Issue No.04 - April (2005 vol.38)
Published by the IEEE Computer Society
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MC.2005.134
Security experts are finding an increasing number of viruses, worms, and Trojan horses that target cell phones. Experts say it is only a matter of time before this mobile malware causes extensive damage.
Security experts are finding a growing number of viruses, worms, and Trojan horses that target cellular phones. Although none of the new attacks has done extensive damage in the wild, it's only a matter of time before this occurs, noted Aaron Davidson, CEO of SimWorks International, a New Zealand-based antivirus company.
Security researchers' attack simulations have shown that before long, hackers could infect mobile phones with malicious software that deletes personal data or runs up a victim's phone bill by making toll calls. The attacks could also degrade or overload mobile networks, eventually causing them to crash. And they could be even more insidious in the future by stealing financial data, said Davidson.
Smart phones represent a particular risk. They offer Internet connectivity, function like minicomputers, and can download applications or files, some of which could carry malicious code.
Market research firm IDC predicts that by 2008, vendors will sell more than 130 million smart phones, representing 15 percent of all mobile phones. ARC Group, another market research firm, said 27 million smart phones were sold worldwide in 2004, accounting for about 3 percent of the total global handset market.
Mobile-device technology is still relatively new, and vendors have not developed mature security approaches, according to Matias Impivaara, director of mobile security services for antivirus-software vendor F-Secure. "The most worrying scenarios are not coming from stereotypical virus writers such as teenagers but from more organized [criminal groups]."
To counter the growing threat, antivirus companies have stepped up their research and development. In addition, vendors of phones and mobile operating systems are looking for ways to improve security.
Driving the mobile attack
Financial gain is perhaps the principal driving force behind mobile malicious code, said Joshua Wright, deputy director of training for the SANS Institute, a research and education organization that operates the Internet Storm Center early-warning system.
Viruses can let intruders access passwords or corporate data stored on a cell phone. Also, attackers can manipulate a victim's phone to make calls or send messages, a crime called theft of service.
Users are just beginning to make purchases and conduct financial transactions over mobile devices, particularly in Europe and Japan. Many industry observers expect such activity to increase dramatically during the next few years. Even now, some mobile-phone users store their credit card numbers and other financial information in electronic wallet software.
Cell phones are becoming targets largely because they are so widely used, giving attackers millions of potential victims. They also have numerous vulnerabilities. For example, they generally don't ship with antivirus software.
In addition, mobile devices are much more connected to the outside world than PCs. "Phones are primarily used to communicate. They are built to make communication as easy as possible," noted SimWorks' Davidson. "Phone users want to communicate, and viruses want to be communicated."
Some hackers may be discouraged from targeting wireless devices because, to reach a large number of victims, they would have to design separate sets of malicious code for each mobile operating system and each processor platform, said Vanja Svajcer, principal virus researcher for SophosLabs, a global network of virus and spam analysis centers overseen by antivirus company Sophos.
Cell phones use a variety of processor platforms, including those from ARM, Motorola, and Texas Instruments.
The three dominant mobile-device OSs are Symbian, Palm OS, and Windows CE, the last in two versions: Pocket PC Phone Edition and Smartphone Edition. According to Canalys, an industry-analysis research firm, Symbian's market-leading share rose to 53 percent in 2004 from 38 percent in 2003. Thus, Symbian phones have become malware writers' favorite target.
"If a generic language such as Java is used for creating the malicious code, it could affect devices that support Java," noted Impivaara.
New mobile malicious code
Because mobile malware is relatively new, virus writers have released it primarily as proof-of-concept code so far, according to Wright.
F-Secure found the first mobile virus, designed for Palm devices, in 2000. The company estimates hackers released about a dozen mobile viruses between 2001 and 2003. In 2004, security researchers discovered 21, and F-Secure has already identified 10 in the first two months of this year.
Several recent mobile viruses have been particularly noteworthy.
The well-known 29A Eastern European hacker group, which specializes in creating proof-of-concept viruses, sent the first version of the Cabir worm, known as Cabir.A, to a number of antivirus firms.
Cabir runs on smart phones from vendors such as Motorola, Nokia, Panasonic, and Sony Ericsson that support the Nokia-licensed Symbian Series 60 platform.
Cabir can be acquired via a shared infected application or it can replicate via Bluetooth, a short-range, radio-based, wireless connectivity technology. The worm arrives on victims' phones as an .SIS (Symbian installation system) application-installation file.
Target devices display a message asking users if they want to receive a message via Bluetooth and then ask for further confirmation if the application is not digitally signed by an authorized Symbian authority. If the user chooses to receive the file, it installs and then sends itself to other Bluetooth-enabled devices within the technology's 10-meter range.
After infecting a phone, Cabir.A displays the text "Caribe VZ/20a" and Cabir.B displays "Caribe" on the victim's screen. The worm also interferes with a host device's normal Bluetooth system by forcing it to constantly scan for other enabled devices. This reduces a device's battery life and either makes Bluetooth unavailable to legitimate applications or degrades Bluetooth performance, explained Davidson.
A few users of sites that distribute warez—software stripped of copy protection and placed on the Internet for downloading, generally illegally—have reported accessing Cabir-infected applications.
"We recently reported its arrival in Australia and in other countries including China, the Philippines, Singapore, and the United Arab Emirates," Davidson said.
Sophos advises users to protect themselves against Cabir and other Bluetooth-based threats by simply turning off the Bluetooth settings in their phones that let other devices recognize and contact them via the technology.
There have been several Cabir variants. Cabir.H, for example, attaches itself to applications' installation files on a phone. Victims who download and install the application can unknowingly infect their devices with Cabir.
Skulls is a Trojan horse and thus masquerades as a useful application to convince users to install it. Its authors wrote Skulls to appear to be an application that lets users preview, select, and remove design themes for their phone screens.
Hackers deliberately—and file sharers inadvertently—uploaded Skulls to several shareware sites, from which unsuspecting users have downloaded the application.
Skulls targets the Nokia 7610 phone, although some other Symbian Series 60 phones can also install it.
According to SophosLabs' Svajcer, Skulls makes the original Symbian binaries for everyday functions—such as file management, Bluetooth control, messaging, Web browsing, and application installation and removal—useless by replacing them with nonfunctional binaries. The phones can then only make and receive calls.
Because Skulls disables Symbian applications, only phones with third-party file managers can remove the Trojan. Those using Symbian's file manager must perform a hard reset, thereby erasing all stored data. Skulls also replaces each application icon with a skull and crossbones.
Each of several Skulls variants and hybrids has a slightly different effect. For example, Skulls.D—posted to several Web discussion forums and warez sites—pretends to be a Macromedia Flash player for Symbian Series 60 devices. The variant replaces system binaries related to application uninstall and Bluetooth control with nonfunctional binaries, installs the Cabir.M worm, and disables antivirus programs and third-party file managers.
Mquito is a cracked version of the popular Mosquito game, with its copy protection removed. Once the game is installed on a Symbian Series 60 device, it surreptitiously sends unauthorized SMS text messages to high-cost toll phone numbers in Germany, Holland, Switzerland, and the UK.
According to Vincent Weafer, senior director of Symantec Security Response, game-maker Ojom reportedly added Mosquito's hidden SMS functionality deliberately, as a copy-protection technique. He said that Ojom, which declined to comment for this article, wanted the program to send an SMS message alerting the company if someone was using an unlicensed copy.
"The Symbian OS provides the functionality required for any application to send and receive SMS messages with or without user intervention," said Symbian spokesperson Peter Bancroft.
Current versions of the game no longer have the hidden SMS functionality, but cracked versions with the capability are still available online for downloading.
Windows CE virus
The 29A hacker group has written the first proof-of-concept virus for Microsoft's mobile operating system.
Razcan Stoica, spokesperson for BitDefender, a Romanian security company, said the WinCE.Duts.A virus sends recipients a message asking for permission to download.
When granted permission, the virus tries to infect all executable files bigger than 4,096 bytes. During the infection process, the virus appends itself to a file. If a victim tries to run an infected file, the virus will function but the application won't. The virus then attempts to spread, looking for new files to infect.
"When files are exchanged between devices, the virus spreads along with them," said Stoica. "Being a proof-of-concept virus, it has no payload. However, it could be easily adapted."
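The infection technique described above, appending the virus body to existing executables, leaves a signature that is easy to check for. As an added example (not from the article and not the 29A code), the following Python checks a Windows CE executable for data appended past the end of its last section. Windows CE binaries use the PE format, so the check walks the section table and compares the declared end of the image with the file size; bytes beyond that point are an "overlay". The minimal PE image and the payload bytes are constructed inline for the demonstration. Legitimate files can also carry an overlay (an Authenticode signature block, for instance), so a non-empty overlay is a lead to inspect, not proof of infection.

```python
"""Detect data appended past the last PE section (an 'overlay')."""
import struct


def build_minimal_pe(section_data: bytes = b"\xc3" * 16) -> bytes:
    """Construct a tiny PE32 image with one section (constructed sample)."""
    # DOS header: 'MZ' magic, e_lfanew at offset 0x3c pointing at "PE\0\0".
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    # COFF file header: Machine (0x01c0 = ARM, as on Windows CE devices),
    # NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics.
    opt_size = 224  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x01C0, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    headers_len = 64 + 4 + 20 + opt_size + 40  # one section header
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF    # file alignment: 512 bytes
    raw_size = (len(section_data) + 0x1FF) & ~0x1FF
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics.
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                      raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    image += b"\0" * (raw_ptr - len(image))
    image += section_data.ljust(raw_size, b"\0")
    return bytes(image)


def pe_overlay(image: bytes) -> tuple[int, int]:
    """Return (declared_end, overlay_length) for a PE image.

    declared_end is the largest offset covered by the headers or by any
    section's raw data; everything after it is the overlay. Raises
    ValueError if the buffer is not a PE file.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", image, coff_off + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff_off + 16)
    sec_off = coff_off + 20 + opt_size
    declared_end = sec_off + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each entry.
        raw_size, raw_ptr = struct.unpack_from("<II", image,
                                               sec_off + 40 * i + 16)
        declared_end = max(declared_end, raw_ptr + raw_size)
    return declared_end, len(image) - declared_end


def appended_payload(image: bytes) -> bytes:
    """Return the overlay bytes, or b'' when the file ends with its last section."""
    end, length = pe_overlay(image)
    return image[end:] if length > 0 else b""


def is_candidate_host(image: bytes, min_size: int = 4096) -> bool:
    """Mirror the size filter described for Duts: hosts larger than 4,096 bytes."""
    return len(image) > min_size


if __name__ == "__main__":
    clean = build_minimal_pe()
    tainted = clean + b"CONSTRUCTED-PAYLOAD"  # model of an appending infector
    for name, sample in (("clean", clean), ("tainted", tainted)):
        end, extra = pe_overlay(sample)
        print(f"{name}: size={len(sample)} declared_end={end} overlay={extra}")
```

Run against real files, the same function works on any PE: read the file, call pe_overlay, and treat a non-zero overlay on a file that is not Authenticode-signed as worth a closer look. The size filter only reproduces the target selection the article attributes to Duts; it is not a detection criterion on its own.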
Metal Gear is a Trojan camouflaged as a mobile version of the Metal Gear Solid video game. To get infected with the Trojan, users must open and install the fake Metal Gear game.
According to SimWorks' Davidson, designers often port PC games to mobile platforms, so Metal Gear fans might believe the Trojan actually is a mobile version of the game.
The Metal Gear Trojan disables antivirus programs and installs the Cabir.G worm, which tries to spread a second Trojan program, SEXXXY, to nearby phones via Bluetooth.
"Users will have difficulty repairing their phones because the Metal Gear Trojan effectively disables all tools on the phone necessary to undo the damage," said Davidson.
Lasco.A, a proof-of-concept program, uses Bluetooth to infect mobile phones running on the Symbian Series 60 platform. Lasco can create its own .SIS installer file, which lets the application load itself onto other Bluetooth-enabled devices within range. It can also insert itself into other .SIS files and thereby spread during file sharing. According to the SANS Institute's Wright, Lasco is the first mobile malware that can use both methods to infect devices, thereby increasing its ability to spread.
Once installed, Lasco changes a phone's file directory to include the appended file. It also sets up the .SIS file to tell the target phone's application manager to run Lasco during installation.
The file arrives in the phone's messaging inbox and asks, "Install Velasco?" If the user gives permission, the worm activates and looks for new devices to infect.
Gavno, a Trojan reported to SimWorks but not yet found in the wild, contains an application file that hackers have deliberately rendered invalid by, for example, removing critical data. When the Symbian OS tries to use it as the type of file it is supposed to be, problems arise that cause a series of cascading errors in Nokia 6600 and 6630 phones.
The errors cause the OS to become unstable, limiting infected phones to receiving calls. Gavno then makes the phone reboot, which produces similar errors.
One of two variants, Gavno.B, includes a Cabir version.
SimWorks' Davidson predicted that mobile malware will become more sophisticated as virus writers gain more experience and hackers publish the source code for various viruses, worms, and Trojans. The "Potential Future Attack Approaches" sidebar provides more information.
However, Wright said, device vendors and service providers will also increasingly provide better antivirus and other security applications for cell phones, as the "Response and Prevention" sidebar explains.
John Girard, vice president and research director of security for Gartner, a market research company, said, "Antispyware and antivirus functionality will help mobile users be more resistant, but like in the PC world, there will always be hackers who want to rise to the challenge. Mobile device users will have to learn to be more vigilant to ensure that their data and communications stay secure."
Neal Leavitt is president of Leavitt Communications, an international marketing communications company based in Fallbrook, California. He writes frequently on technology-related topics. Contact him at neal@leavcom