Is mobile malware proliferating?
Instances of previous attacks launched by malware against mobile handheld devices are discussed below. They are intended to illustrate the ways in which malware has manifested itself in the past and to give insight into the potential security risks involved.
Fraud – The copy protection feature of a game developed for Symbian smartphones offered an early example of how subscriber fraud could be perpetrated through cell phone calling charges. In this case the malicious behaviour was built into the game itself and spread with it, disguised as a copy protection feature.
If the game was obtained from a different region than the phone service, an SMS message was sent to a premium rate number before the game would be unlocked. The ill-fated arrangement affected subscribers who bought legitimate copies of the game outside the service area, as well as those with copies obtained illicitly, and was eventually removed. However, copies remained and continued to spread.
Mobile malware strains such as the Java MIDlet Trojans Wesber-A and RedBrowser send SMS messages to Russian premium-rate numbers. These Trojans required user acceptance for each message and were only able to send messages from inside Russia; the Viver Trojan family is more advanced because it is subject to neither restriction.
More recently, the Viver Trojan targeted Nokia's Symbian Series 60 platform. It appeared on file-sharing sites for mobile phone content, advertised as a video codec, a photo editor, or another utility, enticing users to download and install it. Once installed, the malware sends SMS messages to premium-rate numbers in Russia to accrue charges.
Denial of Service – Denial of service on Symbian Series 60 (S60) phones was perpetrated by another Trojan (Fontal-A) spread through file sharing.
Once installed, the Trojan causes the phone to fail when it is rebooted. The Trojan also disables the application manager, which prevents any new applications from being installed and existing applications, including itself, from being uninstalled.
A hard reset to reformat the phone and reinitialize its original settings resolves the problem, but at the expense of wiping out all user data. Besides Nokia, Fontal-A also affected phones from other manufacturers employing S60, including models from Samsung, Panasonic, and Siemens.
A different type of denial of service exploit, involving buffer overflow vulnerabilities in MMS implementations, was demonstrated on Windows Mobile devices. Sending a long MMS message with a malware payload appended causes targeted devices to crash: the oversized message overruns a fixed-size buffer when it is copied into memory, corrupting adjacent data and bringing the handset down.
Denial of service attacks may also be targeted at particular features of a handheld device. For example, a battery exhaustion attack maximizes power consumption in various ways, such as repeatedly performing unneeded but valid energy-consuming tasks, to drain the battery prematurely.
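The crash described above is the generic consequence of trusting a length field in an over-the-air message. The C program below is an added illustration, not code from the original post or from the Windows Mobile research it refers to. It uses a constructed toy header format (a single length byte followed by that many bytes of subject text), which is an assumption made for the example and not the real MMS encoding. It places the vulnerable copy into a fixed 64-byte buffer beside a hardened parser that rejects any message whose claimed length exceeds either the bytes actually received or the destination capacity; the `demo_*` functions and `build_message` are helpers written for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy header format (an assumption for this example, not the
 * real OMA/WSP MMS encoding): byte 0 is a length, bytes 1..len are the
 * subject text. The length byte is attacker-controlled, exactly like any
 * length field in a message that arrives over the air. */

#define SUBJECT_MAX 64  /* fixed-size destination buffer */

/* Vulnerable pattern: the code believes the length byte and copies that many
 * bytes into a 64-byte stack buffer. A message whose length byte exceeds 63
 * writes past 'buf' (undefined behaviour: a crash at best). Kept only for
 * contrast; nothing below calls it. */
size_t parse_subject_vulnerable(const uint8_t *msg, size_t msg_len, char *out)
{
    char buf[SUBJECT_MAX];
    size_t len = msg[0];            /* trusted without any bound */
    (void)msg_len;                  /* received size never consulted */
    memcpy(buf, msg + 1, len);      /* overflow when len > 63 */
    buf[len] = '\0';
    strcpy(out, buf);
    return len;
}

/* Hardened version: the untrusted length is checked against both the bytes
 * actually present and the destination capacity. Returns the subject length
 * on success, -1 on any malformed input. */
int parse_subject_safe(const uint8_t *msg, size_t msg_len,
                       char *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < 1 || out_cap == 0)
        return -1;
    size_t len = msg[0];
    if (len > msg_len - 1)          /* claims more bytes than were received */
        return -1;
    if (len >= out_cap)             /* would not fit with the terminator */
        return -1;
    memcpy(out, msg + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Builds a constructed message in the toy format: length byte followed by
 * 'len' copies of 'fill'. Returns bytes written, 0 if 'dst' is too small. */
size_t build_message(uint8_t *dst, size_t max, uint8_t len, uint8_t fill)
{
    if (max < (size_t)len + 1)
        return 0;
    dst[0] = len;
    memset(dst + 1, fill, len);
    return (size_t)len + 1;
}

/* A benign 5-byte subject parses and is copied intact. */
int demo_benign_ok(void)
{
    uint8_t msg[256];
    char subject[SUBJECT_MAX];
    size_t n = build_message(msg, sizeof msg, 5, 'A');
    return parse_subject_safe(msg, n, subject, sizeof subject) == 5
        && strcmp(subject, "AAAAA") == 0;
}

/* A 200-byte "subject", which would overflow the 64-byte buffer in the
 * vulnerable parser, is rejected by the hardened one. */
int demo_oversized_rejected(void)
{
    uint8_t msg[256];
    char subject[SUBJECT_MAX];
    size_t n = build_message(msg, sizeof msg, 200, 'A');
    return parse_subject_safe(msg, n, subject, sizeof subject) == -1;
}

/* A length byte that promises more text than was received (10 claimed,
 * 3 present) is also rejected instead of reading past the message. */
int demo_truncated_rejected(void)
{
    uint8_t msg[4] = { 10, 'x', 'y', 'z' };
    char subject[SUBJECT_MAX];
    return parse_subject_safe(msg, sizeof msg, subject, sizeof subject) == -1;
}
```

The two bound checks in `parse_subject_safe` are the whole fix: one prevents reading beyond the received message (an out-of-bounds read), the other prevents writing beyond the destination (the overflow that crashes the device). Either omitted on its own leaves a crash path reachable from a single incoming message.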
Manual disinfection of Fontal-A
1. Install a file manager on the phone
2. Go to c:\System\apps\appmngr
3. Delete appmngr.app (the corrupted copy dropped by the Trojan, which overrides the built-in application manager)
4. Go to the application manager
5. Uninstall the SIS package that installed Fontal-A
Disinfection for cases where the phone has already been rebooted and cannot start up. This method removes all data on the device, including calendar entries and phone numbers.
1. Power off the phone
2. Hold the following three buttons down: "answer call" + "*" + "3"
3. Keep holding the buttons and power on the phone
4. Depending on the model, you either get the text "formatting" or a startup dialog that asks for initial phone settings
5. Your phone is now formatted and can be used again
In 2005, Commwarrior-B (a mobile phone virus) began appearing on Symbian Series 60 phones. The virus replicated itself by way of MMS message attachments and Bluetooth.
MMS recipients are asked whether they want to open the attachment, while Bluetooth recipients are asked whether to accept the file and, subsequently, whether to run it. Once the virus is installed, it starts looking for other nearby Bluetooth phones to infect.
At the same time, it sends an enticing MMS message to phone numbers listed in the address book, attaching a copy of itself as a disguised SIS installation file. This virus illustrates how multiple methods of replication can be combined for propagation.
Another virus, Mabir.A, works similarly, but responds with an infected reply to any message that arrives at the device instead of using address book entries. Essentially Mabir.A is Cabir with MMS functionality added; both are written by the same author and share very similar code.
Mabir.A spreads over Bluetooth using the same routine as early variants of Cabir: when it activates it searches for the first Bluetooth phone it finds and starts sending copies of itself to that phone. If that phone goes out of range, Mabir.A still appears to stay locked on it.
Remote Access – A classic Trojan (Brador) targeting Windows Mobile 2003 ARM-based PDA devices creates a file in the Startup folder on the device, which allows it to gain control each time the device is started.
It sends the attacker an email message containing the IP address of the device as notification that the backdoor on the infected device is active. The attacker can then make a connection to the device, view and download files, or even upload more malicious code.
The Bluetooth implementations of certain Sony Ericsson and Nokia phone models have also been shown to be vulnerable to an attack termed Bluesnarfing, whereby the address book, calendar, IMEI number, and other data can be extracted over the wireless interface.
Certain device models were shown to be vulnerable even when Bluetooth was set in non-discoverable mode, and no prompts, messages, or other indications appear on the phones’ display during the exploit.
Update. Researchers from anti-virus vendor Kaspersky warn about a new threat targeting mobile users in the form of credit-stealing Trojans. The malicious applications initiate unauthorized requests to transfer credit from one phone to another.
10 Responses to "Is mobile malware proliferating?"
How can I get mobile malware?
You purchase a program from an unknown supplier. The program can be a screensaver, a game …
How can a virus affect my smartphone?
For example the Viver Trojans, made in Russia, immediately after infection start sending SMS messages to premium-rate numbers. The messages are sent with proper international area codes, so they are able to reach the correct destination even when activated outside Russia.
What are the most likely mobile risks today?
Most of the phone viruses and Trojans target the older smartphone systems because current systems have improved built-in security.
Today the most likely mobile risks are mobile spying tools like FlexiSpy, Neocall or Mobile Spy
What is the next step in mobile malware?
I think that the next epidemic of malware will ride the streams of Bluetooth to infect everybody within 30 feet.
Mobile Malware – Possible Vectors?
-SMS (receiving spam, for example, via Yahoo! Mobile)
-Bluetooth (could be infected by the CABIR worm)
-InfraRed (not much threat, since direct line-of-sight is needed with another IR-capable device)
-Connections to PC/laptop using IR and Bluetooth (very easy to transfer data and malware)
interesting post
a very good article about "Is mobile malware proliferating?"