Is It Finally Time to Worry about Mobile Malware?



Post on 22-Sep-2016

George Lawton

Experts have talked about the dangers of mobile malware since the first Palm Pilot Trojan horse, called Liberty, was reported in 2000, and the first mobile-phone virus, Cabir, was reported in 2004. However, each year, mobile viruses and similar threats have turned out to be a minor concern.

In part, this is because there have been far fewer smart mobile devices than PCs, making desktops much more attractive targets. In addition, mobile devices’ lack of technical sophistication has provided hackers with fewer ways to attack them.

Recent developments, though, have made industry observers pay more attention to mobile malware.

As smart phones get less expensive, more people are using the devices, which run sophisticated operating systems; offer Internet access and Web browsers; provide e-mail, instant-messaging, and multimedia-messaging capabilities; and contain flash-memory-card readers and short-range Bluetooth radios. These features provide entryways for hackers to install malware or for users to run it inadvertently on a device.

In addition, businesses are increasingly using wireless devices for important tasks, meaning they contain more valuable data that hackers might want to access via malware. Hackers could also use the devices to log into back-end corporate data systems with the owners’ authorization credentials.

Security experts are also concerned about the increasing number of open mobile platforms planned by service providers. Customers could use the software and device of their choice on these networks without the limitations and scrutiny that providers have imposed in the past. Security experts fear the openness would make the platforms more vulnerable to hackers and malware.

Researchers are working on ways to combat mobile threats because in a few years, smart phones might represent the majority of the world’s computers. And many of the users won’t realize the need for computer-level security.

In a November 2006 Web poll of corporate IT administrators by security vendor Sophos, 81 percent of respondents expressed concern that malware and spyware that target mobile devices will become a significant threat. However, 64 percent said they have nothing in place to secure their smart phones and PDAs.

DRIVING FORCES

In addition to Liberty and Cabir, other prominent mobile malware has included 2004’s Skulls Trojan, 2005’s Commwarrior worm, and 2006’s RedBrowser Trojan.

In general, mobile malware has caused harm by disabling phones or increasing victims’ phone bills by automatically sending expensive text or multimedia messages or making long-distance calls. In response, security vendors such as F-Secure, Kaspersky Lab, McAfee, and Symantec have released mobile antivirus, firewall, and encryption products.

As of March 2008, F-Secure had counted 401 different types of mobile malware in the wild, and McAfee had counted 457, as Figure 1 shows. These are far fewer than the 640,000 malware threats to Windows-based PCs that F-Secure identified as of March 2008.

The number of different types of mobile malware has not increased significantly recently because Symbian, which has 70 percent of the mobile operating system market, improved security in its most recent OS version via more robust application signing, said Patrick Runald, F-Secure’s security response manager.

In application signing, an OS supplier vouches for a program’s security and submits it to a recognized trusted authority. After examining and approving the application, the authority wraps it in a cryptographic package signed with the OS supplier’s private key.

When users of a device that runs the supplier’s operating system want to download the application, the supplier sends them a public key that works with the private key. If the public key opens the application, the user can consider the program safe to run.
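The check described above, as an added example that is not code from the article or from Symbian: in signature terms, the device accepts a package only if the signature over its bytes verifies under a public key the device already trusts. Ed25519, the `SignedPackage` type, and the function names are assumptions made for illustration; the article does not say which algorithm or package format is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a hypothetical container, not a real Symbian format.
type SignedPackage struct {
	Payload   []byte // application bytes
	Signature []byte // authority's signature over SHA-256(Payload)
}

var ErrUntrusted = errors.New("signature does not verify under a trusted key")

// Sign is the authority's step, performed after it approves the application.
func Sign(priv ed25519.PrivateKey, payload []byte) SignedPackage {
	d := sha256.Sum256(payload)
	return SignedPackage{Payload: payload, Signature: ed25519.Sign(priv, d[:])}
}

// VerifyBeforeInstall is the device's step: recompute the digest and accept
// the package only if a key already in the device's trust store verifies it.
func VerifyBeforeInstall(trusted []ed25519.PublicKey, p SignedPackage) error {
	d := sha256.Sum256(p.Payload)
	for _, pub := range trusted {
		if ed25519.Verify(pub, d[:], p.Signature) {
			return nil
		}
	}
	return ErrUntrusted
}

// keyFrom derives a deterministic demo key pair from a constructed label.
func keyFrom(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte(label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo: genuine package, package altered after signing, unknown signer.
func Demo() (genuine, altered, foreign error) {
	pub, priv := keyFrom("constructed authority key")
	_, unknown := keyFrom("constructed unknown signer")
	trust := []ed25519.PublicKey{pub}
	good := Sign(priv, []byte("constructed application bytes"))
	bad := SignedPackage{append([]byte("added code "), good.Payload...), good.Signature}
	return VerifyBeforeInstall(trust, good), VerifyBeforeInstall(trust, bad),
		VerifyBeforeInstall(trust, Sign(unknown, good.Payload))
}

func main() { fmt.Println(Demo()) }
```

Only the unmodified package signed by the trusted key is accepted; the altered package and the one from an unknown signer both fail verification.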

PUSHING THE PROBLEM

Several factors are making mobile malware a greater threat. For example, companies don’t always provide the same level of protection for their employees’ mobile devices that they do for PCs, noted Philippe Winthrop, wireless and mobility research director at the Aberdeen Group, a market research firm.

Winthrop said a November 2007 survey of corporate IT personnel found that only 25 percent of companies used antivirus software for mobile devices. He stated, “This is a huge issue. It is naive to believe that mobile devices are impervious to malware. I would not be surprised to see a big announcement of a mobile security breach by the end of this year.”

INDUSTRY TRENDS. Computer, May 2008. Published by the IEEE Computer Society.

More popularity and capabilities

Smart phones’ growing popularity has made mobile devices a more attractive target for hackers. Worldwide, Canalys estimates that the number of smart phones grew from 9 million in 2003 to 115 million in 2007.

There are many more phones without all the features of smart phones but that still have browsers, which makes them vulnerable to malware, noted Jan Volzke, global marketing head at McAfee’s Mobile Security Unit.

Bluetooth. Hackers have written some types of mobile worms, such as Cabir, to take advantage of many phones’ Bluetooth capabilities. These worms spread to phones in which the Bluetooth function is activated and that are within the technology’s transmission range of 10 meters.

In these attacks, F-Secure’s Runald noted, the potential victims get continuous messages about downloading a file from another Bluetooth-enabled device, even if they click “no” in response each time. Some accept the file just to stop the messages, unaware that they are downloading malware, he said.

Volzke noted that Bluetooth-hacking software is one of the Internet’s five best-selling types of malware toolkits.

Wi-Fi. Some service providers use malware firewalls to screen content coming over their cellular networks for mobile viruses, Runald said. However, he added, content that reaches phones over Wi-Fi travels over Wi-Fi networks rather than the cellular network and thereby avoids providers’ checks.

Messaging. Text and media messages can come with links to virus-hosting sites. Once installed, malware could make compromised phones send messages to phone numbers in contact lists, fooling future recipients into believing the information is safe because it was sent by a trusted friend.

Open platforms

Companies such as Google and Verizon Wireless have promised to create open mobile-phone platforms on which customers can use any handset they want and for which anyone can write applications.

The systems would be more vulnerable to malware because they would allow applications and devices that have not had the same scrutiny and control by service providers as in the past, noted David Wood, Symbian’s executive vice president of research.

RECENT ATTACKS

Typically, hackers use social-engineering exploits—in which they trick victims into installing applications—to spread mobile malware.

Malware such as RedBrowser has caused problems for victims principally by automatically sending out expensive text or multimedia messages, or by making long-distance phone calls. Viruses like Skulls have disabled phones.

Some—such as Cardtrp.A for Symbian devices and MSIL/Xrove.A for Windows Mobile devices—do nothing to the phone itself but instead infect PCs when they synchronize with the handsets.

Apple iPhone

Hackers created a Trojan horse, called iPhone firmware 1.1.3 prep, for the iPhone that identified itself to users as an important firmware upgrade.

When a user installed the Trojan, it created connections to other applications such as Erica’s Utilities, a collection of command-line utilities; and OpenSSH (Open Secure Shell), a suite of tools that encrypt and thereby help secure network connections. The malware changed the device’s add/remove utility so that deleting the Trojan also removed the other applications.

ISPs disconnected websites hosting the malicious package soon after it was discovered.

Figure 1. The number of types of mobile malware has increased steadily during the past four years, according to security vendor McAfee. [Chart: types of mobile malware, 0 to 500, plotted quarterly from June 2004 to January 2008. Source: McAfee]

Editor: Lee Garber, Computer: l.garber@computer

Trojans hit Chinese users

Several mobile Trojans have been identified in China, where many phones don’t run the newer, more secure version of the Symbian OS, noted Symbian’s Wood.

A Symbian-based Trojan called Kiazha.A forwards copies of a phone’s multimedia messages to a hacker’s phone. It also displays messages informing victims that they have been infected but can have their phone fixed by sending funds electronically to the hacker’s account.

InfoJack, a recent Windows CE Trojan, installs itself when a user tries to download a legitimate application. Part of InfoJack gets attached as an extra install file with the application. After it is installed and the phone connects to the Internet, the Trojan calls a webserver to download the rest of the malware. The malware can also update itself when changes are available.

InfoJack sends the infected device’s serial number, OS, installed applications, and other information to the hackers’ webserver. This gives the hackers more data about the phone’s characteristics so that they can determine what kind of additional code to install on it. It also changes the device’s starting webpage and alters the phone’s security settings to let the hackers surreptitiously install new applications in the background.

Beselo-A

The Beselo-A worm, which affects phones running older Symbian versions, is an executable that disguises itself by using image-file extensions to convince recipients to click on and activate it. Once infected, victims’ phones automatically send Beselo-A either to people in their contacts directory or to nearby victims via Bluetooth.

There have been no reports of this worm causing direct damage, although virus writers could add malicious payloads to it.
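A defensive check for the disguise described above, as an added example that is not from the article: it flags a file whose name claims an image type but whose leading bytes do not sniff as that type. The function name, verdict strings, file names, and sample bytes are constructed for illustration; `http.DetectContentType` is the Go standard library's content sniffer.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// imageTypes maps image extensions to the content type their bytes should sniff as.
var imageTypes = map[string]string{
	".jpg": "image/jpeg", ".jpeg": "image/jpeg",
	".png": "image/png", ".gif": "image/gif",
}

// Verdict values returned by CheckAttachment.
const (
	NotImageName = "not-image-name" // extension makes no image claim
	Consistent   = "consistent"     // bytes match the claimed image type
	Disguised    = "disguised"      // image extension, non-image content
)

// CheckAttachment compares the type claimed by the file name with the type
// sniffed from the leading bytes (DetectContentType reads at most 512).
func CheckAttachment(name string, data []byte) string {
	want, ok := imageTypes[strings.ToLower(filepath.Ext(name))]
	if !ok {
		return NotImageName
	}
	if http.DetectContentType(data) == want {
		return Consistent
	}
	return Disguised
}

// Constructed samples: a minimal JPEG header and arbitrary binary bytes.
var (
	jpegHead  = []byte{0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00}
	otherHead = []byte{0x10, 0x20, 0x30, 0x01, 0x02, 0x03}
)

func main() {
	fmt.Println(CheckAttachment("holiday.JPG", jpegHead))
	fmt.Println(CheckAttachment("photo.jpg", otherHead))
	fmt.Println(CheckAttachment("notes.txt", otherHead))
}
```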

Buffer overflows

Hackers could use malware to exploit vulnerabilities in mobile operating systems such as those that enable buffer overflows. These occur when applications send more data to a memory buffer than it was designed to hold and the device accepts it anyway. The overflow data spills into other areas and can cause the system to execute harmful code.

Already, noted F-Secure’s Runald, a few buffer-overflow vulnerabilities have been found in Windows Mobile 2003, but hackers haven’t exploited them yet.

Security researchers have also found flaws in the iPhone’s e-mail application and Safari browser that could enable buffer overflows. No one has exploited them in the wild yet.

CORRECTIVE MEASURES

In addition to employing traditional measures such as antivirus software and firewalls, today’s mobile-security systems use improved application signing and other approaches to block some types of mobile malware. These approaches—such as preventing applications from accessing directories of contacts and certain other features on the phone without explicit user permission—make it more difficult for users and hackers to install unapproved applications, including malware.

Symbian improved its interface to let users more easily block messages from Bluetooth devices, thereby reducing the chance they will download malware. In the past, a Bluetooth-enabled phone would keep sending messages to another phone to download a file, no matter how many times the recipient clicked “no” to the request. The new Symbian interface lets the recipient click “no” once to stop the messages.

Meanwhile, users could keep themselves safer from mobile malware by following safe-computing practices, including downloading software only from reputable sources, added Scott Rockfeld, group marketing manager for Microsoft’s Mobile Communications Business.

IT managers should make sure corporate PDAs and mobile phones use available security software and safety measures and limit the access that devices have to networks to minimize the damage hackers can do, according to Aberdeen’s Winthrop.

They should also educate users about mobile-device security, said John Girard, research director at market-research firm Gartner Inc.

The long-range outlook for mobile security is good because mobile OS makers have taken into account security challenges already faced by PCs, according to Symbian’s Wood. For example, Symbian has designed its OS to enable applications to access only specialized sandboxes, minimizing malware’s ability to spread.

Runald predicted that malware will become a bigger problem as mobile devices gain new capabilities. He said, “If we take this threat seriously today, we are in a far better situation to mitigate the problem when it arises.”

If the smart mobile-device industry doesn’t adequately address security, Wood added, users will avoid the technology and stick with simple cell phones.

George Lawton is a freelance technology writer based in San Francisco. Contact him at [email protected].
