More than 400 mobile viruses have been documented to date, resulting in tens of thousands of infections worldwide. These numbers may pale in comparison with Win32, but Patrik Runald, Chief Security Advisor at F-Secure, believes they are a wake-up call. "At some point, the criminals now developing PC malware will start focusing on mobile devices," Runald said. "It's not a question of if, but when and how. I'm keeping a close eye on the iPhone -- it may be the tipping point that sets the mobile malware field afire."
That was then
Skeptics have long scoffed at the prospect of mobile malware. Why? The mobile market was too small to represent a worthwhile target. Mobile devices were too diverse and too limited to facilitate large-scale attacks. And mobile devices lacked the connectivity and infection vectors required to propagate malware rapidly, without depending on user interaction. To appreciate these impediments -- and how they're changing -- it's helpful to consider the history of mobile malware.
Palm Liberty was arguably the first, debuting back in August 2000. This trojan posed as a patch to register Nintendo Gameboy emulator shareware but actually deleted all applications from the infected Palm PDA. Liberty failed to spread in the wild because it targeted a very small number of naïve users and immediately rendered any victims inoperable. In fact, Liberty was so unsuccessful that most antivirus companies begin their mobile malware signature lists with Cabir.
Symbian Cabir (the predecessor of 15 variants) was released in June 2004. This worm infects Symbian Series 60 smartphones by sending itself over Bluetooth connections. It requires the victim to open a messaging Inbox file and click Yes when prompted by the installer. Cabir then tries to spread by searching for nearby Bluetooth devices in discoverable mode. Although Cabir infections have been reported in more than 20 countries, most antivirus companies consider it low risk. Why? Cabir targeted a very popular device but propagated far too slowly, infecting just one phone per reboot. For most victims, Cabir's only adverse impact was battery drain.
Sibling Mabir had somewhat better reach, propagating over MMS instead of Bluetooth. Mabir listens for incoming MMS or SMS messages sent to the victim's phone, sending a copy of itself in an MMS response. Mabir overcame Cabir's geographic limitations (i.e., Bluetooth's short range), but still depended on social engineering and explicit user acceptance for activation.
In early 2005, Commwarrior (the predecessor of seven variants) improved on these techniques by searching both for nearby Bluetooth devices and sending itself via MMS to phone numbers in the victim's local address book. Commwarrior also sends randomly named files to avoid immediate user recognition and tries to covers its tracks afterwards. As a result, even though it still required user acceptance to install, Commwarrior was far more successful in propagating. More importantly, it caused financial damage by racking up MMS transmission fees. One operator reported that malware was responsible for 5% of its MMS traffic.
A pair of Pocket PC malware programs emerged around the same time as Cabir. Duts is a small, innocuous virus that runs on an ARM-based WinCE PDA. The user must invoke Duts and accept a threatening prompt ("Dear user, am I allowed to spread?") before the virus can attempt to append itself to all .EXE files in the current directory. Brador is an ARM-based WinCE trojan that copies itself to the Pocket PC's Startup folder, emails the victim's IP address to the author, then listens for incoming remote control commands. However, neither proof-of-concept propagated itself to other mobiles, nor were they installed without active user participation. Mobile virus writers quickly returned their attentions to the OS with the biggest market share: Symbian.
This is now
According to F-Secure's Runald, approximately 98% of mobile malware programs identified to date are designed to run on Symbian. "Series 60 second edition is the primary target," Runald said. "The third edition pretty much kills off malware because of code signing."
Code signing makes it possible for software publishers to digitally sign their work, using credentials issued by a formal certification program like Symbian Signed, Microsoft's Mobile2Market, or RIM's Controlled APIs for BlackBerry. Mobile operating systems have also been upgraded to incorporate access controls that can prevent OS file tampering and sensitive function invocation by unauthorized applications.
Code signing is not a panacea, however. To prevent unsigned application installation, something still needs to check that signature. Often, this task still falls to end users, many of whom willingly accept unsigned software, downloaded from unfamiliar websites. As mobile trojans and worms grew beyond proof of concept, new malware stopped blatantly announcing itself as Cabir and Duts did. Instead, mobile malware has grown increasingly malicious and financially motivated:
- Symbian Skulls is a major family of trojans with 31 variants. Skulls overwrites all of the device's applications with non-functional versions -- except for those required to communicate. Skulls propagates by installing new, improved versions of Cabir. Later variants added Flexispy -- a spyware program called "phones" that locks itself to resist removal and records voice calls and SMS text, relaying that private information to an Internet server.
- Symbian Pbstealer is a trojan that builds upon Cabir's Bluetooth propagation mechanism. To trick users into installing it, Pbstealer poses as a shareware address book compaction utility. Instead, Pbstealer sends a copy of the victim's local address book to the first nearby Bluetooth device that it can find.
- In February 2006, the first J2ME trojan emerged as Redbrowser, a Java applet that masqueraded as a shareware WAP browser that could retrieve Web pages for free. Instead, Redbrowser sent SMS messages to premium numbers in Russia at a cost of $5 apiece.
- In December 2007, the Symbian Beselo worm started to spread itself via Bluetooth and MMS. Beselo is similar to Commwarrior, except that installation files are not identified by the usual .SIS extension. Instead, Beselo files are named with .MP3, .JPG, or .RM extensions, fooling users into opening these phony multimedia files, thereby installing Beselo.
- In February 2008, a new WinCE InfoJack trojan appeared, packed inside legitimate application installer packages like Google Maps, posing as an optional add-on. InfoJack disables Windows Mobile's installation security so that other unsigned applications can be installed without warning. It then sends the victim's serial number, operating system, and other information to a website in China.
- In March 2008, Symbian Series 60 second edition devices were targeted by MultipleDropper, a malicious program that arrives via Bluetooth or MMS, then installs Commwarrior, Beselo, and a new trojan, Kiazha. After sending an SMS to the malware's author, Kiazha attempts to extort $7 (RMB 50) as ransom, to be sent by the user through the Chinese IM network QQ.
Back to the future
These examples demonstrate both roadblocks that have impeded mobile malware to date and several ingredients necessary for mobile malware to flourish in the future.
Symbian in general, and the Symbian Series 60 second edition in particular, remain favorite targets because the target population is large and those older devices harbor exploitable vulnerabilities. Newer Symbian devices, including Series 60 third edition, cannot actually run many of these trojan and worm installers thanks to Symbian OS 9 Platform Security features like Capability Management and Data Caging.
As smartphones grow more sophisticated, however, they are likely to harbor new vulnerabilities that could be exploited by malware. Runald expects the iPhone to draw mobile malware because of its growing popularity and its relatively feature-rich operating system.
"Symbian was a mobile OS from the start," Runald explained. "The iPhone runs a cut-down computer OS. As mobile manufacturers bring out more of these sophisticated devices, they may have vulnerabilities that would let malware be installed without requiring user interaction." The latter is an important distinction, since mobile malware has so far relied on social engineering and user installation.
Runald also noted that there will be an element of prestige involved in hacking the iPhone. To illustrate, consider last summer's rush to "jailbreak" the iPhone -- that is, enabling third-party applications on otherwise operator-locked devices. While "jailbreaking" is NOT malware, unlocked devices will let users install shareware of unknown origin. This creates more opportunities (and thus a far more lucrative market) for malware writers. A similar "jailbreak hack" was recently developed for Symbian Series 60 third edition, which could open the door for a new generation of Symbian trojans.
Symbian has also been a favored target because it is an open platform, with published APIs and readily available SDKs. Clearly, it is important for operating system vendors to harden these open platforms against attack -- and it should be noted that all major mobile OS vendors are moving in that direction. Experience shows, however, that new interfaces are not always fully debugged on first release. Runald believes that early SDK security holes could play a role in future mobile malware -- not just for Symbian but for Windows Mobile, iPhone and (eventually) Android.
Finally, 3G, Wi-Fi, and mobile Web coverage are creating friendlier vectors for malware propagation. Bluetooth is inherently limited because worms need crowds to spread -- for example, the Cabir outbreak reported at a large athletic event in Helsinki in August 2005. Mobile messaging has wider reach, but per-message fees play a role in curbing massive outbreaks over MMS or SMS. On the other hand, Wi-Fi and 3G services can deliver near-continuous and "unlimited" high-speed Internet connectivity. Furthermore, handhelds like the iPhone with GUIs that encourage mobile Web surfing present more opportunities for Web-borne malware to be delivered as Java applets, and so on.
These factors, along with overall growth in smartphone business usage, suggest that mobile malware will eventually morph from background nuisance to noteworthy threat. When will that happen? Only time will tell. Is this your most pressing mobile threat today? No. But given the cost of malware cleanup and mobile workforce dependency on mobile devices, you may want to start thinking about how to protect yourself. In next month's tip, we take a look at past and present mobile malware defenses.
About the author:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in July 2008