- Category: September - October 2009
According to Kaspersky Lab, the first proof-of-concept virus for smartphones running Symbian OS appeared in June 2004. In the autumn of 2004, three mainstream parasites for mobile devices emerged, one of them belonging to the infamous Trojan family. The first was Mosquit.a, actually a harmless game for mobile phones, except that it sends SMS messages to all entries in the phone’s directory and in this way advertises its author’s creation. So, in a manner of speaking, Mosquit has earned a place in history not only as the first smartphone Trojan, but also with the dubious honor of being the first mobile adware.
The Trojan Skuller.a, which emerged in November of the same year, was regarded as cutting-edge: it exploited a flaw in Symbian that made it possible to overwrite an application’s system files. The Trojan replaced the icons of all existing applications with a skull and at the same time removed all application files, so that the phone no longer worked after a restart. This kind of “Trojan vandalism” enjoys great popularity among virus writers.
At the beginning of 2005, the main types of mobile viruses, to which many virus authors still cling, were the following:
- Worms, which spread via the services and channels typical of smartphones
- Trojan vandals, which use Symbian security gaps to penetrate the system
- Trojans for financial gain
Fast forward to 2008, which saw several instances of malware designed for and spread via mobile phones. One example was SymbOS/Kiazha.A, a “ransomware” Trojan that runs on Symbian OS devices and deletes incoming and outgoing SMS (text) messages. When it infects a mobile phone, the phone displays a message asking the user to send money (to an undisclosed location, using a mobile phone recharge card) to have the device restored to normal function. This Trojan is installed on the phone by SymbOS.Multidropper.A, which also installs SymbOS/Beselo, a worm that propagates by sending itself as MMS (multimedia) messages every two minutes to every contact in the mobile phone’s phonebook. It can also propagate via Bluetooth and copy itself to any memory card inserted into the phone, allowing it to recover from deletion. In another tactic to enhance propagation, SymbOS.Multidropper.A installs SymbOS/ComWar.C, which spreads via Bluetooth, replicates, and monitors itself to ensure it is not erased from the phone.
During the last year, malware for mobile phones was largely circulated in Asia – a trend that is not surprising since it is the region where the number of people who own such devices is significantly higher than those who own personal computers. This makes spreading malware via mobile phones in Asia a potentially profitable endeavor for malware creators.
Besides the main species of malware, many modifications exist in practice. Kaspersky Lab has information on at least 31 harmful program families for mobile phones, which exhibit the following characteristics:
- Spread over Bluetooth and MMS
- Dispatch SMS/MMS
- Infection of files
- Enable external access to smart phones
- Replace file icons and system applications
- Modify fonts and install applications
- Bypass anti-virus functions
- Install other harmful programs
- Block memory cards
- Enable information theft
Mobile viruses possess the same functions as computer viruses. However, whereas the computer virus family needed more than twenty years to produce the whole spectrum of viruses and functions, the mobile virus family has accomplished this within only two years. Certainly, we are dealing here with the most dynamic and fastest developing field of harmful programs, whose peak of evolution obviously has not been reached yet.
One of the main technological differences between mobile viruses and other modern threats is that, despite the large number of mobile virus families, only a manageable number of primary malicious programs exist. This is comparable to the state of computer viruses in the late 1980s: at that time, hundreds of viruses existed whose core consisted of one basic malicious program and its source code. The three viruses Vienna, Stoned and Jerusalem were the origin of a multitude of further parasites.
How mobile viruses spread
Previously, mobile viruses differed from computer viruses in using specific propagation methods: Bluetooth or MMS. However, the .NET programming platform integrated into WinCE has enabled virus writers to exploit yet another, more traditional infection vector: email. For example, the Letum worm behaves in exactly the same way as thousands of typical PC email worms: once it gets onto a phone, it sends itself to all the email addresses stored in the infected device’s contact list. Furthermore, Letum could be classified as a cross-platform virus, as it is capable of running on computers running .NET.
Cross platform viruses
The Cxover virus is the first cross-platform malicious program for mobile phones. When launched, it checks to see which operating system is running, and when launched on a PC, it looks for access to mobile devices via ActiveSync. The virus then copies itself to the mobile device using ActiveSync. Once it is on the mobile device, the virus attempts to perform the procedure in reverse, i.e. to copy itself to the PC. It can also delete user files on the mobile device.
The Mobler worm works a little differently. Once it is launched on a PC (with a Win32 component), it creates a SIS file on the E: drive. The SIS file contains several empty files which are used to overwrite a number of system applications on the phone. The SIS file also contains the worm itself, which copies itself to the phone's memory card and adds a file called autorun.inf. If a user connects a Mobler-infected phone to a computer and tries to access the phone's memory card, the worm launches automatically and infects the computer. Mobler is a clear example of a cross-platform virus capable of running on totally different operating systems: Windows and Symbian.
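The PC-side half of the Mobler mechanism rests on a plain text file: an autorun.inf whose [autorun] section names a program stored on the memory card, which Windows of that era would run when the card was opened. The following is an added example, not code from the article or from Kaspersky Lab, of a defensive check an administrator could run over a mounted card before trusting it: it parses autorun.inf with the real Windows key names (open=, shellexecute=, shell\...\command), reports any entry that points at an executable shipped on the card, and lists the SIS packages present. The sample "card" is constructed in a temporary directory; its file names and contents are invented for the demonstration and are not Mobler's real artifacts.

```python
"""Defensive scan of a removable volume for the autorun.inf launch trick.

Added example (not the article's or Kaspersky Lab's code). It does not need
Windows: the volume is just a directory, and the sample one is constructed
in a temp dir.
"""
import configparser
import os
import tempfile

# Extensions Windows would execute if an autorun entry named them.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
# Symbian installation packages: what the phone-side installer would pick up.
PACKAGE_EXTS = {".sis", ".sisx"}


def _is_launch_key(key):
    """True for the real autorun.inf keys that start a program."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command")
    )


def parse_autorun(text):
    """Return [(key, command), ...] from the [autorun] section of an autorun.inf body.

    Section and key names are matched case-insensitively, as Windows does.
    A file without an [autorun] section (or that is not INI at all) yields []."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.lower  # keys are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    for section in parser.sections():
        if section.lower() == "autorun":
            return [(k, v) for k, v in parser[section].items() if _is_launch_key(k)]
    return []


def scan_volume(root):
    """Scan a mounted volume (given as a directory) and return a list of findings."""
    findings = []
    # FAT cards are case-insensitive, so match the file name case-insensitively.
    for name in os.listdir(root):
        if name.lower() != "autorun.inf" or not os.path.isfile(os.path.join(root, name)):
            continue
        with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
            commands = parse_autorun(fh.read())
        if not commands:
            findings.append("autorun.inf present but names no program to launch")
        for key, command in commands:
            parts = command.split()
            program = parts[0].strip('"') if parts else ""
            target = os.path.normpath(os.path.join(root, program))
            ext = os.path.splitext(program)[1].lower()
            if program and os.path.isfile(target) and ext in EXECUTABLE_EXTS:
                findings.append(f"autorun.inf {key}= launches executable on the card: {program}")
            else:
                findings.append(f"autorun.inf {key}= refers to {program!r}, not found on the card")
    # Independently of autorun, list Symbian packages carried on the card.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PACKAGE_EXTS:
                findings.append("Symbian package on card: "
                                + os.path.relpath(os.path.join(dirpath, name), root))
    return findings


def build_sample_volume():
    """Construct a Mobler-style card layout in a temp dir and return its path.

    Everything here is invented sample data: the file names, the autorun.inf
    text and the placeholder bytes are not taken from the real worm."""
    root = tempfile.mkdtemp(prefix="card_")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("; constructed sample\n[AutoRun]\nopen=sample.exe\nicon=sample.exe\n")
    with open(os.path.join(root, "sample.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not an executable
    os.makedirs(os.path.join(root, "system"))
    with open(os.path.join(root, "system", "sample.sis"), "wb") as fh:
        fh.write(b"\x00")  # placeholder bytes, not a real SIS package
    return root


if __name__ == "__main__":
    for finding in scan_volume(build_sample_volume()):
        print(finding)
```

On the constructed volume the scan reports the open= entry as launching an executable present on the card and lists system/sample.sis; an icon= key is ignored because it cannot start a program. The same function can be pointed at a real mount point of a card or phone.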
Prior to 2006, the two most frequently attacked mobile platforms were Symbian and WinCE, which are the main smartphone platforms. The appearance of the RedBrowser Trojan in February 2006 was an unpleasant surprise. This was the first time that standard handsets (i.e. not smartphones) were infected. RedBrowser targeted mobiles which use the J2ME platform to run certain applications.
Although until recently it seemed an impossibility, infecting almost every kind of mobile phone is now a reality. The very appearance of Trojans for J2ME is just as worrying as the appearance of the first worm for smartphones in June 2004. It’s still difficult to assess all the potential threats. However, it’s a fact that the standard handsets still outnumber smartphones and malicious users have now worked out how to infect a standard phone and use it for criminal purposes. This means that antivirus protection for such devices is becoming a relevant issue.
Also in 2006, the first proof-of-concept backdoor for BlackBerry devices was detected. However, it was written in Java and, according to Kaspersky Lab, therefore cannot really be classified as malicious code for a new platform.
Here are some of the early versions of mobile viruses:
Cabir not only developed its own variants, which differ only in file names and in the composition of the installation file (SIS file), but also gave rise to independent and, at first sight, completely dissimilar parasite families such as StealWar, Lasco and Pbstealer.
The worm Lasco appeared as the first of these independent families. Apart from the usual worm functionality, it can also infect files.
This harmful program was developed in China and was discovered on a hacked Korean web page offering the online game “Legend of Mir”.
This Trojan took over Cabir’s Bluetooth spreading, but this time the authors also made an important change to the source code: the Trojan reads the mobile phone’s address database and stores it in a text file, which is then sent via Bluetooth to the next device found nearby. This is where the designation Pbstealer (“Phonebook Stealer”) comes from.
A further milestone in the development of mobile parasites was the worm Comwar, one of the first to spread via MMS as well. Given how widely mobile threats propagate, its functionality has to be classified as extremely dangerous: the range of Bluetooth-enabled devices is 10 to 15 meters, whereas MMS knows practically no borders.
At present, at least seven modifications of the Comwar worm are known. In the variant Comwar.g the author used, for the first time, the possibility of infecting files: the worm looks for other SIS files on the mobile phone and inserts itself into them, thereby waiting for another opportunity to spread further.
What is remarkable is that Comwar has not yet become the “progenitor” of a number of other virus families, most probably because its source code is unpublished. Like Cabir, however, Comwar is used more as a “carrier” for other Trojans. Only the Trojan Stealwar is considered the predecessor of a new family built on Comwar. Stealwar is a worm that contains parts of Cabir, Comwar and the Trojan Pbstealer, and thereby has the ability to proliferate more widely and consequently poses a higher risk.
In the future, however, MMS dispatch will outweigh all other spreading methods, especially since a serious weak point in the MMS application under Windows Mobile 2003 is already known which leads to a buffer overflow and to the execution of arbitrary code.
Showing another dastardly side, Comwar.c was the first to use rootkit technology. The worm hides itself from the process list and from the task manager’s list of started applications by declaring its process type as a SIS file (system file). The good news is that, with the help of other tools that list started applications and processes, it can be discovered without a problem. Various other harmful programs for Symbian are using similar techniques at present, too.
Mobile viruses have technically grown out of their infancy, and only the still relatively small distribution of smartphones has so far prevented the situation from getting out of hand. However, with Symbian and Windows Mobile gaining ground every day, it is probably only a question of months until mobile viruses are an everyday topic in Asia as well.
What can mobile viruses do?
- Spread themselves through Bluetooth and MMS
- Dispatch SMS and MMS without your knowledge
- Infect Files
- Send infected files to people in your name (via email, WiFi, Bluetooth, etc.)
- Delete your personal information (e.g. address book, file, etc.) or steal confidential information
- Disable functions on the phone (SMS, games, cameras, etc.) or completely disable the whole device
- Allow external access to smart phones
- Replace file icons and system applications
- Modify fonts and install other applications
- Fight anti-virus functions
- Install other harmful programs
- Transfer malicious code from the smartphone to a PC upon connection
- Lock memory cards
- Use up the phone battery much faster than usual
- Steal information