1. MALWARE
S MOBILE
GOE
BY MIKKO HYPPONEN
Computer viruses are now airborne,
infecting mobile phones in every part
of the globe. Security companies,
cellular operators and phone makers
are moving to quash these threats
before they spiral out of control
T
he day the computer security community
had anticipated for years finally arrived in
June 2004. I and other researchers who
study malicious forms of software knew
that it was only a matter of time until such
malware appeared on mobile phones as well. As cell
phones have evolved into smartphones — able to
download programs from the Internet and share
software with one another through short-range
Bluetooth connections, worldwide multimedia
messaging service (MMS) communications and
memory cards — the devices’ novel capabilities have
created new vulnerabilities. Scoundrels were bound
to find the weaknesses and exploit them for mis-
chief or, worse, for criminal gain.
Sure enough, three summers ago security ex-
perts found the first rogue program written spe-
cifically for smartphones. Dubbed Cabir, it was a
classic proof-of-concept virus, clearly created to
70 SCIENTIFIC A MERIC A N NOV EMBER 2006
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
2. INFECTION of one smartphone by malicious software — malware —
could bring down others in a domino effect.
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
3. SMARTPHONES ON THE RISE
Units Sold, Worldwide (millions)
15
MORE PHONES, MORE TARGETS
The number of smart mobile devices
in the world has expanded dramatically 10
in recent years, and so has the amount
of malware set loose to attack them.
That mix is a recipe for disaster: as the 5
size of a target audience increases, so,
too, does the likelihood that miscreant
programmers will attack it. And 0
audience size is expected to soar in Quarter 1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4
the years ahead. Industry analysts 2003 2004 2005 2006
predict that more than 200 million
smartphones will be sold in 2009.
GROWTH IN MOBILE MALWARE
350
Cumulative Number of Known Malware Programs
capture bragging rights. It caused no
300
damage to an infected device, other
than running down the phone’s battery 250
as the virus tried to copy itself to an-
200
other smartphone by opening a Blue-
tooth connection. The anonymous au- 150
thor, most likely somewhere in Spain,
100
chose to post Cabir on a Web site rather
than releasing it into the wild. But with- 50
in two months other scofflaws had
0
turned it loose in Southeast Asia. It soon
June 06
Aug. 06
March 06
June 04
June 05
Dec. 04
Dec. 05
Sept. 04
Sept. 05
March 05
spread worldwide.
M I R A C L E S T U D I O S ( p r e c e d i n g p a g e s a n d o p p o s i t e p a g e) ; L U C Y R E A D I N G - I K K A N D A ( t h i s p a g e) ;
Even though we had been on the
lookout for viruses such as Cabir, secu-
rity experts were not fully prepared to like a computer virus that can be ob- our office building and posted a guard at
S O U R C E S : C A N A LY S ( t o p g r a p h) A N D F - S E C U R E S E C U R I T Y R E S E A R C H ( b o t t o m g r a p h)
deal with it. As soon as the alert was served and dissected on a machine that the door before turning them on, lest an
sounded, my co-workers and I at F-Se- is disconnected from any network, wire- unsuspecting employee walk in and catch
cure, a computer security firm, started less malware can spread— in some cases, the bug. Later that year F-Secure built
inspecting the new virus, which was a even make transoceanic leaps — the mo- two aluminum-and-copper-encased lab-
type known as a worm [see box on op- ment the infected phone is powered up. oratories, impenetrable to radio waves,
posite page for definitions of terms]. So we took four cell phones hit by to study this contagious new form of
But we had no safe place to study it; un- Cabir to the basement bomb shelter in malware.
Although the initial version of Cabir
Overview/Imperiled Phones was relatively innocuous, some unscru-
pulous malware writers rushed to mod-
■ The first malicious software aimed at smartphones hit in 2004. Smartphones ify it into forms that are more virulent
are mobile phones that permit users to install software applications from and damaging, while others began
sources other than the cellular network operator. crafting novel kinds of attacks. Mobile
■ Today more than 300 kinds of malware — among them worms, Trojan horses, viruses on the loose now can completely
other viruses and spyware — have been unleashed against the devices. disable a phone, delete the data on it or
■ As sales of such sophisticated phones soar worldwide, the stage is being set force the device to send costly messages
for the massive spread of malware. Steps are being taken to prevent that to premium-priced numbers. Within
scenario, but the opportunity to block the onslaught is unlikely to last long. two years the number of viruses target-
ing smartphones soared from one to
72 SCIENTIFIC A MERIC A N NOV EMBER 2006
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
4. more than 200, a rate of growth that
roughly paralleled that of computer vi-
ruses in the first two years after the first
PC virus, called Brain, was released
in 1986.
Despite Herculean efforts to rein it
Smartphones could in the
in, PC malware continues at a gallop:
more than 200,000 forms have been very near future make up
identified so far, and today an unpro-
tected PC is often infected within min- most of the world’s computers.
utes of connecting to the Internet. The
economic costs of the 20-year onslaught
have been steep, and they are spiraling tions of smartphones that run more vices accrete more PC-like functionality.
higher as old-school malware written open operating systems, Web browsers, At the same time that smartphones have
for glory has given way to a new era of e-mail and other messaging clients and begun sporting features such as video
“crimeware” designed for spamming, that contain Flash memory card readers cameras, GPS navigation and MP3 play-
data theft or extortion. and short-range Bluetooth radios. Each ers, their prices have dropped — subsi-
Mobile malware, though little more of these features offers a conduit through dized in part by network operators, who
than a nuisance today, could quickly es- which malware can propagate. hope the new capabilities will encour-
calate into an even more formidable Bluetooth, for example, allows cer- age customers to spend more on cellular
problem than PC malware in the years tain mobile worms to spread among vul- services. Manufacturers sold more than
ahead unless the security community, nerable phones by mere proximity, al- 40 million smartphones last year, and
cellular network operators, smartphone most like the influenza virus. A Blue- industry analysts expect to see 350 mil-
designers and phone users all work to- tooth-equipped smartphone can identify lion units in service by 2009.
gether to hold it in check. The history of and exchange files with other Bluetooth In the medium term, these devices
PC malware is humbling, but it offers devices from a distance of 10 meters or may be adopted most quickly in emerg-
lessons that will help us to anticipate more. As victims travel, their phones can ing economies, where computer owner-
some of the ways in which mobile virus leave a trail of infected bystanders in
writers will strike next and to take steps their wake. And any event that attracts
to thwart them. a large crowd presents a perfect breeding
ground for Bluetooth viruses.
A Malware Primer
A Rising Tide A particularly nasty form of Cabir, PHISHING SCAM
i n 19 8 8 many computer experts dis- for example, spread so rapidly through Fraudulent Web page, e-mail or text
missed viruses as inconsequential novel- the audience at the 2005 world track and message that entices the unwary
ties. That assessment proved regrettably field championships in Helsinki that sta- to reveal passwords, financial details
or other private data.
naive. For mobile malware, the time is dium operators flashed warnings on the
now 1988, and we have a brief window big screen. Most smartphones can put SPYWARE
in which to act to avoid repeating the Bluetooth into a “nondiscoverable” mode Software that reveals private
mistakes of the past. that protects them from invasion by information about the user or
One such mistake was to underesti- worms. But few users avail themselves of computer system to eavesdroppers.
mate how quickly malware would grow this feature. While giving a talk at a TROJAN HORSE
in prevalence, diversity and sophistica- computer security conference this spring, A program that purports to be
tion. Prevalence is a function of both the I conducted a quick scan of the room useful but actually harbors hidden
population of potential hosts for virtual and found that almost half the profes- malicious code.
pathogens and of their rate of infection. sionals in the audience had left the Blue- VIRUS
The target population for malicious mo- tooth radios in their phones wide open. Originally, computer code that inserts
bile software is enormous and growing The proportion is even higher among the itself into another program and
by leaps. There are now more than two general population, so these devices of- replicates when the host software
billion mobile phones in the world. fer a disturbingly effective vector for in- runs. Now often used as a generic
It is true that the great majority of visible parasites. term that also includes Trojan horses
and worms.
these are older cell phones running And this host population is growing
closed, proprietary operating systems rapidly. Smartphones got started as ex- WORM
that are largely immune from viral infec- pensive business models, but their pop- Self-replicating code that auto-
tion. But customers are quickly aban- ularity with consumers has recently matically spreads across a network.
doning these devices for newer genera- taken off. With each generation the de-
w w w. s c ia m . c o m SCIENTIFIC A MERIC A N 73
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
5. ANATOMY OF AN ATTACK
Even an astute person
can fall victim to a well-
designed mobile worm,
1 As Bob boards a bus, his smartphone beeps.
Another phone in the vehicle is carrying
CommWarrior.Q, which is attempting to copy itself
2 Bob’s phone alerts him that it is
about to receive a file and asks his
permission to accept the transmission.
such as CommWarrior. onto Bob’s phone via Bluetooth.
Some 15 variants of this
worm have been seen
since the malware was
first spotted in March
2005. CommWarrior
exploits the Bluetooth
user interface to
persuade victims to
install the malware on
their phones. Once
active, it can spread
rapidly via Bluetooth
connections, multimedia
(MMS) messages and
memory cards.
4 Bob needs to make an urgent call so he finally
answers “yes” to the transmission query
and to the installation and security queries after it.
5 Comm-
Warrior.Q
begins
His phone now becomes infected. If Bob should scanning
place his phone’s memory card into another phone for other
to transfer an application, the second device would Bluetooth
become infected. devices
nearby and
attempts to
copy itself
onto any
it finds,
sometimes
onto several
at once.
7 The worm now sends MMS copies of itself to every mobile
number in Alice’s address book, along with a text message
cunningly assembled from past messages Alice has sent.
74 SCIENTIFIC A MERIC A N NOV EMBER 2006
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
6. ship is still relatively low. Research by ca, Japan and South Korea. Cellular
Canalys, a high-tech consultancy near operators in North America have spread
3 Suspicious, Bob answers “no.” The phone simply
beeps and repeats the question. As long as he
answers “no,” Bob cannot make a call, send
Reading, England, found that smart- their markets more equally across the
phone sales in the first quarter of this various platforms. The Japanese and
messages or use any other software on his phone. year grew twice as fast in eastern Eu- Korean markets were dominated for a
rope, Africa and the Middle East as they long time by Linux-based phones, and
did in western Europe. Industry ana- carriers there heavily restrict the types
lysts predict that some developing na- of applications that users can install on
tions will choose to forgo construction their phones.
of a wired Internet infrastructure and Carriers would be wise to begin edu-
will instead upgrade their digital wire- cating cellular customers now about
less networks and promote smartphones how to identify and avoid mobile virus-
as affordable computers. The wireless es, rather than waiting until these infec-
route can be much less expensive to con- tions become epidemic. Phone makers
struct and maintain (and, from a cen- should install antivirus software by de-
sor’s perspective, much easier to moni- fault, just as PC manufacturers now do.
tor and control). And regulators and phone companies
If these forecasts prove accurate, can also help avoid the monoculture
smartphones could in the very near fu- problem that plagues PCs by encourag-
ture make up most of the world’s com- ing a diverse ecosystem for smartphones
puters. And huge populations of users in which no single variety of software
6
who have little or no experience with dominates the market.
Also, when Bob
sends a text computers could soon be surfing the
message to Alice, the Web and sharing files with their phones. From Kicks to Crime
worm immediately They would present mobile malware di v e rsi t y c u ts both ways, of course.
sends Alice a follow- creators with an irresistibly large and Over time malware, too, inevitably mu-
up MMS file contain- unwary target. tates into new species that attack and
ing a copy of the
worm, renamed with One lesson from PC viruses is that subvert useful software in an ever wid-
a plausible file name. the bigger the target, the bigger the at- ening variety of ways. On the PC, the
When Alice opens the traction for nefarious programmers. early viruses were eventually joined by
message, her phone The vast majority of desktop malware Trojans, worms, spyware and most re-
gets infected. works only on the ubiquitous Microsoft cently phishing attacks. Since 2003
Windows operating system. For the much of the new malware appearing on
same reason, nearly all the mobile PCs has been written for profit rather
worms and Trojan horses released so far than for mere mischief. Organized
infect the Symbian operating system, gangs of cyber-criminals now operate
which runs some 70 percent of smart- all over the world. Thieves use crime-
phones worldwide — including phones ware to make money by stealing finan-
made by Nokia, Samsung, Sony Erics- cial data, business secrets or computer
son and Motorola. In contrast, only a resources. Spammers assemble “bot-
few varieties of malware infect Micro- nets” of hacked machines to forward
soft’s PocketPC or Windows Mobile, bulk e-mail and phishing scams. And
Palm’s Treo, or Research in Motion’s blackmailers extort money with threats
BlackBerry devices. The Symbian bias of digital destruction or of virtual block-
partly explains why mobile malware is ades that shut down a company’s Web
currently most prevalent in Europe and or e-mail servers. In some countries, cy-
Southeast Asia, where Symbian is com- ber-criminals are virtually untouchable
monplace, but is rarer in North Ameri- because authorities lack the technical
THE AUTHOR
MIKKO HYPPONEN is chief research officer for F-Secure, a computer security company in
8 Every time Alice replies to a text message,
Helsinki that consults for mobile phone makers and network operators. His team of virus
MIR ACLE S TUDIOS
CommWarrior.Q follows up with an infected fighters has been first to identify and combat dozens of viruses in the 15 years he has
MMS package. Alice’s carrier charges for every MMS worked at F-Secure, including the infamous LoveLetter worm in 2000. A co-author of two
message she sends, so her bill quickly mounts. books on computer security, Hypponen has assisted with investigations by Microsoft, the
U.S. Federal Bureau of Investigation, the U.S. Secret Service and Scotland Yard in the U.K.
w w w. s c ia m . c o m SCIENTIFIC A MERIC A N 75
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
7. to destroy privacy is obvious. Only a
handful of such programs have been
seen as yet. One, called FlexiSpy, peri-
odically and invisibly sends a log of
Computers do not have a built-in phone calls and multimedia messages,
both sent and received, to a third party.
billing system; mobile phones do. The eavesdropper needs to gain physical
access to the phone to download and
The bad guys will exploit this install the spying program.
MIR ACLE S TUDIOS
It may not be long, however, before
feature before long. hackers incorporate this kind of eaves-
dropping behavior into viruses that rep-
licate on their own. With new phones
featuring voice recorder capability,
expertise, resources or will to enforce financial capabilities of mobile phones manufacturers should take extra care to
laws against computer crimes. on the rise, we will have to move rapidly ensure that these features cannot easily
As for-profit virus writing increases, in the next couple of years. Actions now be exploited by malware to record con-
the likelihood of severe mobile malware could thwart mobile malware while it is versations and then beam the recordings
attacks escalates as well. After all, every in its infancy and while smartphone ser- to a snoop.
phone call placed and every text or multi- vices are still fairly flexible in their de- Then there is the surprising fact that
media message sent is also a financial sign. But that window of opportunity not one of the more than 300 forms of
transaction. That opens up a flood of will not stay open for long. mobile malware released as yet exploits
potential earning opportunities for programming bugs or security design
profiteer hackers and virus authors. More Dangers Ahead flaws to insert itself into a vulnerable
Computers do not have a built-in billing t h e r e a s o n f o r h a s t e is clear machine. This has long been a standard
system; mobile phones do. The bad guys when one considers all the ways that modus operandi for many PC viruses
will exploit this feature before long. hackers could— but have yet to — wreak and Trojans.
Indeed, at least one already has. A havoc with smartphones. On personal So far mobile malware writers have
Trojan called RedBrowser sends a con- computers, many of the worst culprits instead relied exclusively on “social en-
tinuous stream of text messages from spread via e-mail or force infected ma- gineering”— in other words, tricking us-
any phone it infects to a number in Rus- chines to spew spam onto the Internet. ers into actively allowing installation of
sia until the user disables the phone. None of the miscreant programs re- the malicious program on their phones.
Each message is charged at a premium leased so far for smartphones capitalize Some camouflage themselves as useful
rate of about five dollars, resulting in on the devices’ ability to send e-mail. It utilities or desirable games. But some,
huge bills for the unfortunate victims. is only a matter of time until malware especially ones like Cabir and Comm-
Some cellular carriers hold their cus- appears that can propagate as e-mail at- Warrior that spread via Bluetooth, do
tomers liable for such unauthorized tachments or can turn phones into spam- not. Many people accept the files even
transactions, and when they do, the sending robots. when the device warns of the security
criminals, who own the premium num- Spyware is another mushrooming risk and gives them a chance to refuse
ber, collect the premium fees. Luckily, problem in the PC arena, and the poten- the foreign software.
RedBrowser has so far only been spot- tial for surreptitious software on phones I and other researchers have asked
ted inside Russia.
Meanwhile service providers in
North American markets are beginning
Some Protective Software for Smartphones
to introduce “mobile wallets.” Custom- COMPANY PROGRAM NAME SUPPORTED OPERATING SYSTEMS
ers will be able to use their phones to
F-Secure Mobile Anti-Virus PocketPC, Symbian, Windows Mobile
transfer funds from their accounts to
others by sending specially formatted Mobile Security Nokia Communicators
text messages. PayPal, a digital payments
firm, offers a similar service that allows McAfee VirusScan Mobile PocketPC, Symbian, Windows Mobile
users to buy items using their phones. Symantec AntiVirus for Handhelds Palm, PocketPC, Windows Mobile
Such services could be of intense interest
to malware authors. Mobile Security Symbian
With both the sophistication of mo-
Trend Micro Mobile Security PocketPC, Symbian, Windows Mobile
bile malware and the technological and
76 SCIENTIFIC A MERIC A N NOV EMBER 2006
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.
8. UMTS data networks that their mobile
A Bestiary of Mobile Malware devices use; open Wi-Fi networks have
no such protection. And while some car-
NAME TYPE AND METHOD OF INFECTION EFFECTS riers already filter their MMS streams to
remove messages bearing malicious at-
Cabir Worm. Connects to other Bluetooth Constant Bluetooth scanning tachments, all should do so.
(discovered devices and copies itself drains phone’s battery Some of the biggest phone manufac-
June 2004)
turers have joined the Trusted Comput-
ing Group, which has been hammering
CommWarrior Worm. Replicates via Bluetooth; sends Some users incur a charge out industry standards for microcircuit-
(discovered itself as an MMS file to numbers in for every MMS file the worm
March 2005) phone’s address book and in automatic sends; variants of the worm
ry inside phones that will make it harder
replies to incoming SMS (text) and MMS disable phone entirely for malware to get at sensitive data in the
messages; copies itself to the device’s memory or to hijack its payment
removable memory card and inserts mechanisms. And Symbian recently re-
itself into other program installation leased a new version of its operating sys-
files on phone
tem that does an improved job of pro-
tecting key files and that requires soft-
Doomboot Trojan horse. Pretends to be a version Prevents phone from booting ware authors to obtain digital certificates
(discovered of the Doom 2 video game, enticing and installs Cabir and
from the company. The new Symbian
July 2005) users to download and install it CommWarrior on phone
system refuses to install programs not
accompanied by a certificate. Unless dis-
RedBrowser Trojan horse. Deceptive description on Surreptitiously sends a
abled by a user, the system effectively
(discovered a Web site offering many downloadable stream of text messages, at
February 2006) programs entices users to install this a premium rate of $5 each, excludes all mobile malware discovered
Java program, which runs on hundreds to a phone number in Russia to date.
of phone models Governments could also play a more
constructive role than they have so far.
FlexiSpy Spyware. Internet download, Sends a log of phone calls Even though most countries have passed
(discovered typically installed by someone other and copies of text and MMS laws against hacking both ordinary
March 2006) than phone owner messages to a commercial computers and the computers inside cell
Internet server for viewing phones, enforcement is lax or nonexis-
by a third party
tent in most of the world. Many of the
nations hit hardest so far by mobile mal-
people victimized by such viruses: Why concerned. Antivirus software now ware outbreaks, such as Malaysia, Indo-
did you click “yes”? A common answer available from many companies can im- nesia and the Philippines, do not always
is that they did not at first— they chose munize and disinfect smartphones. Yet collect reliable and timely statistics that
“no.” But then the question immediately few customers have installed such pro- could be helpful for tracking software
reappeared on the screen. A worm, you tection. That needs to change. crimes.
see, does not take no for an answer, and Phones should also incorporate fire- For our part, my team and others in
it gives the user no time to hit the menu wall software that warns the user when the security research community have
option to disable Bluetooth [see box on a program on the phone seizes the initia- been proactively studying Symbian and
pages 74 and 75]. Unfortunately, even tive to open an Internet connection. This PocketPC, looking for vulnerabilities in
the newest versions of most smartphones is an especially important form of pro- the code and in the system designs that
permit the kind of Bluetooth harassment tection for smartphones that can con- might afford entrée to malware. We
that effectively denies a person use of a nect to Wi-Fi (also called 802.11) net- hope to find these holes so that they can
phone until the individual accepts the works and thus directly to the public be patched before the bad guys exploit
file transfer (or until the user walks out Internet. Many cellular companies ag- them in the inevitable next round of this
of range of whatever infected device is gressively filter traffic on the GPRS or constant battle.
sending the request— although few peo-
ple realize they have this option). MORE TO EXPLORE
Mobile Phones as Computing Devices: The Viruses Are Coming! David Dagon, Tom Martin and
Staying a Step Ahead Thad Starner in IEEE Pervasive Computing, Vol. 3, No. 4, pages 11–15; October–December 2004.
t h e o n ly h op e of stopping mobile Mobile Phones: The Next Frontier for Hackers? Neal Leavitt in Computer, Vol. 38, No. 4,
malware before it seriously degrades the pages 20–23; April 2005.
utility and value of smartphones is quick Mikko Hypponen and his teammates blog at www.f-secure.com/weblog/
and concerted action on the part of all Trusted Computing Group: www.trustedcomputinggroup.org/groups/mobile
w w w. s c ia m . c o m SCIENTIFIC A MERIC A N 77
COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC.