EnterpriseMobileToday PDAStreet

Home | News | Reviews | Features | Tips | Mobile Product Watch | Forums



Visit EnterpriseMobileToday.com

Internet.com's premiere site for mobile managers and IT professionals is where wireless meets business. Our expert analysis and tips will guide you in buying, deploying, securing and managing mobile technology in the enterprise. You'll find strategic analysis, best practices, news, buyer.s guides and practical advice on how to evaluate and support a wide range of devices in the workforce.


PDAStreet.com > Features > Mobile Malware: The Brief History

Mobile Malware: The Brief History

By James Alan Miller
January 13, 2005

A new more dangerous time for mobile device users, filled with mobile malware, is upon us. As with desktop computers, the Lilliputian world of PDAs and smartphones is no longer immune to malicious attack.

This new reality was emphasized this week by the discovery of the one of the most sophisticated mobile viruses yet produced, Lasco.A. Unlike previous malware, Lasco.A attacks most often when users attempt to trade programs, but will also try to infect phones that are connected to its host device within Bluetooth range. (see, Yet Another Virus Targets Smartphones)

It all began "innocent" enough with a pair of "proof-of-concept" trojans, but quickly got ugly—when virus writers with less "benign" intentions jumped on the mobile malware bandwagon.

In this article, we take you through the trojans and viruses that were designed to affect and infect handhelds and smartphones over the last half a year or so, before directing you to articles on how to keep their PDAs, cell phones, and smartphones safe.

The list is in reverse order, moving backwards from Lasco.A.

Mobile Malware: The Brief History

December 2004

  • New variants of the Cabir virus (one of the first mobile viruses), Cabir.H and Cabir.I, fixed a flaw that slowed the previous Cabir malware from spreading rapidly. The original Cabir, dubbed Cabir.A, moved only to one new phone with each reboot. But the newer versions did not have the same restrictions, and appeared capable of spreading to an unlimited number of phones per reboot.
    (For more, see New Cabir Variants are Spreading Fast)

  • METAL Gear.a encouraged smartphone users to install itself by masquerading as the Symbian version of the popular Metal Gear Solid game. The trojan was the first malware to target Symbian security software to disable specific anti-virus and file browsing applications.
    (For more see Trojan Targets Anti-Virus Achilles Heel)

    November 2004

  • Skulls, a relatively low-impact but threatening virus, popped up on some Symbian OS smartphones. The malware, which overwrote application information and icon files (AIF) on the device's C: drive with an icon of a skull-and-bones image, was found at some Symbian shareware download sites under the filename "Extended Theme Manager" and "Tee-222" with a Symbian OS Installer file (.sis).


    Skulls Virus

    (See Security Update: Skulls Hit Symbian Phones)

    August 2004

  • The first Trojan aimed at Symbian smartphones turned up embedded in a cracked (illegal) edition of Ojom’s game Mosquito. So the only way to become infected with Mosquito was to to knowingly or unwittingly download illegal software.

    Mosquito became activated when you launched the pirated game. Upon which, it copied itself to the system/apps/Mosquitos/ folder on the smartphone and then sent SMS messages out in the background at premium rates while the game was being played.
    (For more, see Beware of Greeks Bearing Gifts)


    Mosquito Message

    A few days later...

    The saga of the first Trojan Horse for Symbian smartphones took a twist worthy of Homer's epic poem the Iliad, as it became apparent that the perpetrator was the developer of the infected game itself. Ojum placed the Trojan in the game Mosquito as a form of copy protection.

    So if a "cracked" or illegal version of the game was developed or Mosquito was played on an unregistered smartphone, the Trojan dialed a specific number silently in the background—sending an SMS message notifying the company. Although it worked as planned, it backfired too, as a number of legitimate users were affected.
    (See Mosquito Trojan Bites Developer Back)

  • A trojan aimed at Pocket PCs called Backdoor.Bardor.A or WinCE.Brador appeared, and was received by victims as a disguised e-mail attachment. When launched, the malware let its creator control the infected Pocket PC and all the data on it the next time a user connected to the Web. Specifically, the worm identified the machine's IP (Internet Protocol) address and sent the information to the virus developer.
    (For more, see Mosquito Trojan Bites Developer Back)

    June/July 2004

  • The first two known cases of malware for mobile devices—one for Symbian smartphones and the other for Pocket PC PDAs and phones—appeared a little over a month apart. Members of 29a, an international group of programmers that specialize in “proof-of-concept” viruses wrote both.

    So EPOC.Cabir (Symbian) and WinCE.Dust (Pocket PC) were developed not to create havoc but to prove that malicious code for handhelds could be generated.

    First came Cabir in June, which was disguised as the Caribe Security Manager utility—part of a Symbian smartphone's security software. When launched, the worm made the smartphone's screen display the inscription Caribe.

    The worm then penetrated the system and was activated each time you started your phone. It also scanned for other phones using Bluetooth to send out copies of itself. The newest trojan's appear to be based on this initial "proof-of-concept" creation.
    (For more see, Worm Hooks Symbian Smartphones)

    Next came WinCE4.Dust for Pocket PC handhelds and phones. The writer only sent the virus to anti-virus vendors, claiming that it, like EPOC.Cabir, was created to show that a Pocket PC virus could be developed and spread. Also, unlike malicious worms, WinCE4.Dust asked the handheld owner if it could spread itself.
    (Fore More see, First Pocket PC Virus Uncovered)

    Basic Security
    We recommend all handheld users follow some basic guidelines to keep their devices and, perhaps more importantly, the data they hold safe. For instance, in order for Series 60 smartphone users to get infected by a virus/trojan via Bluetooth, he must first answer yes to these two messages:


    The worm arrives on the phone as a Bluetooth message which has to be explicitly accepted by the user with the following dialogue.
    To receive a worm, a user must then ignore the security warning message and physically click and recognize explicitly that the .SIS has come from an unknown source.

    So, as a rule, it is a good idea not to accept Bluetooth messages from unknown users. And as anti-virus company F-Secure's director of anti-virus research Mikko Hypponen recommends, operate your device in hidden Bluetooth mode to avoid being infected.

    You will find additional security guidelines in the following articles:

    --Handheld Security: Part IV – The Mobile VPN

    --Handheld Security: Part III – Evaluating Security Products

    --Handheld Security: Part II - Understand Vulnerabilities

    --Handheld Security: Part I - Learn the Basics

    --Top 10 Items You Shouldn't Allow on Employee Unprotected PDAs (and what do about it)



    • Related Links:

  • Yet Another Virus Targets Smartphones
  • New Cabir Variants are Spreading Fast
  • Trojan Targets Anti-Virus Achilles Heel
  • Security Update: Skulls Hit Symbian Phones
  • Beware of Greeks Bearing Gifts

     
     Printable Version
     Email this Story to a Friend