Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Symbian OS virus to replicate over MMS

Posted by CmdrTaco on from the only-a-matter-of-time dept.

Shachaf writes "A new virus, CommWarrior.a, is the first to replicate over MMS (Multimedia Message Service). From the article: 'Multimedia Message Service (MMS) is a more advanced version of the Short Message Service (SMS) familiar to users of GSM based handsets around the world, and allows rich content such as pictures, sounds, video, and applications to be sent as well as text.', and '"With MMS messages typically costing between $0.25 and $1.00 CommWarrior could prove expensive to anyone unlucky enough to be infected by it. As the virus runs silently in the background it could be quite some time before the user becomes aware of the potentially hundreds of MMS messages that have been sent," said Aaron Davidson, CEO of SimWorks.'"

44 of 179 comments (clear)

  1. First AV As well... by RobertTaylor · · Score: 3, Informative

    The first virus... but lucky there is already anti virus software out there for your p910 :)

    1. Re:First AV As well... by tabkey12 · · Score: 2, Interesting
      Please no...

      Why is Symbian so insecure - surely an embedded OS is not difficult to harden? It is not as if the phone will be running lots of insecure services by default.

      Another reason to stick with my simple phone!

      --
      Get a free iPod Nano 4GB!
  2. Well by Anonymous Coward · · Score: 3, Funny

    It's a good thing I have no friends then.

  3. another good reason to have a simple cellphone by Anonymous Coward · · Score: 5, Insightful

    All of my coworkers laugh at me for using such a simple phone with only basic features and services. Guess there are some benefits afterall.

    1. Re:another good reason to have a simple cellphone by Anonymous Coward · · Score: 2, Funny

      Actually, we laugh at you for OTHER reasons, but if you want to believe it's your crappy phone, go ahead.

    2. Re:another good reason to have a simple cellphone by dapsie · · Score: 2, Insightful

      You do realize that you have to accept the file and confirm that you wish to install the application? It doesn't spread without actually being installed. The same with the BlueTooth "viruses", first you have to accept the Bluetooth connection - then you have to accept to install the file that was sent to you. No different than eMail viruses nowadays, if you get one - you're an idiot, sorry :p

    3. Re:another good reason to have a simple cellphone by gl4ss · · Score: 3, Insightful

      1: you can keep the mms settings off - there by being immune from this.
      2: you need go through the installing of the application yourself.
      3: when installing it warns you that it is not signed and potentially unsafe.
      4: you could get one of the antivirus solutions which mostly are snakeoil(because if you are smart enough to install one.. wouldn't you be smart enough to NOT click through the install?).

      the way this is most probable to spread is by intentional spreding by some kids, like other symbian 'viruses'(they're all programs that you have to click through the install by yourself) it's almost impossible to bump into this by total accident in the wild.

      what's to note is that these symbian phones are open in the same sense a pc is - ANYONE can develope anything they want for them(and they're STILL more secure than a pc with the modem plugged to the wall). including you! if you're a nerd you should appreciate that possibility, if you're not wtf you're doing on slashdot anyways?

      --
      world was created 5 seconds before this post as it is.
    4. Re:another good reason to have a simple cellphone by kamileon · · Score: 2, Funny

      A lot of people laugh at me for using a manual typewriter and correction fluid, and sending letters via snail mail, but I've never gotten a virus. Except when my aunt Chloe sneezed on that postcard.... Guess there are some benefits after all. ^_^

      (Sure, you're safer, but most people prefer functionality over safety. I'll keep my WAP browser and Bluetooth contact synchronization, thank you very much, even with the gaping hole in Bluetooth.)

      --
      To truly understand recursion, you must first truly understand recursion.
  4. Liability by Thnikkaman · · Score: 4, Insightful

    I wonder if this falls under the protection of the service provider. It seems to me that they shouldn't be able to charge the user for a vulnerability on their part, but what companies should do and what they actually do are very different things.

    --
    Four roommates. No microwave. You do the math.
    1. Re:Liability by hikerhat · · Score: 2, Insightful
      I was thinking the same thing. It should be like a credit card, where you aren't liable for more than $50 or so of fraudulant charges if you card is stolen.

      But my cell phone is about 5 years old now, so I don't have to worry about these things.

  5. It's a bit offtopic, but.. by lordsilence · · Score: 2, Interesting

    I'd like to know why those MMS and SMS are priced the way they are?
    Why wont anyone allow a flat-rate service? I mean.. it's data, but Im sure the cost of building the cellular networks should be paid off by now (excluding 3G).. at least here in sweden. (dont know how it's worldwide)

    1. Re:It's a bit offtopic, but.. by hsmith · · Score: 4, Insightful

      Why? Because it is PURE profit right now, if everyone is charging the same, they all can milk users while they can. One day it will be competitive, right now they all "agree" to keep prices high to rip off users. Do you really think SMS messages cost the $.20 they do to send? of course not. $.01 would be expensive still.

    2. Re:It's a bit offtopic, but.. by Turn-X+Alphonse · · Score: 2, Insightful

      the current price is what 12 year old girls find acceptable... they are happy to pay it so why reduce profits?

      --
      I like muppets.
  6. Eh.. by Eric(b0mb)Dennis · · Score: 3, Interesting

    So, the question is...

    Are the customers reponsible for all the charges incurred from this virus? Being that it probably uses a flaw in the phone's OS itself.. how is this going to work?

    Nobody is going to want fancy new fangled smart-phones if they get infected with viruses and run up your phone bill monthly..

    --
    Excuse me, I don't mean to impose, but I am the ocean
    1. Re:Eh.. by plover · · Score: 4, Insightful
      If I had a phone like this and it was infected, and it ran up a huge bill, I'd first talk to my service provider. If they refused to waive the charges, I'd then talk to the cell phone manufacturer.

      Seems like the cell providers could kill this quickly. Can't they recognize the virus signature in the messages that are transmitted? And can't they trace them back through the links to find out where it originated? Are there really holes that big allowing people to upload crap like this anonymously?

      --
      John
  7. If the virus sends a relatively uniform... by HaloZero · · Score: 4, Interesting

    ...message, on an already well known-format, shouldn't it be possible for service providers to block the messages through the MMS MX handlers? And/or simply not bill the customer for the sum of messages sent with that format. Of course, isolate them from the network if possible (remove their permission to emit MMS messages at the MX) until the malware can be removed from their device. Just a thought. Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better.

    --
    Informatus Technologicus
    1. Re:If the virus sends a relatively uniform... by Capt'n+Hector · · Score: 4, Funny
      "Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better."

      Yeah, god forbid a cellphone company take advantage of unsavvy customers....

      --
      Quid festinatio swallonis est aetherfuga inonusti?
      Africus aut Europaeus?
    2. Re:If the virus sends a relatively uniform... by plover · · Score: 5, Insightful
      It's not in the short-term best interests of the cellular providers to block the virus. First, it involves acknowledging the virus exists, which tends to scare people. Next, and here's the cynical greedy part, people who blindly pay their cell phone bills every month without complaint make up a large part of their customer base. If they can make a few million dollars off the virus, where's the incentive to shut it down? Willingly give out reimbursements to anyone who complains, but let the rest of them just continue to fork over cash.

      Sorry to be so cynical, but I just see these "services" (and all cell phone costs) as tremendously overpriced. It's just data. The bandwidth has a fixed cost (it's just the sum of maintenance, capital investments, marketing, etc.) Throw in 10% or 20% over cost for a profit margin, and call it done. But no, they have to have "minutes" and "plans" and "packages", all of which are expressly designed to mislead the buyers into spending as much money as possible, regardless of the amount of "service" they "consume." And we, the sheeple, consume it readily.

      --
      John
  8. Wow! by FreeLinux · · Score: 4, Insightful

    What a remarkable "coincidence".

    I never put any credence into the ativirus companies writing viruses conspiracy theories but, that one's just too fishy.

  9. Trojan not virus by lxdbxr · · Score: 5, Informative
    I know the nomenclature is largely ignored nowadays, but I would call this a trojan not a virus since it requires the user to run it to start spreading: Quote from the ZDNet version of the story:
    A recipient also has to accept and download CommWarrior in order for the Trojan to launch itself.
    It's not like it starts running as soon as you open the MMS message; you actually have to take steps to run the application contained in the message. Of course some people will run anything...
    --
    -- Nothing unusual happened today
    1. Re:Trojan not virus by ms139us · · Score: 2, Informative

      Parent is correct. Has anyone on slashdot ever tried to install unsigned software on a Symbian device?

      It is littered with warnings and confirmation screens. Anyone who got this virus had to endure the installation process confirmations. It is worse than a EULA.

      I find that I lack sympathy for a user who repeatedly selected "ok" and "continue" after being warned that this software cannot be verified -- software that arrived unsolicited.

      It takes a whole new kind of inattention to allow this virus to spread.

    2. Re:Trojan not virus by Anonymous Coward · · Score: 2, Informative

      A trojan is NOT necessarily a virus. Here's the difference:

      A trojan is a piece of software that contains malicious code, which COULD be a virus or worm, but it is not necessary. It could simply do something nasty without spreading.

      A virus is a piece of malicious code that attaches itself to another program. Just like biological viruses infect cells to reproduce.

      A worm is a piece of malicious code that simply replicates. For example the original Internet worm broke into other systems and executed itself from the new host to spread further. It did not attach itself to other programs.

  10. Viruses by zecg · · Score: 2, Funny

    Anti-virus software is a sign of platform's maturity... a sort of an OS Bar Mitzvah. There are probably Nokia engineers working on new worms, tightly collaborating with their anti-virus engineers.

    --
    .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
  11. Re:LOL by WormholeFiend · · Score: 2, Funny

    Here's an old school idea that doesn't get viruses and doesn't cost nearly as much.

    Ha! When I was your age, "old school" meant using a rotary dial, pulse landline.

  12. Well at least there's one alternative by PsychicX · · Score: 4, Funny

    Get a Windows CE phone :)

  13. Should this cost consumers? by junkcannibal · · Score: 4, Insightful

    It seems to me that since most people get their phones for free when they sign up for a plan, the cell phone companies should bear the cost of this virus. This cost will inevitably be passed on the the concumers. My point is that it should be the responsibility of the cell phone companies to keep their products and their networks free of viruses. Dwight Yokel BEEP BEEPING his neighbor in the next trailer over, should not be expected to pay and money or attention to this sort of concern or worry about extra charges on his bill because his cell phone company runs a flawed service.

  14. Just don't install stuff you got over mms from.. by gl4ss · · Score: 2, Interesting

    someone you didn't expect to get it from.

    this needs manual installation by the 'victim'!

    not very likely to spread too far either - a lot of people don't have even the mms settings in place.

    --
    world was created 5 seconds before this post as it is.
  15. Time to rob the rich and give to the...rich by CDOS_CDOS+run · · Score: 2, Funny

    What was Paris's #, I need to send her a mms message.

  16. Looks like a trojan, not a virus by bojanb · · Score: 4, Interesting

    From TFA:
    CommWarrior periodically sends MMS messages to randomly selected contacts, including a copy of itself and one of several predefined text messages designed to encourage the recipient to install the application.

    Doesn't really seem this is Symbian's fault, CommWarrior just behaves like a malicious application. The user obviously has to install it and then run it to get 0wned.

    Of course, some sort of sandbox environment like in Microedition Java would have been a better design, but I guess Symbian simply wasn't built with something like this in mind. I know Nokia is pushing a model where only certified developers will be allowed to write applications that access sensitive functionality (dialing numbers, sending messages, etc.), but this is not a great solution. It will drive the cost of applications way up, and shaft all the small app developers, because only the big guys will have their apps signed by Nokia.

    1. Re:Looks like a trojan, not a virus by enjo13 · · Score: 2, Informative

      That effort is actually being driven by Symbian. Accessing sensitive information on both future UIQ and Series 60 (And any other Symbian derivative that pops up) will require priviliges via signing.

      --
      Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
  17. hehe by Turn-X+Alphonse · · Score: 2, Informative

    When will people learn the more features something has the more holes it has in it. My cellphone can take calls and text, doesn't even display colour but if I have a car accident or I get injured it'll do the job just as well as any "3G super mega hyper magical edition" phone.

    Maybe people need to learn that the home phone is better for calling friends and mobiles are mostly for emergencies and when someone needs to urgently contact you..

    --
    I like muppets.
  18. Re:Sure would like a link... by Shachaf · · Score: 2, Informative

    There is a link. It's at the top: CommWarrior.a.

  19. Re:That sucks, yeah, but look at the bright side! by cayenne8 · · Score: 2, Insightful

    Can someone clue me in as to what this SMS and messaging is all for?? If you have a phone...why send text messages over it? It's a phone...call and talk to them....??

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  20. Um...it's transmitting by SamMichaels · · Score: 4, Interesting

    Perhaps I mis-RTFA or just don't understand MMS, but whenever my mobile is active it causes amplifier noise (talk or send/receive SMS). CDMA or GSM. Computer speakers, car stereo, whatever. Wouldn't a constant transmission be noticable?

  21. Kind of depressing isn't it? by hey! · · Score: 2, Insightful

    I mean, the RFCs for MIME came out, what twelve years ago? Injudicious MIME implementations have been vectoring trojans ever since.

    So, you'd think they'd have taken a lesson from a decade of history and limited the power of multimedia attachments.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  22. Re:Just don't install stuff you got over mms from. by d95adam · · Score: 3, Interesting

    ...but the text in the MMS says: "Your cell phone clock may be wrong. Would you like to keep it accurate?"

  23. This issue is easily solved by harshaw · · Score: 3, Interesting

    Modern phone operating systems have security features built in where the application installer will only allow *signed* applications to be installed. A virus / trojan wouldn't get signed because it has to go through an acceptance program.

    The first Microsoft smartphone product had this feature turned on - normal joe's couldn't install software that hadn't been signed (the signing process usually costs $$ although recent efforts have reduced the cost).

    Symbian *has* the same functionality. In fact, most commercial symbian software should now be signed, see Symbian Signed Symbian also has the functionality to disallow users to install unsigned programs. It is just that this feature is turned off by default (at least on the phones that I have seen).

    Theoretically, all an operator needs to due is send an OTA message to turn on signing verification. This is easily done on a windows mobile and presumable via WAP push on Symbian. We probably will see operators start to turn on signing requirements by default on symbian phones (hopefully with the capability for users to turn it off so they can install freeware if they so choose).

  24. Actually, it may be a good thing. by WindBourne · · Score: 2, Interesting

    All too often, a virus costs somebody time. They are willing to accept it as just a lost of that. Instead, society needs to start accepting that all virus represent lost money. Once they do that, they will start looking for alternatives to where 99.999 % of the virus occur at.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  25. Customers pay, and they should. by huge · · Score: 2, Insightful
    Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better.
    I think this should be considered to be no different to internet connection. In this context I'd like to say "PC /w internet connection" == "Mobile".

    If you have a internet connection for which you pay per used bandwidth and you get a virus, do you get refund? You get 0wned and someone uses you as a spam relay, you get black-listed. Should you get refunded?

    No. You should make sure that you have up to date AV running and you have firewall installed and configured. Even if the terminal is more widely spreaded than the internet connections are, and to even more clueless users, it's up to users to make sure that their system is secured.

    Yes, there are ISPs which disconnect infected clients from their network and will not forward virus infected emails, but some of them don't care.

    Of course there will be companies to provide AV and FW applications. Of course they wont be free. But then again, who can blame them. If you want to get it for free do it your self, GPL it and make sure that everyone can enjoy it.
    --
    -- Reality checks don't bounce.
  26. Re:That sucks, yeah, but look at the bright side! by GlassHeart · · Score: 2, Interesting

    With most providers, voice calls are a lot more expensive than SMS. In many countries, this price difference is significant enough to suffer the relative inconvenience. Messaging also has the somewhat unintended feature of being quiet to send, so it's more polite to use in public.

  27. Re:That sucks, yeah, but look at the bright side! by ambrosen · · Score: 2, Insightful
    Why send texts? Because it doesn't require all the "Hi, how are you?, How's the weather"..."Bye, nice talking to you, see you soon" effort, and it doesn't interrupt the flow of what either of you were doing.

    But you knew that anyway.

  28. Re:Just don't install stuff you got over mms from. by xnode · · Score: 2, Interesting

    Unfortunately I had to review my opinions about people having to be stupid to accept unknown software.

    Well, anyways there is times when people except messages from certain providers. Like when people are arrive to a new country they are quite accustomed to a welcome to a new country messages.

    As an example I know a case where one of our customers did accept Cabir over bluetooth because it was send with a sender name of a local operator. Unfortunatily I can't see a difference in a MMS case. User that thinks that he's getting updates/welcome message for his current country propably will accept the message.

    And for the last part.... at least in Finland most new user will have MMS settings in place (i.e. they may get them automatically depending on the operator).

    --
    .... it's coming ...
  29. Already being filtered by Jacco+de+Leeuw · · Score: 2, Interesting

    The telecom operators are already filtering these infected MMS messages.

    The only problem is indeed the cost of sending these messages. I do hope that operators are not charging customers for these undelivered messages.

    --
    -------
    Warning: Slashdot may contain traces of nuts.
  30. Europe by grahamsz · · Score: 2, Informative

    In most of europe cellphones are essentially premuim rate numbers. Unlike the US where the cellphone holder pays for every minute, europeans place the cost burden on the person making the call.

    Typically these rates aren't too bad, but when you start calling from one network to another they can get VERY high. In the UK I would pay close to 1$US/minute to call from orange -> tmobile.

    Text messages are generally very cheap and practical. Plus they are better for communicating certain types of information since you have a record of it. Not to mention the privacy issue of being able to text when you are in a meeting at work or in a resturant.

    On top of that you can IM with people on their computers.