2006-08-01
Abstract
Should we be worrying about mobile phone threats? Tomer Honen and Alexey Lyashko look at the risks.
Copyright © 2006 Virus Bulletin
Not so long ago our parents were telling us not to sit too close to the television set. Today, kids are watching music videos on their cell phones, with their eyes two inches away from the screen. When we were kids, we sent notes to each other in class and risked being thrown out of the lesson if caught. Today, children send each other SMS messages and no one's the wiser.
Many of us are concerned about our health and our privacy, yet we carry around devices that expose us to radiation (some say harmful, some say mundane) and which allow third parties to triangulate our position in the world and listen remotely to everything we say – yes, even if the phone is turned off.
Only a few years ago, mobile phones were just what their name implied – phones that could be carried around and which could receive calls anywhere, even while the user was away from home (they also looked like and weighed as much as miniature freezers, but that's beside the point).
Today, many of these devices incorporate a stills camera, a camcorder and a satellite navigation system, and can run games and other utilities – one application can even handle phone calls [1]! Many of today's mobile phones use a complex operating system capable of accomplishing various tasks; in fact, some mobile devices are primarily PDAs (Personal Digital Assistants). The ability to handle phone calls is merely a secondary feature.
The Symbian operating system is to mobile phones what Windows is to PCs. It is one of the most common operating systems for these platforms and as such it enjoys a wide variety of commercial and free open-source applications that are developed daily. This popularity, however, does not come without its share of problems, namely viruses. Since a virus writer's goal is to infect as many targets as possible, the Symbian OS is the most obvious mobile platform for virus development.
While the current number of viruses developed for this platform is far from staggering – a little over 220 in all (compared to tens of thousands of viruses targeting PCs) – one must bear in mind that the technology is still young and the more advanced mobile phones are still quite expensive. However, experts predict that the coming years will see a substantial increase in mobile phone sales. According to Gartner, during the first quarter of 2006 an astounding total of 224 million units were sold around the world, an increase of 23.8% from the same period last year. Based on their predictions, close to a billion units will be sold by the end of this year!
At the present time there is little innovation among the threats targeting mobile phones. Of the 220-odd viruses out there, only a few are completely original. The rest simply keep reusing and recompiling the same code over and over again.
The first viruses of this kind used Bluetooth as their main method of propagation. While the technology offered a quick and relatively anonymous way of transmitting viruses to others, it relied on these users being moderately close to one another – usually up to 10 metres (providing there were no obstacles along the way).
While Bluetooth is still used sporadically by malware, today most threats are downloaded directly from the Internet or sent manually by malicious users. A few threats use MMS (Multimedia Messaging Service), which is similar to email in that it allows users to send out all types of files, not just plain text. In fact, viruses that are capable of sending themselves via MMS enjoy the same advantages as those that spread by email, which means they have the ability to send many copies of themselves to other users, thus propagating constantly. Add to this the fact that most people using MMS-capable devices do not have any anti-virus protection and you have a potential epidemic.
Mobile phones, however, are not completely exposed, as there are a handful of solutions available for these devices. These are similar to desktop-based anti-virus programs. Provided that users keep updating the software's database with the latest mobile phone virus signatures, they will be safe. However, this solution could be problematic for some users.
For one, such applications take up valuable memory. Even PC-based anti-virus solutions can prove cumbersome for some desktop computers. On a mobile phone, where memory is quite limited to begin with, this issue is more obvious. In addition, while many PCs can stay online virtually indefinitely and receive all the updates they require as soon as they are available, mobile devices cannot; maintaining an Internet connection can be expensive. Even if that is not a problem, the level of radiation generated by these devices over long periods of operation may be troubling to some. This makes updating the installed anti-virus solution regularly a chore – and a costly one at that. Users are likely to remain unprotected from new threats for quite a while before a solution is applied.
When dealing with viruses one has to be protected around the clock; in many cases an MMS virus is likely to reach users faster than its remedy simply because it is independent of any user interaction. But why stop there? Any mobile phone capable of connecting to the Internet is exposed to numerous risks other than viruses – such as phishing attacks, spam and even spyware [2].
Will the current generation of mobile phone anti-virus solutions be able to protect users from all of these threats? Highly unlikely.
As mentioned above, despite the fact that there are quite a few types of Symbian malware out there, they can be separated roughly into around five or six families, each using very similar source code (in terms of structure and functions). When a current generation of mobile malware is installed on a victim's mobile device, it starts sending copies of itself to all the contacts it can find. It may also send private information found on the system. Of course, another unwanted effect of the virus is that the user's monthly bill from the cellular service provider may be quite substantial as well.
A good example of more generic, but potentially damaging mobile malware is Comwarrior. This virus targets Symbian OS-based mobile devices and demonstrates all of the above behaviours. It also distributes itself via MMS. In addition, it has Bluetooth spreading capabilities which it uses to infect devices located nearby. It is usually quite a common practice to include two or more types of virus in the same SIS package [3]. Upon execution, one of the dropped viruses will be responsible for distribution via Bluetooth, another via MMS, while the third executes a damaging payload, etc.
There are several proofs of concept that are able to distribute themselves across different platforms. The well-known Crossover virus is able to replicate itself between the Pocket PC and the Windows operating system, for example. Although malware like this has not been met in the wild yet, the door has been opened and it can only be a matter of time before real malware of this kind, not just a 'lab-virus', is released to the world. While the previous example may not specifically affect mobile phones using the Symbian OS, a cross-platform virus is feasible for these devices as well.
It all comes down to a popularity contest of sorts. As soon as mobile phones become more common (one billion units a year sounds about right) they will draw the attention of more and more malicious code writers looking for a challenge – or worse, profit.
The full potential of malware targeting mobile devices has not yet been realized – we probably have not even seen the tip of the iceberg. The next threat could create the following scenario: Ed, an employee at a high-tech company, receives an MMS with an attached SIS package while on the way home from work. The text message claims that the file is a critical system update, a freeware game, or anything else that could coax a user to run the application. He can't reject the opportunity to install some free software or a critical update on his system – especially in an age where many users are not aware of such threats (which receive nearly no media attention at all).
Once the program has been installed, Ed sees no difference in the device's behaviour. Meanwhile, however, personal data such as his contact list, organizer records etc. is being collected. This could also include photos taken with the device's camera when Ed, his wife and their kids were on vacation, or work-related documents and SMS messages.
Current generation Symbian threats can already perform some of these actions, so let's take it a step further: when Ed finally gets home, he says 'hi' to the family and then connects to his office PC, since he forgot to answer a few emails. He places his mobile phone on its cradle to synchronize messages with his PC's email applications. This is where things get interesting; the virus detects the connection to Ed's PC and carries out the rest of its payload. It drops several files onto the PC without Ed's knowledge and executes them in the background. Ed's computer can now be infected by spyware, a backdoor trojan or some other malicious program that may eventually find its way to his PC at work.
Although this is a fictional scenario, it is not far-fetched and could actually happen, at least theoretically. Only time will tell. Right now mobile phones are becoming more and more advanced. We are not too far from the day when mobile threats will be as sophisticated as their PC counterparts.
Surprisingly enough, one does not have to look far to find a solution that would protect users against this kind of threat: a suitable solution is already used by ISPs to protect PC users.
Since desktop anti-virus solutions do not provide complete protection against online threats, many corporate networks employ a firewall to block illegal intrusion attempts. Many also install gateway content security solutions that are capable of scanning traffic as it is downloaded, thus complementing both the firewall and the desktop anti-virus and providing a much better chance of avoiding malware altogether.
The first two solutions can usually be installed by experienced users or technicians and both can easily be downloaded from the Internet, sometimes free of charge (albeit with reduced functionality – which should still be enough for many users). However, gateway content security requires a lot of resources. It requires certain specialised equipment, an expensive application and – most importantly – constant supervision by an experienced system administrator. For the average user this is not a reasonable solution.
A desktop-based anti-virus solution is usually the most common, affordable solution. However, the human is the weak link in the chain here as few users actually bother to update their software regularly. Many users would like to know that their systems are protected without the hassle involved with micro-managing the program.
A growing trend among Internet Service Providers (ISPs) helps such users protect themselves better by eliminating the need for constant human interaction. These ISPs provide users with their own gateway-like filtering system that requires no maintenance on the user's part.
Simply put, the system scans content as it is downloaded by the user. Malicious content is blocked before it can cause any harm and the user is informed about the situation by a message displayed in the Internet browser's window. For a small monthly fee users can be certain that they are protected against all Internet-borne threats without being bothered by daily updates, obscure threat alerts and various software issues. Desktop anti-virus solutions can then be used solely for the purpose of scanning CDs, flash drives and other portable media which cannot be scanned by the ISP's gateway filtering. From the user's point of view, this is a simple, yet highly effective solution.
Why not do the same for mobile phones then?
This realization has spurred a new trend among mobile phone service providers – gateway content security for their customers. In a similar manner to the solution described above, the gateway's content security takes place between the Internet and the service provider's network.
While this system complements the device-based solution, the provider's solution offers much more than simply blocking viruses. In fact, why not block phishing, spam, PC malware and spyware altogether? While the latter two threats do not (yet) pose a direct threat to the mobile device itself, they may be transferred to a PC at a later stage and cause much havoc.
Computer history is filled with naysayers, be they those who say that 'there is a world-market for maybe five computers' (Thomas Watson, Chairman of IBM, 1943) or the few individuals who proclaimed there was no way viruses could propagate by email (usually computer virus experts responding to users' fears over the Good Times hoax [4] around 1994).
It is easy to dismiss mobile viruses for so many reasons: the relatively low propagation of the threats and their simplicity from a technical standpoint, the low availability of high-end devices and the seemingly minimal damage current-generation mobile viruses can inflict upon unprotected users. The truth is that similar things were said about computers and computer viruses. There is no such thing as overkill when dealing with malicious content and the old cliché of 'better to be safe than sorry' is always applicable in this case.
When updated regularly, device-based anti-virus solutions provide excellent protection against the few known threats that are currently in the wild (in active propagation). But for all other threats, from those that started circulating before you had a chance to get that latest update to those threats that target your PC, a gateway solution at the service provider's end is, in many cases, as essential as the service itself.
[Symbian threats will be discussed in detail at this year's Virus Bulletin conference (VB2006): Dr Vesselin Bontchev will look at the problems associated with Symbian malware classification, and Robert X Wang will take 'a deep look into Symbian threats'. VB2006 takes place 11–13 October 2006 in Montréal, Canada. The full conference programme, including abstracts for all papers, and online registration can be found at http://www.virusbtn.com/conference/.]
[3] SIS packages are files similar to executable installers on the PC. They have a certain list that instructs them where to extract each and every file located in the package.
[4] Many consider the Good Times (or Goodtimes) virus-warning hoax as a precursor to self-replicating worms that started propagating only a year later. The description of this 'virus' is strangely similar to the Melissa worm and similar threats. More information is available at http://en.wikipedia.org/wiki/Goodtimes_virus.