Slashdot Mirror
First Symbian OS virus to replicate over MMS
Shachaf writes "A new virus, CommWarrior.a, is the first to replicate over MMS (Multimedia Message Service). From the article: 'Multimedia Message Service (MMS) is a more advanced version of the Short Message Service (SMS) familiar to users of GSM based handsets around the world, and allows rich content such as pictures, sounds, video, and applications to be sent as well as text.', and '"With MMS messages typically costing between $0.25 and $1.00 CommWarrior could prove expensive to anyone unlucky enough to be infected by it. As the virus runs silently in the background it could be quite some time before the user becomes aware of the potentially hundreds of MMS messages that have been sent," said Aaron Davidson, CEO of SimWorks.'"
So, the question is...
Are the customers reponsible for all the charges incurred from this virus? Being that it probably uses a flaw in the phone's OS itself.. how is this going to work?
Nobody is going to want fancy new fangled smart-phones if they get infected with viruses and run up your phone bill monthly..
Excuse me, I don't mean to impose, but I am the ocean
...message, on an already well known-format, shouldn't it be possible for service providers to block the messages through the MMS MX handlers? And/or simply not bill the customer for the sum of messages sent with that format. Of course, isolate them from the network if possible (remove their permission to emit MMS messages at the MX) until the malware can be removed from their device. Just a thought. Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better.
Informatus Technologicus
From TFA:
CommWarrior periodically sends MMS messages to randomly selected contacts, including a copy of itself and one of several predefined text messages designed to encourage the recipient to install the application.
Doesn't really seem this is Symbian's fault, CommWarrior just behaves like a malicious application. The user obviously has to install it and then run it to get 0wned.
Of course, some sort of sandbox environment like in Microedition Java would have been a better design, but I guess Symbian simply wasn't built with something like this in mind. I know Nokia is pushing a model where only certified developers will be allowed to write applications that access sensitive functionality (dialing numbers, sending messages, etc.), but this is not a great solution. It will drive the cost of applications way up, and shaft all the small app developers, because only the big guys will have their apps signed by Nokia.
Perhaps I mis-RTFA or just don't understand MMS, but whenever my mobile is active it causes amplifier noise (talk or send/receive SMS). CDMA or GSM. Computer speakers, car stereo, whatever. Wouldn't a constant transmission be noticable?
...but the text in the MMS says: "Your cell phone clock may be wrong. Would you like to keep it accurate?"
Modern phone operating systems have security features built in where the application installer will only allow *signed* applications to be installed. A virus / trojan wouldn't get signed because it has to go through an acceptance program.
The first Microsoft smartphone product had this feature turned on - normal joe's couldn't install software that hadn't been signed (the signing process usually costs $$ although recent efforts have reduced the cost).
Symbian *has* the same functionality. In fact, most commercial symbian software should now be signed, see Symbian Signed Symbian also has the functionality to disallow users to install unsigned programs. It is just that this feature is turned off by default (at least on the phones that I have seen).
Theoretically, all an operator needs to due is send an OTA message to turn on signing verification. This is easily done on a windows mobile and presumable via WAP push on Symbian. We probably will see operators start to turn on signing requirements by default on symbian phones (hopefully with the capability for users to turn it off so they can install freeware if they so choose).