"More and more people are beginning to use mobile devices for everyday things," Mobile Malware Researchers Association (MARA) member Jonathan Read said in an e-mail exchange Tuesday. "PDAs used to be very expensive and beyond the average person's reach. These days the prices have dropped dramatically along with huge advances in technology."
Read, a New Zealand-based CISSP and product manager of mobile security firm Airscanner Corp. in Dallas, believes it's only a matter of time before malware writers start targeting these platforms with more zeal. "I would say sooner rather than later," he said.
Experts say Crossover and RedBrowser use new tricks to spread, showing how the digital underground could theoretically launch widespread attacks that would simultaneously hit desktops and mobile devices.
"Two years ago we were saying that nerds were playing around, showing what they could do," said Joe Telafici, director of operations for AVERT Labs, part of Santa Clara, Calif.-based McAfee Inc. "The latest malcode shows them working on ways to make money by finding new attack vectors. [RedBrowser's] use of Java is an approach we haven't seen with other mobile phone worms. This is potentially something that can be tweaked to target a lot of mobile phones."
In the end, he said, the underground's goal is to have an attack that affects the most people through phones, desktops and other machines -- attacks where enough personal data can be stolen to make the bad guys a lot of money.
A tale of two Trojans
According to Read, MARA received a sample of Crossover from an anonymous source five days before the group went public with it. "We wanted to make certain that it was not a hoax," he said. In the end, the group determined Crossover worked as advertised. "At least four of us at MARA tested it on our own Pocket PCs."
After close inspection, the group concluded Crossover most resembles a Trojan. "A virus infects files, which this does not do. It creates its own files," Read said. "The way it crosses over could be seen by some as a worm-like feature but it does not spread any further like a worm."
A detailed analysis posted on the MARA Web site labeled the malcode Crossover because it is designed to spread from a desktop machine to a Pocket PC device, namely a handheld capable of running Microsoft Office and Outlook applications, and serve as a wireless phone.
"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," MARA said in the analysis, which offers a step-by-step outline of how the Trojan operates.
Meanwhile, several AV firms have analyzed the RedBrowser Trojan and found that it's designed to infect not just smart phones, but any mobile phone capable of running Java applications.
"The Trojan spreads in the guise of a program called 'RedBrowser,' which allegedly enables the user to visit [Wireless Application Protocol] sites without using a WAP connection," Russian AV firm Kaspersky Lab said in an analysis e-mailed to SearchSecurity.com. "According to the Trojan's author, this is made possible by sending and receiving free [Short Message Service]. In actual fact, the Trojan only sends SMSes to premium rate numbers. The user is charged $5 to $6 per SMS."
Kaspersky said the Trojan is a Java application. The file may be called "redbrowser.jar" and is 54,482 bytes in size. The Trojan can be downloaded to a victim's handset either via the Internet, through Bluetooth or a personal computer. It targets subscribers of Beeline, MTS and Megafon, Russia's major mobile service providers, the firm said.
"The two pieces of malware won't be widespread," said Shane Coursen, senior technical consultant for Kaspersky Lab. "But proof of concept malware can be dangerous in a different way. It puts out the idea that this kind of malware is worth exploring. More mobile malware may be created as a result."
Prepare for what's ahead
While both Trojans are proof-of-concept samples that aren't spreading in the wild, experts say the characteristics are worrisome. Real attacks may be around the corner, and they said IT professionals need to start planning.
As it stands now, experts say enterprises are not ready to deal with the threat.
"Most organizations are at an early stage of awareness regarding mobile threats," Telafici said. "Everyone's walking into the office with cell phones and PDAs that may or may not be company-owned. [IT professionals] need to start thinking about what their policy is for those kinds of devices and explore the kinds of tools available to enforce those policies."
Read agreed: "IT professionals need to become aware of the security implications that mobile devices pose," he said. "In cases such as crossover malware, it is essential that the employees at an organization do not compromise the company's security by taking a device home and syncing it on a less secure computer."
A company may have the most stringent security on the planet, but if an employee takes a device home and his or her home PC is infected, the device will also become infected, Read said, adding, "It's time to realize that [mobile] devices need AV software and proper firewalls."