Are Cell Viruses A Real Threat Now?

Celpha writes "According to security firm F-Secure, a Trojan virus (Cardtrap.A) attacks Symbian mobile phone operating systems, attempting to infect users' PCs if they insert the phone's memory card into their computers. From the article: 'We expect to see more of this on the mobile front,' an F-Secure chief research officer said. Trend Micro issued a media alert stating it is a 'fully functioning' mobile threat. However, Antivirus firm Sophos slams the claim of this first example of a serious mobile malware threat as just plain bonkers."

You better believe it's a threat.

[TripMaster+Monkey]

TrendMicro claims that the Symbos_Cardtrp.A trojan is a "fully functioning threat", while Sophos dissmisses the entire thing as "bonkers". I'm thinking that the truth is rather in the middle.

The Symbos_Cardtrp.A trojan is one of the first clumsy attempts at this sort of thing, but we all know that the malware only gets more sophisticated and polished over time. People certainly should be alarmed about the appearance of this trojan...not because it itself is all that threatening, but because it clearly demonstrates the potential for mischief.

As Raimund Genes, president of the firm's European Operations, said: "This attack is really a proof of concept and may be an indication of a new type of blended threat to come." You can bet that as cellphones become more sophisicated and more interconnected to our computers, malware authors are going to turn this into a genuine threat.

In short, while it's rather sensationalistic to tout this as a "fully functioning threat", claiming that there is nothingto worry about disingenuous in the extreme. Sophos' claim that paying attenton to this threat distracts sysadmins from the "real threat" of attacks on Windows desktops is pure sheepdip. Imagine if we dismissed out of hand the new threat of infection via USB thumbdrives, because we were all too busy paying attention to the "real threat" of infection over the network?

Re:You better believe it's a threat.

[Anonymous+Brave+Guy]

You can bet that as cellphones become more sophisicated and more interconnected to our computers, malware authors are going to turn this into a genuine threat.

An objective observer (which the various anti-virus people probably aren't) might ask why a mobile phone needs to become "more sophisticated" in the first place. My phone was a freebie about four years ago when I signed up, and still has way more features than I ever want or need.

Give me a good phone book feature, voice, text messaging and some sort of answerphone if I can't take a call. I don't need it to be a low quality digital camera, hard-to-use PDA, sub-standard web browser, trivial calculator, poor-capacity MP3 player, pathetically quiet alarm clock, and all the other junk. Nor do I need it to run some super-complicated operating system that's ripe for attacking.

Re:You better believe it's a threat.

[Alistar]

Yea, thats your opinion. I have a Treo and I use the various advanced functions of it everyday, well except the camera, stupid vga camera. The address book, alarms, contacts, mobile e-mail, fairly advanced graphing and calculatory functions, a multitude of clock and timer functions, memos, encrypted memos, having important data with me on the go, editing and reviewing documents, etc. Ill admit, I don't use the camera or music playing capabilities of it, but everything else allows me to stay ahead of problems in my business.

Cell phone viruses??? I'm immune!

Since my phone is so old!

Still works fine though. My cell phone company (Telus, a canadian CDMA company) calls me occasionally to try and sell me a new phone. I keep saying the same thing, "I'd love to buy a new phone. Do you have any phones with infrared?"

The sales rep says, "No."

I say, "Why not? All your competitors sell phones with infrared."

The sales rep says, "I don't know. We have phones with bluetooth though."

I say, "Well, I have a laptop with infrared, and a PDA with infrared, and as soon as Telus sells a phone with infrared, I'll buy it."

The sales rep hangs up.

The only reason I stick with Telus is that I want to keep my number. I can't wait for number portability to begin in Canada...

Got paid to develop Trojans

I got paid by a major company in the mobile field to develop Trojan horses for Java, Symbian, PalmOS and Windows Smartphone.

The goal was not to release "in the wild" but to showcase the need for funding for mobile phone security.

Nevertheless, pretty much nothing has been done even though modern smartphone OSes are incredibly close to allowing excellent OS security (MMU enables kernel / user separation).

It's pretty easy to do fancy stuff once you get in the mindset of an attacker. Like waking up the phone at midnight to place calls to a premium number. One doesn't even need to stack-smash to have fun (that is harder on ARM platforms bc you have to develop your own shellcode anyway).

The problem is especially important for wireless operators because people pay with their mobile phone. While that is the basis of revenue, it also enables major fraud (very much akin to what the "dialer kits" do to modem owners by silently ringing 900 numbers).

Examples:

  * There's a WAP (wireless browsing) service where you can download ringtones for $2. What if a program on your phone starts downloading those silently?

  * In some countries SMS are charged with a premium. What if a program are sending premium SMS without your knowing?

Of course it's also important for users ("what if a Trojan posts my phone book to some website", "what if a Trojan gets my location from the network and gives it to my wife". It's also important for security that the phone not be transformed into a jammer by changes in the radio firmware / software, but that's harder to do.

Hopefully the players involved will wake up before we find a nasty one in the wild.

Re:Still just a trojan...

[FirienFirien]

However, the average phone user is not so virus savvy as the average computer user. To wit, a semi-quoted example from an article from earlier - may have been slashdot, probably wired magazine or similar though.

User gets notification on phone. Accept or reject? Reject.
User gets notification on phone again. Accept or reject? Reject.
Repeat line above a few times. A virus doesn't care about the user rejecting it, and will keep trying to give it. User (hooray for the general public, sigh) eventually presses accept. Granted, this doesn't happen every time... but I bet you know a fair number of people who would, even out of curiosity.

And there's your issue. If this thing keeps popping up on someone's phone - especially if they're trying to do something else, like dial a number - there's a good chance that they'll get irritated enough before moving out of range.

Don't blame the user, they are human.

[BillGodfrey]

(Full article at http://billpg.me.uk/2005/09/barbarians-at-mobile-p hone.html )

Selected extract...

A good model to follow could be something similar to Flash files. Commonly seen used in animations, a program inside a flash file can do a lot. Here's a jigsaw puzzle. Here's a simple arcade game. Here's a collaborative document editing system.

Flash implements a full program language, but the program's wings are clipped. Unlike regular executables, a flash program can't interfere with other programs and it can't mess with files it doesn't own. Add a way allowing programs to interact with other components (including the file system) with a strict and manageable protocol, and there's no big need for any program to run unrestricted. (Except the operating system and the occasional device driver, that is.)