis on the kinds of messages sent. For instance, most spam includes some kind of call to action, such as going to a Web link. So one approach is to follow the trail back. Even if it is a brand new spam campaign and a brand new website, if you know who owns it, you can block it."
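The carrier-side approach Cluley describes (look at where messages originate, pull out the call to action, and follow the link back to a domain that can be blocked) can be sketched as a small triage script. This is an added example, not code from the article or from Sophos; the message records, the "internet_gateway" origin label, the keyword list and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of carrier-side SMS records. Each record carries the
# originating channel ("handset" or "internet_gateway", an assumed label
# for traffic injected from regular computers), the sender id and the body.
SAMPLE_MESSAGES = [
    {"origin": "internet_gateway", "sender": "gw-7781",
     "body": "You WON a prize! Claim now at http://win-prizes.example/claim"},
    {"origin": "internet_gateway", "sender": "gw-7781",
     "body": "Final notice: claim your prize http://win-prizes.example/claim2"},
    {"origin": "internet_gateway", "sender": "gw-7781",
     "body": "Prize expires today: http://promo.win-prizes.example/x"},
    {"origin": "handset", "sender": "+358401234567",
     "body": "Running late, see you at 7"},
    {"origin": "handset", "sender": "+358407654321",
     "body": "Check this out http://news.example/article"},
    {"origin": "internet_gateway", "sender": "gw-2201",
     "body": "Your appointment is tomorrow at 10:00"},
]

URL_RE = re.compile(r"https?://[^\s]+", re.IGNORECASE)
# Assumed call-to-action markers; a production list would be tuned per market.
CALL_TO_ACTION = ("claim", "click", "call now", "reply", "visit", "http")


def extract_domains(body):
    """Return the lower-cased hostnames of every URL found in the body."""
    domains = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            domains.append(host.lower())
    return domains


def registrable_domain(host):
    """Collapse subdomains to the last two labels so a campaign that rotates
    hosts under one registered name is treated as a single unit. This is a
    simplification: real code would consult the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def has_call_to_action(body):
    lower = body.lower()
    return any(keyword in lower for keyword in CALL_TO_ACTION)


def triage(messages, per_sender_threshold=3):
    """Return (suspect_senders, blocked_domains).

    Only computer-originated messages that carry a call to action are
    counted; a gateway sender that exceeds the threshold is a suspect, and
    every registrable domain it linked to goes on the block list."""
    sender_counts = defaultdict(int)
    domain_senders = defaultdict(set)
    for m in messages:
        if m["origin"] != "internet_gateway" or not has_call_to_action(m["body"]):
            continue
        sender_counts[m["sender"]] += 1
        for host in extract_domains(m["body"]):
            domain_senders[registrable_domain(host)].add(m["sender"])
    suspects = {s for s, n in sender_counts.items() if n >= per_sender_threshold}
    blocked = {d for d, senders in domain_senders.items() if senders & suspects}
    return suspects, blocked


if __name__ == "__main__":
    suspects, blocked = triage(SAMPLE_MESSAGES)
    print("suspect senders:", sorted(suspects))
    print("domains to block:", sorted(blocked))
```

The handset-originated message with a link is deliberately left alone: the point of the origin check is that the bulk-sending computers, not individual subscribers, are what the operator shuts down.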
PC spam itself is becoming less profitable, he says. "Mature anti-spam products today can detect over 98 percent of spam and block a lot of it. We've got researchers working round the clock who are developing new techniques to do that. So not only are there now fines and jail sentences for spammers, but spam is just no longer as effective a marketing model as it used to be. Even if they aren't running anti-spam software, people are just automatically pressing the delete button. So while this is not the death of spam, some spammers are now moving into things like spyware and identity theft instead. They can exploit the Internet in other ways to make money."
F-Secure's Witteveen thinks that the profit motive could eventually come to mobile phones, as well. He says that mobile phone malware is where PC viruses were in the 1980s and 1990s. "Today, mostly just vandalism. But we are convinced that just as in the PC world, it will turn into more of a business, with people trying to figure out how to generate revenues. We already have seen a few viruses that dial pay-per-minute numbers on a random basis, for just a few minutes, so the user might not notice it on his monthly bill. There's also a lot of talk right now of how can I use that GSM or smartphone to make financial transactions, rather than pulling out a credit card. Well, the moment phones are able to do financial transactions, malware writers will try to figure out how to make money, as well."
Cluley thinks that most prevention measures will eventually take place at the carrier level. "On mobile systems, most of the anti-spam software is less developed, and not many people have it on their mobile device. But the service providers are aware that spam is becoming a nuisance. Some already are beginning to block it, and are asking their users to tell them about spam they receive so they can investigate it. But I can't imagine that spam on mobile phones is ever going to be as big a problem as it has been on regular computers."
Witteveen, on the other hand, thinks the responsibility for repelling spam will eventually rest with end-users. "You can't avoid it. In the PC world, everyone tried to protect their networks by putting on gateway devices. That works as long as I have a device that protects all my other devices." He likens this scheme to a castle: as long as you don't need to leave, you can just pull up the drawbridge. But consider the Nokia 9210 Communicator, a combination phone and browser, with office applications. "It has wireless LAN as well as GSM and therefore can communicate on a wireless network at a Starbucks, just as easily as it can communicate over the cellular network. So where's the gateway? Cabir propagates with Bluetooth device to device, which means it doesn't matter what my gateway is doing at my cellular provider. That's what we see in the laptop world too. A remote user goes out, puts a CD in his computer, and gets infected, even though his company has spent the $500,000 on the big gateway device to protect those systems."
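The billing pattern Witteveen describes (repeated premium-rate calls kept short enough to hide on a monthly bill, the same revenue model the Mosquito Trojan used with its premium-rate messages) is something a carrier or a billing-monitor app can look for in call detail records. The following is an added example, not code from the article or from F-Secure; the premium-rate prefixes, subscriber ids and call records are constructed for illustration and do not correspond to real numbering plans.

```python
from collections import defaultdict

# Assumed premium-rate prefixes for this example. Real ranges differ by
# country and operator and would come from the carrier's numbering plan.
PREMIUM_PREFIXES = ("+4490", "+3370", "+4919")

# Constructed call detail records: (subscriber, dialed number,
# start time, duration in seconds). Hypothetical data, not real billing.
SAMPLE_CDRS = [
    ("subA", "+358401111111", "2005-03-01T09:12:00", 420),
    ("subA", "+4490123456",   "2005-03-01T02:14:00", 150),
    ("subA", "+4490123456",   "2005-03-03T03:41:00", 170),
    ("subA", "+3370987654",   "2005-03-05T01:05:00", 130),
    ("subA", "+4490123456",   "2005-03-07T04:20:00", 160),
    ("subB", "+358402222222", "2005-03-02T12:00:00", 900),
    ("subB", "+4490555555",   "2005-03-02T13:30:00", 1800),  # one long, deliberate call
    ("subC", "+358403333333", "2005-03-04T18:00:00", 60),
]


def is_premium(number):
    """True if the dialed number falls in an assumed premium-rate range."""
    return number.startswith(PREMIUM_PREFIXES)


def short_premium_calls(cdrs, max_seconds=300):
    """Group premium-rate calls no longer than max_seconds by subscriber.

    Short calls are the interesting ones: a subscriber who knowingly calls
    a premium service tends to stay on the line, while a dialer that wants
    to stay unnoticed hangs up after a few minutes."""
    per_sub = defaultdict(list)
    for sub, number, start, duration in cdrs:
        if is_premium(number) and duration <= max_seconds:
            per_sub[sub].append((number, start, duration))
    return per_sub


def flag_subscribers(cdrs, max_seconds=300, min_calls=3):
    """Return {subscriber: summary} for subscribers whose records match the
    'many short premium-rate calls' signature, so the account can be
    reviewed or the subscriber warned before the bill arrives."""
    flagged = {}
    for sub, calls in short_premium_calls(cdrs, max_seconds).items():
        if len(calls) >= min_calls:
            flagged[sub] = {
                "calls": len(calls),
                "numbers": sorted({number for number, _, _ in calls}),
                "total_seconds": sum(duration for _, _, duration in calls),
            }
    return flagged


if __name__ == "__main__":
    for sub, summary in flag_subscribers(SAMPLE_CDRS).items():
        print(sub, summary)
```

Subscriber B's single half-hour premium call is not flagged: the detector is tuned to the pattern of many short calls rather than to premium-rate use as such, which keeps false positives down on legitimate callers.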
Social engineering: the common denominator
Aside from the limited number of Symbian OS-based phones, the factor that has limited damage so far is that mobile viruses still require user approval. "We haven't yet seen one that has been able to spread and infect itself without user interaction," says Witteveen.
Cluley says that viruses aren't "exploiting any vulnerabilities in the Nokia or Symbian operating systems. They are exploiting a vulnerability in people's heads. When people receive a message they don't really understand, they press the wrong button and they accept the communication. Or they see a message with a security warning that you shouldn't load unknown applications. They're asked if they want to continue, and for whatever reason, they click 'yes.'" Cluley says that Bluetooth file exchange is roughly analogous to a conventional email attachment. But whereas most Windows users expect to receive email attachments, "with mobile phones it's a much less usual experience, which might be why mobile viruses have been less successful than traditional viruses."
Witteveen says that the social engineering used by mobile device viruses is a bit different from the PC equivalent. Nobody is clicking on an email pretending to be a love letter. "People are just curious," he said. "They say: 'what the heck is this?' and they accept it." Witteveen said he is surprised by how people will eventually give in, if the application is persistent enough. "We interviewed one guy who said he kept saying 'no' many times, but eventually just said 'yes' to get rid of the message."
In other words, smartphones will require smarter users. PC users have learned not to open every email attachment and take care when downloading applications from unknown sources. Mobile phone users will need to learn the same. Of the three propagation methods to date, Trojan horses are the most preventable. If you don't try to get something for nothing, you will almost certainly be safe. Bluetooth propagation is more problematic, but the obvious precaution of not accepting transmissions from unknown parties will work. MMS messages are the most tempting because they appear to come from people you know. An obvious fix would be for carriers to better scrutinize MMS-based applications.
And ultimately, this will be a problem carriers will need to solve: whether by adding anti-virus software to the phones they resell, better monitoring of MMS messages, educating their subscribers, or some combination thereof. The solution will need to be transparent because the phone is already the universal device. (In Japan, one seems to be approaching the day when kids will be issued a mobile phone number at birth. We in the United States are further behind, but, as with SMS messaging, we are catching up.) So if a cell phone is to be found in every pocket or purse, the solution will need to be just as universal: so easy to implement that even an adult can figure it out.
Sidebar: A Brief History of Mobile Malware
Mobile viruses have roughly followed the path of PC viruses. The first attacks are simple, functioning mostly as a proof-of-concept. Later work appears to use the same code with minor variations. The following timeline is based on information collected by F-Secure, including F-Secure's entertaining, if slightly terrifying, blog: "News from the Lab":
f-secure.com/weblog
2004
- Spring: The Mosquitoes Trojan appears, possibly the first mobile device virus.
- June: Cabir.A becomes the first mobile phone virus to spread via Bluetooth. One day later, Cabir.B starts spreading, primarily in Asia, Turkey, and Finland.
- July: Duts becomes the first known virus to attack Pocket PC devices. Duts is 1520 bytes long, written in assembly for the ARM processor. Infected programs ask the user's permission to spread before infecting other programs. Another Pocket PC virus, Brador, appears the following month.
- November: Skulls.A, a Trojan, appears on shareware websites, hiding behind files named "Extended Theme Manager" and "Timer Room." Once installed, the Trojan blocks the functioning of smartphone applications, allowing the user only to make or receive phone calls. Skulls are substituted for the usual icons. Removal is difficult, sometimes resulting in the loss of all user data. Skulls.B follows 10 days later.
- December: New versions of Cabir appear, through Cabir.I. So does a Trojan version of the game "Metal Gear Solid," installing versions of Cabir and Skulls.
2005
- January: Lasco.A replicates the behavior of Cabir, while also replicating by inserting itself into other SIS files found on the device.
- February: The Locknut.A Trojan (also known as "Gavino.A and B") targets the Symbian 7.0 OS, with effects that resemble Skulls.
- March: CommWarrior.A propagates using Bluetooth by day and MMS by night; the latter are more likely to be opened because they look as if they were intentionally sent by a friend or colleague. Meanwhile, Locknut.B causes Symbian to crash. It pretends to be a patch for Symbian Series 60 phones.
- April: Frontal.A, a SIS file Trojan, installs a corrupted font file that causes the device to fail at the next reboot. Damage is serious.
- May: Skulls.K replaces the system applications with non-functional versions, drops the Cabir.M worm onto the phone, and disables some anti-virus applications.
- July: OneHop.A disables most applications so that when one is opened, the device reboots. Both OneHop.A and a similar Trojan, Booton.A, were sent directly to F-Secure.
- August: Creative Technology reports it has accidentally shipped almost 4000 MP3 players with a Windows virus, as happened in Japan with the 5GB Zen Neeons players. Meanwhile, reports surface of the Cabir virus spreading at a sports event in Helsinki. And a new Trojan, Blankfont.A, deletes the system font after a reboot.
- September: Cardblock.A becomes the first Trojan known to attack MMC cards, locking their contents. Cardtrap.A tries to infect PCs if the phone memory card is connected.