Today, cellphone viruses are not regarded as a big deal. But if you think your phone will always be safe… think again. You might be carrying a virus around in your pocket.
A professor made the comment, during one of his lectures, that technology has changed to such an extent that a couple of years ago we would buy a cellphone with added features as a bonus. Today, we buy the features with the phone capabilities being the added-extra. Today’s cellphones are effectively mobile computers that can be used to communicate. Cellphones are becoming a popular avenue for attack because of widespread use and because they are more connected to the outside world than computers (PCs). Cellphone users want to communicate while viruses want to be communicated.
This is a two-part article which provides an overview of mobile viruses. The article aims to create awareness and highlights some potential implications. Part One discusses a couple of misconceptions and outlines the possible avenues of attack. Part Two focuses on the risks you might be exposed to daily and recommends possible tips to mitigate the risks. (To read the second part of this article please visit www.accountancysa.org.za)
The purpose of these articles is to make you aware of mobile viruses in general. They are neither meant to be a technical explanation, nor a comprehensive list of technologies, threats and solutions. If they spark your interest or if you want to know more, run a Google search or visit your handset provider’s website.
This article uses the word ‘virus’ as a general term for ‘malicious software’ (better known as ‘Malware’). Malicious software encompasses various techniques used by hackers, also known as ‘Phreakers’, to obtain unauthorised access to a cellphone and its data. These include worms, Trojan horses, and viruses.
Why the fuss?
The number of mobile viruses increased to approximately 450 different types of malware during the first quarter of 2008 (Lawton 2008). This growth paralleled the growth pattern shown by computer viruses after the first PC virus was released in 1986 (Shih, Lin, Chiang & Shih 2008). This relatively slow growth is in part due to the fact that there have been far fewer smart cellphones than PCs, making desktops much more attractive targets. This has changed, with the number of cellphone users multiplying to an estimated two billion worldwide, thus increasing the attractiveness of cellphones as targets.
Although there is a real danger, few viruses have spread successfully because infecting a phone is not easy. There is a lack of programmers with sufficient knowledge of the operating systems driving cellphones to write effective malware. Many users still use cellphones with limited capabilities. Because most cellphones lack technical sophistication, hackers have fewer ways to deliver attacks.
The biggest barrier is that malicious software can currently only install if a phone user allows it. However, with the launch of new smart cellphones, such as the Apple iPhone and Samsung Omnia, this is expected to change. With smart cellphones becoming less expensive, more people are using devices that feature sophisticated operating systems, offer internet access and web browsers, provide e-mail, instant-messaging and multimedia messaging capabilities, and contain flash memory card readers, synchronisation facilities and short-range Bluetooth. In many cases these devices run dual platform applications such as Facebook, which can be operated via a PC and a mobile WAP browser. These features provide new entry points for attacks.
The risks increase because the users of cellphones have increasingly more access to valuable data. This is compounded by the fact that companies do not always provide the same level of protection for their employees’ mobile devices as is provided for their PCs.
Even the historic barrier of not understanding the underlying operating systems driving cellphones is no longer a problem, because if generic languages such as Java are used to create malicious code, it could affect any device that supports Java, including cellphones.
Tiny invaders: Mobile viruses
Ever since ‘Timofonica’ grabbed headlines as the first cellphone virus, warnings of cellphone viruses have emerged. Interestingly, this first cellphone virus was not a cellphone virus but rather a PC-based virus that sent text messages to cellphones as a side effect. The first true cellphone virus was ‘Cabir’, reported in 2004. Since then, the number of mobile viruses has multiplied to the stage where it could pose one of the newest significant threats to private and corporate security. Table 1 lists a couple of the most well-known mobile viruses and describes their implications.
Myths about cellphone viruses
Cellphone viruses are real. Their impact is real. As with the first computer viruses, most cellphone users do not believe that cellphone viruses pose a significant threat. Several myths exist.
Myth 1. “I did not run the executable file on my phone, so my phone is safe.”
Myth 2. “The computer viruses did not infect the phone, so my phone is safe.”
Myth 3. “I use antivirus software, so the e-mail on my phone is safe.”
Myth 4. “I use a firewall, so the e-mail on my phone is safe.”
Myth 5. “I do not use a smartphone, so my mobile phone is safe.”
Myth 6. “I only browse web pages. I do not download files. So my mobile phone is safe.”
Myth 7. “I only play games on my phone, so my phone is safe.”
(Shih, Lin, Chiang & Shih 2008)
How do they get in? Avenues of attack
Although understanding the myths about cellphone viruses can clear up misunderstandings, users must become familiar with the ways viruses can infect a cellphone and potentially a computer system.
Understanding the avenues of attack is the first step to protecting yourself. There are many features of modern cellphones that provide entry points to attackers.
• Messaging: Malicious software can spread via text (i.e. SMS) and multimedia (i.e. MMS) messages by either (i) arriving with an attachment in the message that is opened or (ii) containing a link to virus hosting sites that download the virus. This also includes e-mails and instant messaging.
• Browsers: With the growth of GPRS, EDGE and 3G with a flat data cost, more users are surfing the web using mobile technology. A user can download a game, wallpaper or application that contains a virus. An example is Warez software stripped of copy protection and placed on the Internet to be downloaded. Users can use software without the limitation and scrutiny for viruses that service providers have imposed in the past. This content could contain malware.
• Wireless capabilities: Hackers have written some types of worms, such as Cabir, that use the phones’ wireless capabilities. These worms spread to phones using the Bluetooth or Wi-Fi functionality, which remains active, searching for another nearby active device onto which the worm can be loaded. This attack succeeds in most cases, due to incorrect configuration of the facility or facilities not being deactivated. This also allows for a crossover attack from a PC, using the wireless facilities.
• USB devices and other removable devices and memory cards: Viruses can be passed between cellphones and computers when files are copied or phones are synchronised. This can also occur when a cellphone is used as a modem. Any PC virus that can attach to a memory device can use a cellphone with memory storage capabilities as a carrier of the virus.
• Open platforms: This is a future threat caused by the fact that companies such as Google have promised to create open cellphone platforms for which customers can use any handset and for which anyone can write applications (Lawton 2008). This would render the phone more vulnerable to attack as these applications would neither be scrutinised, nor pass through the same controls by service providers as traditional proprietary applications.
Currently, messaging, wireless technology and browsing pose the greatest threat and the most viable routes of attack.
Although many of us currently do not regard mobile viruses as a serious problem, it will not be long before the proliferation of malicious software could make protection a must-have. Alternatively, avoid complex features and stick to a simple cellphone.
Lawton, G. 2008. Is it finally time to worry about mobile malware? Computer. May 2008. pp. 12-14.
Leavitt, N. 2005. Mobile phones: The next frontier for hackers? Computer. April 2005. pp. 20-23.
Lemos, R. 2006. A Moving target. PC Magazine. June 2006. p. 124.
Meserve, J. 2005. Is your cell phone at risk? Networkworld. April 2005. pp. 48-50.
Shih, D., Lin, B., Chiang, H. & Shih, M. 2008. Security aspects of mobile phone viruses: a critical survey. Industrial Management & Data Systems. Vol 108(4): 478-494.
Riaan Rudman CA(SA), BBusSc (Hons), PGDA, MBusSc (Finance), MAcc (Computer auditing) (Cum Laude), is a Senior lecturer at Stellenbosch University and Elza Johnson, BAccLLB (Cum Laude), BAcc (Hons), is an Auditor at PriceWaterhouseCoopers.
Table 1: Most well-known mobile viruses
Timofonica spreads among PCs and sends text messages to cell phones as a side-effect.
Cabir.A (other variations exist)
Cabir.A spreads via Bluetooth as an ‘install file’. The user is then asked whether he or she wants to accept the message and install the file. The virus then constantly searches for nearby Bluetooth devices to spread. This results in the battery running down or restricting the Bluetooth functionality, degrading performance.
This Trojan horse sends text messages to a premium rate service. The victim then pays for services not used and these payments are deposited into the attacker’s account.
This application is sold by a legitimate company to parents who want to monitor their children’s phone history and to companies that want to monitor their employees’ phone history.
Skull masquerades as a useful application on a shareware site which claims it can be used to customise a phone’s themes, walls et cetera to entice the user to install it. It disables the phone by making everyday applications, such as file managers, Bluetooth control and web browsers, unusable by changing the binary coding of the applications. It also replaces all application icons with skulls and crossbones. The phone will only be able to make and receive calls.
iPhone firmware 1.1.3 prep
iPhone firmware 1.1.3 prep identifies itself as an important firmware upgrade. It creates connections with other applications such as Erica’s Utilities, a collection of command line utilities and Open Secure Shell, a suite of tools that encrypts and secures the network. The Trojan horse changes the iPhone’s add/remove utility which results in other applications being deleted when the Trojan is deleted.
This Trojan forwards copies of the victim’s multimedia messages to the hacker’s cellphone. It also shows a message, stating that the victim’s cellphone is infected and could be fixed if the victim sends funds to the hacker’s account.
The virus installs itself when a user tries to download a legitimate application as an extra install file. The Trojan then connects to the Internet and downloads the remaining part of the Trojan from the hacker’s web server. It gives the hacker access to phone data, parameters and functionalities. It also gives the hacker the ability to change settings, install other applications et cetera.
This is an executable file that disguises itself with an image file extension. Once the file is opened, it sends the virus to all contacts in the victim’s phonebook or over active Bluetooth or Wi-Fi functionalities. Apart from increasing the phone bill, no malicious content has been reported.
This is a Trojan horse camouflaged as a mobile version of the Metal Gear Solid game. Once downloaded and installed, it disables the virus scanner and installs the Cabir.G worm, which tries to spread another Trojan horse, SEXXXY, using Bluetooth functionalities.
This Trojan contains an application file that hackers have deliberately rendered invalid. When the phone attempts to run the application, it causes a cascading error. The operating system becomes unstable and limits the functionality of the phone to receive calls. Gavno then reboots the phone and reports the same error.
Comm Warrior.A is spread using a phone’s messaging facilities. The virus scans the victim’s phone book and forwards the virus to all numbers on the phone.