Mobile Virus Handbook

VIRUS STORIES

By now it is certain: viruses that attack cellular phones are no longer an
exception or a proof of concept. In recent months multiple variants of these
viruses have stepped up their attacks, revealing an unprecedented and
alarming level of exposure.

The latest generation of cellular phones are no longer pure communication
devices: they are intelligent multimedia centers to be used both for work
and leisure, with little to differentiate them from palmtops. It therefore
seems likely that the kind of security problems experienced in the PC
world will be disturbingly similar in mobile environments.

As a result, the latest generation of cellular phones has become a
potentially tempting target for attack and at the same time a vehicle for
malicious code. This represents a growing threat as the market increases
in complexity. By observing the exponential growth of these devices
registered in the past decade, we can predict that the growth in the number
of smartphone users and the corresponding market around it will be much
more explosive than that of PCs.

Already today, the Symbian operating system is installed on over 20
million smartphones: such a pool of users could not fail to arouse the
interest of hackers and spammers. This creates a scenario in the near
future where viruses, worms, spyware and denial of service attacks will
become commonplace for such devices.

The vanguard of cellular phone hackers has already made its appearance,
in some cases quite strikingly, and the first targeted have obviously been
Symbian-based Series 60 cellular phones.


Terror runs... on wireless lines: a 10-month chronicle of attacks

Let's recap briefly the events that have defined the past months.

- Spring 2004 – Mosquitos, the game infected by a trojan, opens the
door for this new era of piracy aimed at cellular phones: it sends
messages to expensive toll numbers, causing considerable economic
loss to its unwitting victims.

- June 15th: it's Cabir's turn; the worm, whose first version has been named
Cabir.A, is the first virus to replicate through an active Bluetooth connection.
Cabir attacks phones with a Symbian operating system.

- June 16th, 2004: Only one day later, a new version, Cabir.B, makes an
appearance, and will continue its spread mainly in China, India, Turkey,
Finland and the Philippines. To this day, this worm continues to
hitchhike around the world with the owners of infected devices.

- July 2004: Pocket PCs are targeted for the first time, and the
protagonist of these attacks is Duts. Behaving like a traditional parasitic
virus, it attacks the Pocket PC's programs and spreads each time infected
programs are exchanged. It is nicknamed “the polite virus”: when a
program hit by Duts is activated, a message appears asking the user for
permission to proceed: “Dear User, am I allowed to spread?”. If the user
mistakenly grants authorization, the virus will infect all .EXE files
present in the directory.

- August 2004: in Summer 2004, handheld devices are targeted once
again. A few days after the reporting of Duts, it is Brador's turn, a
backdoor that creates a copy of itself in the startup folder and informs the
hacker the minute the device is online. The hacker can then connect to
the palmtop through a TCP port and covertly control the device.

- November 19th, 2004: Symbian-based smartphones once again become
the target of hackers. The first appearance of Skulls, the first version of
which is called Skulls.A, dates back to November. Skulls.A first makes its
appearance on websites that allow users to download shareware
applications for the Symbian operating system. Skulls hides behind files
named Extended Theme Manager or Timer Room. If erroneously installed,
the trojan blocks the functioning of smartphone applications, allowing the
user only to make or receive phone calls. All other functions - messages,
browser, and several other applications - are blocked and the screen,
instead of the usual icons, displays skulls. What makes the trojan even
more troublesome is the fact that removal can be quite difficult and
sometimes even cause the loss of all information stored on the phone,
including numbers, agenda and saved messages.

- November 29th, 2004: the month ends with the first variant of Skulls:
Skulls.B. As before, the trojan is spread through a file called Icons.SIS
that, if installed on a smartphone, blocks the functioning of the cellular
device's applications, allowing the user only to make and receive phone
calls, and deleting all other functions. If that weren't enough, Skulls.B
also carries the worm Cabir.B, making this threat particularly dangerous.

- December 9th, 2004: New versions of Cabir manifest themselves one after
the other: Cabir.C, D and E.

- December 21st, 2004: The stream of attacks doesn't blow over: reports bring
to light new notorious versions: Skulls.C, Cabir.F and Cabir.G.

- December 22nd, 2004: Another wave of malware spreads disguised as a
cracked copy of the popular cellular phone game Metal Gear Solid. The virus,
called MGDropper, installs itself when the unwitting user downloads the
game onto the smartphone. When launched, MGDropper installs versions of
Skulls and Cabir and tries to undermine the security products installed on the
phone.

- December 26th, 2004: In a six-month time span, versions of Cabir multiply,
and the versions Cabir.H and Cabir.I make an appearance. Both target cellular
phones with a Symbian Series 60 operating system, but their appearance
attracts the attention of researchers for one main reason: these two versions
seem in fact to be re-written versions based on Cabir's original source code.
This means that, in a silent but insidious way, part of the source code is
continuing to spread in the depths of the web. As a result, sources are still
available to authors of cellular phone malware, with all the associated risks.

- January 11th, 2005 – The new year starts with a troubling report that bears
the name Lasco.A. F-Secure research laboratories raise the alarm: 2005 could
be the banner year for attacks on cellular phones. This time as well, cellular
phones with a Symbian operating system and an active Bluetooth connection
are targeted. Lasco.A combines viruses and worms: once the phone is hit,
replicating the behavior of the notorious Cabir, the worm starts to search for
other active Bluetooth devices so it can replicate, and looks for .sis files to
infect.

- February 1st, 2005 – It's the turn of the Locknut.A trojan (also named
Gavino.A and B by some anti-virus companies). Aimed at phones with a
Symbian 7.0 operating system, this new phenomenon arouses interest not so
much because of its severity but because it is a Symbian SIS trojan file that
substitutes a binary file, blocking the phone and preventing any application
from opening. Its blocking methods are similar to those of Skulls but are more
complete. Although initially it was thought that, once hit by Locknut.A, the
phone becomes unusable even for phone calls, it has been verified that phones
can still make and receive phone calls, while losing all other functionality
normally available on a smartphone device.

- March 3, 2005 – CommWarrior.A started creating unwanted billing for
infected Series 60 users. This virus, however, adds a new layer of
sophistication, using Bluetooth during the daytime for spreading and
sending MMS messages at night. The latter feature is very bad from the
user's point of view, because CommWarrior is able to run up considerable
costs by sending multiple MMS messages. The MMS messages contain
variable text and the CommWarrior SIS file with the filename commw.sis.
To get infected the user has to accept the installation dialogue, but once
done, detection is difficult. The global spread of CommWarrior.A has been
rapid.

The most common reason why people have installed CommWarrior from an
MMS message is the trust they have in the sender. People are typically wary
of messages that they receive from unknown sources, but quite willing to
install whatever has been sent from a friend's mobile. This is a phenomenon
that we have also seen with e-mail worms; the plain fact is that people are
unwilling to mistrust something coming from a friend.

- March 18, 2005 – Locknut.B causes the operating system to crash by
preventing any application from launching. It lures the user into installing
it by pretending to be a patch for Series 60 phones. Locknut.B also contains
Cabir.V, which spreads through Bluetooth just like the earlier variants of
Cabir.

- April 4, 2005 – Fontal.A is a SIS file trojan that installs a corrupted font
file into the infected device, thus causing the device to fail at the next
reboot.

If a phone is infected with Fontal.A, it must not be rebooted, since the
trojan will prevent the phone from booting again. If the phone is rebooted, it
will try to boot but will be forever stuck at phone startup and cannot be used.

In addition to installing the corrupted font file, Fontal.A also damages the
application manager so that it cannot be uninstalled, and no new applications
can be installed before the phone is disinfected.

- May 9, 2005 – Skulls.K is a variant of previous Skulls versions. It replaces
the system applications with non-functional versions, drops the
SymbOS/Cabir.M worm into the phone and disables third-party applications
that could be used to disinfect it, such as FExplorer and EFileman.

Skulls.K tries to disable F-Secure Mobile Anti-Virus by replacing its files with
non-functional versions. However, since F-Secure Mobile Anti-Virus is capable
of detecting Skulls.K using generic detection, the Anti-Virus will detect the
infected SIS file and prevent it from being installed, provided that the
Anti-Virus is in real-time scan mode, as it is by default.

What will future attacks be like?

According to the experts at F-Secure research laboratories, in the future we
should expect a new breed of cellular device exploits - for instance, Trojan
horses incorporated in games, screensavers and other applications generating
unwanted charges, intrusions into reserved information stored in the memory of
cellular phones, as well as data deletion or theft.

The best way to protect a smartphone from dangerous content is to install anti
virus software that automatically updates itself.

All the latest news on viruses directly from the researchers of F-Secure
laboratories can be found on the weblog http://www.europe.f-secure.com/weblog/,
while news on F-Secure Mobile Anti-Virus – F-Secure's patented solution that
updates itself automatically so as to protect the phone even from the most
recent threats - can be found at the address: http://www.f-secure.com/wireless/


- True knowledge derives from a suspect or revelation -

Herman Melville

How is it possible for a virus to infect a cellular phone?

Nowadays, smartphones are at risk since they are similar in functionality to
actual personal computers. Their vulnerability arises from the presence of an
open operating system that, by allowing an Internet connection, exposes the
phone to risks from such activities as the sending of e-mail messages, the
exchange of MMS and WAP messages, as well as the use of accessories and tools.
Communications that take place through Bluetooth or infrared connections
therefore become potential vehicles for viruses.

What kind of damage can a virus cause to a cellular phone presently
and what threats should be expected for the future?

Most attacks perpetrated to date and orchestrated by hackers exploit malware in
the form of games, screensavers and similar applications. So far, however,
cellular phone viruses have had little impact on users, beyond the obvious
hassle of phone malfunctions. The situation should not, however, be
underestimated, because it seems destined to change. Indeed, the malware
authors keep increasing their degree of menace in step with anti-virus
professionals' ability to combat the threat. For the future, therefore, an
increase in attacks designed to make the device completely inoperable is to be
expected.

Maybe the most disturbing threat still remains that of the user's privacy: the
cellular phone represents a de facto source of personal data with its phone
numbers, messages, agenda and much more. This information can be
deleted, modified or stolen. In a future scenario, therefore, it is important not to
ignore the risk of attacks designed to seize valuable information, be it personal
or professional.

Another disturbing phenomenon that has recently occupied a leading role
among IT threats is spamming. In the near future it seems apparent that
cellular phones may become valid tools for the propagation of unwanted SMS
and MMS messages. Mobile devices could therefore become the primary
vehicle for the spreading of viruses aimed at infecting a large number of
cellular phones that, once hit, would start sending unwanted spam SMS and
MMS messages to all the numbers listed in the phone: all this while the
unwitting user is charged for the costs of this fraud.


How do viruses spread among cellular phones?

The modes of virus propagation are multiple and destined to vary. The main
danger is through increasing automation, as is the case with Cabir and its
use of Bluetooth.

Another way of propagating can be through the sending of infected messages,
opening TCP/IP connections directly from the applications and thus offering
greater opportunities for the malware to spread.

For traditional cellular phones that don't use an open operating system such
as Symbian OS, the risk is limited. There have been cases of diffusion of
harmful content on phones with closed operating systems, but they were
isolated.

How is it possible to find out whether or not a cellular phone has
been infected?

Considering that without a security application it is rather difficult to
trace a virus, there are nonetheless situations that can warn the user. By and
large, viruses typically cause anomalies on the phone, such as an increase in
communication activity, a quickly depleted battery, the reception of unwanted
messages and the deletion or modification of icons.
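A defender-side illustration of those warning signs, added here as an example and not taken from the handbook or from F-Secure: a small heuristic triage run over a constructed handset activity log, flagging the night-time MMS bursts and repeated Bluetooth pushes that the chronicle above attributes to CommWarrior and Cabir. The log format, the event names, the thresholds and the sample lines are all assumptions.

```python
"""Heuristic triage of a handset activity log for the warning signs listed
above: outgoing MMS bursts at night, messages that carry a .sis installer,
and repeated Bluetooth file pushes.  Added example; the log format, the
thresholds and the sample lines are all constructed, not from any product."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not a real capture); peers and numbers are fake.
# Format: "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2005-03-04T09:12:01 BT_PUSH peer=AA:00:00:00:00:01 file=patch.sis
2005-03-04T09:12:40 BT_PUSH peer=AA:00:00:00:00:02 file=patch.sis
2005-03-04T09:13:15 BT_PUSH peer=AA:00:00:00:00:03 file=patch.sis
2005-03-04T13:05:00 SMS_SEND to=+000000000001
2005-03-05T02:13:05 MMS_SEND to=+000000000002 attach=commw.sis
2005-03-05T02:13:09 MMS_SEND to=+000000000003 attach=commw.sis
2005-03-05T02:13:14 MMS_SEND to=+000000000004 attach=commw.sis
2005-03-05T02:13:20 MMS_SEND to=+000000000005 attach=commw.sis
2005-03-05T02:13:27 MMS_SEND to=+000000000006 attach=commw.sis
2005-03-05T11:40:00 MMS_SEND to=+000000000007 attach=photo.jpg
"""

MMS_BURST_PER_HOUR = 5   # outgoing MMS in one clock hour (assumed threshold)
BT_PEERS_PER_HOUR = 3    # distinct Bluetooth peers pushed to in one hour
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts, event, *kvs = line.split()
    return datetime.fromisoformat(ts), event, dict(kv.split("=", 1) for kv in kvs)


def triage(log_text):
    """Return human-readable findings; an empty list means nothing suspicious."""
    mms_per_hour = Counter()
    bt_peers_per_hour = defaultdict(set)
    night_mms = sis_mms = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        hour = ts.strftime("%Y-%m-%dT%H")
        if event == "MMS_SEND":
            mms_per_hour[hour] += 1
            night_mms += int(ts.hour in NIGHT_HOURS)
            sis_mms += int(fields.get("attach", "").lower().endswith(".sis"))
        elif event == "BT_PUSH":
            bt_peers_per_hour[hour].add(fields.get("peer"))
    findings = [f"{h}: {n} outgoing MMS in one hour"
                for h, n in sorted(mms_per_hour.items()) if n >= MMS_BURST_PER_HOUR]
    if night_mms:
        findings.append(f"{night_mms} outgoing MMS between 22:00 and 06:00")
    if sis_mms:
        findings.append(f"{sis_mms} outgoing MMS carrying a .sis installer")
    findings += [f"{h}: Bluetooth file pushes to {len(p)} distinct peers"
                 for h, p in sorted(bt_peers_per_hour.items()) if len(p) >= BT_PEERS_PER_HOUR]
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the sample log the triage reports four findings: the 02:00 MMS burst, five night-time MMS, five MMS carrying a .sis file, and the 09:00 hour with pushes to three Bluetooth peers; a single daytime photo MMS produces none.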

What should a user do to protect himself?

To guarantee a suitable level of security, it is necessary to protect the
smartphone with anti-virus software complete with an automatic updating
mechanism that delivers updates directly to the mobile device.
When anti-virus protection is not available, cellular phone users should pay
particular attention before proceeding with the installation of new software or
downloading new applications from the Internet, by verifying the source of the
software and tracking the behavior of the phone right after the changes have
been made.

How does anti virus software for cellular phones work?

After the software has been installed and the subscription to the updating
service activated, the scanning and database updating functions become
automatic and the user doesn't need to do anything else. In the instance that
harmful content is found - be it a virus, a badly formatted message or a
malfunctioning application - the anti-virus vendor creates an update able to
detect the malware and automatically distributes it to all the users of the
anti-virus service.

A good anti-virus automatically analyzes all the phone's files each time the
telephone is used and - in order to prevent infections - thanks to the real-time
scanning function, intercepts and analyzes all the files automatically as soon
as they are saved, copied, downloaded or otherwise modified, without the
need for further participation on the user's part. All viruses found are then
automatically put in quarantine. In critical cases, the anti-virus update can be
sent to users through an SMS message (F-Secure Mobile Anti-Virus is the only
solution available on the market that allows incremental updates through SMS
messages). In most cases, however, the protection is already active long
before the device can become infected.

What can operators do to guarantee security?

Mobile security solutions of the future will be multi-layered starting with
preventive security incorporated in the operating system, and including
applications that react more rapidly to new threats through automatic online
updates. Mobile security solutions will therefore have to be modular and
expandable in order to satisfy the needs of various types of mobile users.

In supplying the levels of security needed by mobile device users, the critical
aspects will continue to be automation, ease of use and timeliness of updating.
The ideal product will therefore have to be automatic, easy to use and able to
offer reliable and transparent protection.

Users are obviously interested in the security of their mobile devices, but not in
the technicalities. In other words: they want to be sure that in case of collision
the airbag works, but they're not interested in how it works.

And finally, a few tips to shield oneself…

First of all, it is of fundamental importance to remember that, in general, all
security software must always be kept up-to-date, so as to be able to
effectively counter attacks. It's important to remember that old software is not
designed to face new problems, bearing in mind that "old" can refer to as little
as a month, since anti-virus software updates are done weekly.

