
Mobile platform viruses always cause a media stir. For some journalists they represent the new frontier of malware, with the potential to cause the same havoc as PC viruses, while others see them as a hyped threat with no substance in reality.
At the time of writing, there are a total of 319 known pieces of mobile malware, a near tenfold increase on figures from 2004. The clear majority of these target the Symbian platform, for the sole reason that Symbian phones represent the biggest target in smartphone manufacture. As Microsoft's Windows Mobile platform grows, it too will undoubtedly gain the increasing attention of malware authors.
Despite the dramatic increase in mobile malware in two years, the threat level is still considered low by experts and, indeed, by average mobile phone users. Smartphones and PDAs are the principal target, and their percentage in the general population is relatively small. As tools in the corporate workplace, however, they are increasingly commonplace, and the damage malware causes to them is potentially much greater. For this reason alone, it makes sense for operators to invest in data security services that guard against the threat of mobile malware.

Authors and copycats
Symbian malware authors can be divided into two groups: those who create a virus that is at least in part unique and thus gets a new family name, and the copycats who modify existing malware to create new variants. Copycats are more numerous than creators, and the availability of source code creates a window of opportunity for them to build on the original creations. Most mobile malware in the wild consists of variants, while the addition of new mobile virus families has, until now, been a slow-growing phenomenon.
To illustrate the point on variants, there was a recent addition to the Commwarrior family in August: Commwarrior.Q. This new variant of the now infamous mobile virus has all the same functionality as Commwarrior.C and more. Like Commwarrior.C, the Q variant spreads via Bluetooth and MMS messages and infects any memory card inserted into the infected device. Commwarrior.Q is also the first Symbian malware that uses a random SIS installation file size when it replicates, which makes it difficult to filter from MMS traffic. When Commwarrior.Q is installed, it will display an HTML page in the phone's default browser after a random delay.
The original Commwarrior virus is the recognized creation of a Russian virus author going by the name Eldod0r. While his motivation was to create malware that is as difficult to detect as possible, F-Secure Mobile Anti-Virus detects all known variants of his creation. Another notable Symbian malware author goes by the name ValleZ, the author of Cabir.A and Cabir.B, which were the first real cases of Symbian malware. Unlike the two authors mentioned here, most mobile malware authors prefer anonymity. While this is probably a wise policy for any criminal, the fact is that, known or otherwise, most will be able to operate outside the law in their country with little fear of the authorities.
Knowledge is power
Thus far, every other mobile virus appears to be demonstrating that mobile malware is technically possible rather than actively and seriously pursuing criminal gain. In addition, the methods by which mobile malware spreads still require many considered steps from the user before it is installed on a phone, even in the absence of mobile antivirus software. A user targeted by Bluetooth-transmitted mobile malware, for example, also has the possibility of simply walking out of range of the offending device. If, therefore, the user is aware that s/he is being targeted, knowledge by itself is the first defence against getting infected.
Should your phone become infected, the most typical damage ranges from loss of personal data and limitations on the functionality of the phone to a complete collapse of the operating system and the need to reflash the phone's software. Such damage is better termed malicious than profit-oriented, although the loss of a vital business tool is sometimes as expensive to its user as the loss of a wallet.
Only one virus, Redbrowser, the J2ME-based Java MIDlet that sends SMS messages to a specific number, can be seen to be directly motivated by profit. The mechanism by which it does this is nevertheless social engineering, and since the message it carries is in Russian, its spread is limited to Russian-speaking countries.
New tricks
Recently, malware authors have shown a new trick: an SMS spying tool called Acallno.A that runs on Symbian Series 60 Second Edition devices. When Acallno.A is installed on the device, it forwards all incoming and outgoing SMS messages to an external number that is specified within the software's configuration file. Acallno.A thus makes it possible for the individual who installs it to monitor all SMS traffic that the victim sends or receives on the target phone.
When active on the device, Acallno.A hides its process so that it is not visible in the Symbian process list. Acallno.A is tied to the unique IMEI code of the target device, so a purchased copy of Acallno.A can only be installed on one specific device, and the individual who installs the spyware needs to know the IMEI code of the device beforehand.
Senior antivirus researcher Jarno Niemelä points out that despite its capability to spy on a user, this piece of malware can better be considered a technical curiosity rather than a real threat.

What Forrester has to say
Assessing the problems of mobile malware objectively, the research organization Forrester stated in its report 'Mobile Device Security 2006' that addressing mobile security will require more than just technology. This means creating clear, consistent, and enforceable mobile security policies within corporations and organizations, and selecting mobile management and security tools based on risks, not hype. The organisation saw that the first generation of mobile malware has effectively established a beachhead for the next generation of attackers.
Forrester believes that attacks will focus on three areas:
1) disrupting local mobile phone networks using worms;
2) generating revenues by hijacking phones to send unauthorized SMS messages; and
3) stealing information from PDAs.
In future, it seems that the increasing adoption of the mobile platform as a means to transmit business-critical information will undoubtedly tempt mobile malware authors to get serious and make money with their creations. To this end, it seems prudent to create applications that forestall this event, and for organizations like F-Secure to assist the international authorities by forwarding to them any useful information about virus writers and to prevent their growth and proliferation.
Speaking about the present mobile malware situation, Antti Vihavainen, Vice President of Mobile Security at F-Secure said: "The malware situation on the mobile front is far from its equivalent on the PC side. We at F-Secure are nevertheless committed to fighting malware on all platforms and it is a welcome sign from the industry that several mobile operators and companies have already started to prepare for this eventuality in good time."
Author: Mark Woods
