Mobile malware – it’s only the start

By | April 27, 2006

The next couple of years will see mobile security rise higher and higher up the security agenda. Initially, mobile malware was specifically aimed at smartphones. Cabir, the first worm for mobile phones, was discovered in June 2004 and threats aimed at smartphones have continued to appear, with several of them based on the source code for Cabir. The threats we’ve seen so far include a virus, worms and several Trojans: in other words, the same types of threat that have plagued PCs during the last 20 years.

So far, most of the threats we have witnessed are fairly basic. Cabir and Lasco, for example, rely on Bluetooth. This limits their ability to propagate, since they can only spread if there is another mobile phone, with Bluetooth enabled, within range.

The mobile threats we’ve seen so far also require user interaction: typically, the user must first agree to receive the file being sent to the phone from another infected device and then agree to run the infected program. It’s clear that the same social engineering techniques used to spread malware via PCs will be used to trick unsuspecting mobile users into running infected code. The Comwar worm uses a variety of enticing subject headers and message texts to fool victims into running the code.

The effects of mobile threats vary. The presence of a worm in a mobile phone’s memory, or the constant scanning for other Bluetooth devices, can make the phone unusable while the worm remains installed. The Skuller Trojan, distributed via download from a variety of mobile sites, deliberately replaces system icons with a skull icon and the service to which it is linked becomes unavailable. The Mosquit Trojan sends SMS messages, without the user’s knowledge, to premium rate numbers coded within the Trojan.

It’s early days but we’ve already seen some interesting developments with mobile malware. Lasco is a combination virus and worm. It infects individual files on the device as well as spreading from device to device. In addition, two versions exist: one infects SIS archive files on Windows 32 platforms and the other infects devices running Symbian OS. That malware authors have so far targeted devices running the Symbian OS is, of course, significant, since Symbian owns around 80 percent of the smartphone market.

In February 2006, Kaspersky Lab detected the RedBrowser Trojan, the first malicious program to infect not only smartphones, but any mobile phone capable of running Java (J2ME) applications. The Trojan spreads in the guise of a program called RedBrowser, which allegedly enables the user to visit WAP sites without using a WAP connection. According to the Trojan’s author, this is made possible by sending and receiving free SMSs. In reality, the Trojan sends SMSs to premium rate numbers, with the mobile user picking up a hefty bill.

So how soon will it be before the ‘proof-of-concept’ trickle turns into a flood? It’s difficult to be sure. There are two issues to consider. First, experience has shown that malware authors target systems that are commonly used. Ownership of smartphones hasn’t yet reached ‘critical mass’, but when it does, they will prove an irresistible target.

Second, it’s clear from developments during the last three years that the computer underground has realised the potential for making money from malicious code in a world where Internet connectivity has become central to business. Today’s threats are largely geared towards making money illegally: through fraud, unwanted advertising (including spam) and extortion. Since smartphones offer users the same capabilities as PCs, they also offer the same ‘rewards’ for the criminal underground.
