MALWARE GOES MOBILE
By Mikko Hypponen
Scientific American, November 2006

Computer viruses are now airborne, infecting mobile phones in every part of the globe. Security companies, cellular operators and phone makers are moving to quash these threats before they spiral out of control.

[Illustration: Infection of one smartphone by malicious software, or malware, could bring down others in a domino effect.]

The day the computer security community had anticipated for years finally arrived in June 2004. I and other researchers who study malicious forms of software knew that it was only a matter of time until such malware appeared on mobile phones as well. As cell phones have evolved into smartphones, able to download programs from the Internet and share software with one another through short-range Bluetooth connections, worldwide multimedia messaging service (MMS) communications and memory cards, the devices' novel capabilities have created new vulnerabilities. Scoundrels were bound to find the weaknesses and exploit them for mischief or, worse, for criminal gain.

Sure enough, three summers ago security experts found the first rogue program written specifically for smartphones. Dubbed Cabir, it was a classic proof-of-concept virus, clearly created to
[Graph: SMARTPHONES ON THE RISE. Units sold worldwide (millions), by quarter, 2003 through 2006. Source: Canalys.]
[Graph: GROWTH IN MOBILE MALWARE. Cumulative number of known malware programs, June 2004 through August 2006. Source: F-Secure Security Research. Graphs by Lucy Reading-Ikkanda; illustrations by Miracle Studios.]

MORE PHONES, MORE TARGETS
The number of smart mobile devices in the world has expanded dramatically in recent years, and so has the amount of malware set loose to attack them. That mix is a recipe for disaster: as the size of a target audience increases, so, too, does the likelihood that miscreant programmers will attack it. And audience size is expected to soar in the years ahead. Industry analysts predict that more than 200 million smartphones will be sold in 2009.

OVERVIEW / IMPERILED PHONES
■ The first malicious software aimed at smartphones hit in 2004. Smartphones are mobile phones that permit users to install software applications from sources other than the cellular network operator.
■ Today more than 300 kinds of malware, among them worms, Trojan horses, other viruses and spyware, have been unleashed against the devices.
■ As sales of such sophisticated phones soar worldwide, the stage is being set for the massive spread of malware. Steps are being taken to prevent that scenario, but the opportunity to block the onslaught is unlikely to last long.

capture bragging rights. It caused no damage to an infected device, other than running down the phone's battery as the virus tried to copy itself to another smartphone by opening a Bluetooth connection. The anonymous author, most likely somewhere in Spain, chose to post Cabir on a Web site rather than releasing it into the wild. But within two months other scofflaws had turned it loose in Southeast Asia. It soon spread worldwide.

Even though we had been on the lookout for viruses such as Cabir, security experts were not fully prepared to deal with it. As soon as the alert sounded, my co-workers and I at F-Secure, a computer security firm, started inspecting the new virus, which was a type known as a worm [see "A Malware Primer" for definitions of terms]. But we had no safe place to study it. Unlike a computer virus, which can be observed and dissected on a machine that is disconnected from any network, wireless malware can spread (in some cases, even make transoceanic leaps) the moment the infected phone is powered up. So we took four cell phones hit by Cabir to the basement bomb shelter in our office building and posted a guard at the door before turning them on, lest an unsuspecting employee walk in and catch the bug. Later that year F-Secure built two aluminum-and-copper-encased laboratories, impenetrable to radio waves, to study this contagious new form of malware.

Although the initial version of Cabir was relatively innocuous, some unscrupulous malware writers rushed to modify it into forms that are more virulent and damaging, while others began crafting novel kinds of attacks. Mobile viruses on the loose now can completely disable a phone, delete the data on it or force the device to send costly messages to premium-priced numbers. Within two years the number of viruses targeting smartphones soared from one to
more than 200, a rate of growth that roughly paralleled that of computer viruses in the first two years after the first PC virus, called Brain, was released in 1986. Despite Herculean efforts to rein it in, PC malware continues at a gallop: more than 200,000 forms have been identified so far, and today an unprotected PC is often infected within minutes of connecting to the Internet. The economic costs of the 20-year onslaught have been steep, and they are spiraling higher as old-school malware written for glory has given way to a new era of "crimeware" designed for spamming, data theft or extortion.

Mobile malware, though little more than a nuisance today, could quickly escalate into an even more formidable problem than PC malware in the years ahead unless the security community, cellular network operators, smartphone designers and phone users all work together to hold it in check. The history of PC malware is humbling, but it offers lessons that will help us to anticipate some of the ways in which mobile virus writers will strike next and to take steps to thwart them.

A MALWARE PRIMER
PHISHING SCAM: Fraudulent Web page, e-mail or text message that entices the unwary to reveal passwords, financial details or other private data.
SPYWARE: Software that reveals private information about the user or computer system to eavesdroppers.
TROJAN HORSE: A program that purports to be useful but actually harbors hidden malicious code.
VIRUS: Originally, computer code that inserts itself into another program and replicates when the host software runs. Now often used as a generic term that also includes Trojan horses and worms.
WORM: Self-replicating code that automatically spreads across a network.

A Rising Tide
In 1988 many computer experts dismissed viruses as inconsequential novelties. That assessment proved regrettably naive. For mobile malware, the time is now 1988, and we have a brief window in which to act to avoid repeating the mistakes of the past.

One such mistake was to underestimate how quickly malware would grow in prevalence, diversity and sophistication. Prevalence is a function both of the population of potential hosts for virtual pathogens and of their rate of infection. The target population for malicious mobile software is enormous and growing by leaps. There are now more than two billion mobile phones in the world.

It is true that the great majority of these are older cell phones running closed, proprietary operating systems that are largely immune from viral infection. But customers are quickly abandoning these devices for newer generations of smartphones that run more open operating systems, Web browsers, e-mail and other messaging clients and that contain Flash memory card readers and short-range Bluetooth radios. Each of these features offers a conduit through which malware can propagate.

Bluetooth, for example, allows certain mobile worms to spread among vulnerable phones by mere proximity, almost like the influenza virus. A Bluetooth-equipped smartphone can identify and exchange files with other Bluetooth devices from a distance of 10 meters or more. As victims travel, their phones can leave a trail of infected bystanders in their wake. And any event that attracts a large crowd presents a perfect breeding ground for Bluetooth viruses. A particularly nasty form of Cabir, for example, spread so rapidly through the audience at the 2005 world track and field championships in Helsinki that stadium operators flashed warnings on the big screen. Most smartphones can put Bluetooth into a "nondiscoverable" mode that protects them from invasion by worms. (Nondiscoverable mode only stops the phone from answering other devices' discovery scans; a device that already knows the phone's Bluetooth address can still try to connect, so the setting narrows the attack surface rather than closing it.) But few users avail themselves of this feature. While giving a talk at a computer security conference this spring, I conducted a quick scan of the room and found that almost half the professionals in the audience had left the Bluetooth radios in their phones wide open. The proportion is even higher among the general population, so these devices offer a disturbingly effective vector for invisible parasites.

ANATOMY OF AN ATTACK
Even an astute person can fall victim to a well-designed mobile worm, such as CommWarrior. Some 15 variants of this worm have been seen since the malware was first spotted in March 2005. CommWarrior exploits the Bluetooth user interface to persuade victims to install the malware on their phones. Once active, it can spread rapidly via Bluetooth connections, multimedia (MMS) messages and memory cards.
1. As Bob boards a bus, his smartphone beeps. Another phone in the vehicle is carrying CommWarrior.Q, which is attempting to copy itself onto Bob's phone via Bluetooth.
2. Bob's phone alerts him that it is about to receive a file and asks his permission to accept the transmission.
3. Suspicious, Bob answers "no." The phone simply beeps and repeats the question. As long as he answers "no," Bob cannot make a call, send messages or use any other software on his phone.
4. Bob needs to make an urgent call, so he finally answers "yes" to the transmission query and to the installation and security queries after it. His phone now becomes infected. If Bob should place his phone's memory card into another phone to transfer an application, the second device would become infected.
5. CommWarrior.Q begins scanning for other Bluetooth devices nearby and attempts to copy itself onto any it finds, sometimes onto several at once.
6. Also, when Bob sends a text message to Alice, the worm immediately sends Alice a follow-up MMS file containing a copy of the worm, renamed with a plausible file name. When Alice opens the message, her phone gets infected.
7. The worm now sends MMS copies of itself to every mobile number in Alice's address book, along with a text message cunningly assembled from past messages Alice has sent.
8. Every time Alice replies to a text message, CommWarrior.Q follows up with an infected MMS package. Alice's carrier charges for every MMS message she sends, so her bill quickly mounts.

And this host population is growing rapidly. Smartphones got started as expensive business models, but their popularity with consumers has recently taken off. With each generation the devices accrete more PC-like functionality. At the same time that smartphones have begun sporting features such as video cameras, GPS navigation and MP3 players, their prices have dropped, subsidized in part by network operators, who hope the new capabilities will encourage customers to spend more on cellular services. Manufacturers sold more than 40 million smartphones last year, and industry analysts expect to see 350 million units in service by 2009.

In the medium term, these devices may be adopted most quickly in emerging economies, where computer ownership is still relatively low. Research by Canalys, a high-tech consultancy near Reading, England, found that smartphone sales in the first quarter of this year grew twice as fast in eastern Europe, Africa and the Middle East as they did in western Europe. Industry analysts predict that some developing nations will choose to forgo construction of a wired Internet infrastructure and will instead upgrade their digital wireless networks and promote smartphones as affordable computers. The wireless route can be much less expensive to construct and maintain (and, from a censor's perspective, much easier to monitor and control).

If these forecasts prove accurate, smartphones could in the very near future make up most of the world's computers. And huge populations of users who have little or no experience with computers could soon be surfing the Web and sharing files with their phones. They would present mobile malware creators with an irresistibly large and unwary target.

One lesson from PC viruses is that the bigger the target, the bigger the attraction for nefarious programmers. The vast majority of desktop malware works only on the ubiquitous Microsoft Windows operating system. For the same reason, nearly all the mobile worms and Trojan horses released so far infect the Symbian operating system, which runs some 70 percent of smartphones worldwide, including phones made by Nokia, Samsung, Sony Ericsson and Motorola. In contrast, only a few varieties of malware infect Microsoft's PocketPC or Windows Mobile, Palm's Treo, or Research in Motion's BlackBerry devices. The Symbian bias partly explains why mobile malware is currently most prevalent in Europe and Southeast Asia, where Symbian is commonplace, but is rarer in North America, Japan and South Korea. Cellular operators in North America have spread their markets more equally across the various platforms. The Japanese and Korean markets were dominated for a long time by Linux-based phones, and carriers there heavily restrict the types of applications that users can install on their phones.

Carriers would be wise to begin educating cellular customers now about how to identify and avoid mobile viruses, rather than waiting until these infections become epidemic. Phone makers should install antivirus software by default, just as PC manufacturers now do. And regulators and phone companies can also help avoid the monoculture problem that plagues PCs by encouraging a diverse ecosystem for smartphones in which no single variety of software dominates the market.

THE AUTHOR
MIKKO HYPPONEN is chief research officer for F-Secure, a computer security company in Helsinki that consults for mobile phone makers and network operators. His team of virus fighters has been first to identify and combat dozens of viruses in the 15 years he has worked at F-Secure, including the infamous LoveLetter worm in 2000. A co-author of two books on computer security, Hypponen has assisted with investigations by Microsoft, the U.S. Federal Bureau of Investigation, the U.S. Secret Service and Scotland Yard in the U.K.

From Kicks to Crime
Diversity cuts both ways, of course. Over time malware, too, inevitably mutates into new species that attack and subvert useful software in an ever widening variety of ways. On the PC, the early viruses were eventually joined by Trojans, worms, spyware and most recently phishing attacks. Since 2003 much of the new malware appearing on PCs has been written for profit rather than for mere mischief. Organized gangs of cyber-criminals now operate all over the world. Thieves use crimeware to make money by stealing financial data, business secrets or computer resources. Spammers assemble "botnets" of hacked machines to forward bulk e-mail and phishing scams. And blackmailers extort money with threats of digital destruction or of virtual blockades that shut down a company's Web or e-mail servers. In some countries, cyber-criminals are virtually untouchable because authorities lack the technical
expertise, resources or will to enforce laws against computer crimes.

As for-profit virus writing increases, the likelihood of severe mobile malware attacks escalates as well. After all, every phone call placed and every text or multimedia message sent is also a financial transaction. That opens up a flood of potential earning opportunities for profiteer hackers and virus authors. Computers do not have a built-in billing system; mobile phones do. The bad guys will exploit this feature before long.

Indeed, at least one already has. A Trojan called RedBrowser sends a continuous stream of text messages from any phone it infects to a number in Russia until the user disables the phone. Each message is charged at a premium rate of about five dollars, resulting in huge bills for the unfortunate victims. Some cellular carriers hold their customers liable for such unauthorized transactions, and when they do, the criminals, who own the premium number, collect the premium fees. Luckily, RedBrowser has so far only been spotted inside Russia.

Meanwhile service providers in North American markets are beginning to introduce "mobile wallets." Customers will be able to use their phones to transfer funds from their accounts to others by sending specially formatted text messages. PayPal, a digital payments firm, offers a similar service that allows users to buy items using their phones. Such services could be of intense interest to malware authors.

With both the sophistication of mobile malware and the technological and financial capabilities of mobile phones on the rise, we will have to move rapidly in the next couple of years. Actions now could thwart mobile malware while it is in its infancy and while smartphone services are still fairly flexible in their design. But that window of opportunity will not stay open for long.

SOME PROTECTIVE SOFTWARE FOR SMARTPHONES
COMPANY | PROGRAM NAME | SUPPORTED OPERATING SYSTEMS
F-Secure | Mobile Anti-Virus | PocketPC, Symbian, Windows Mobile
F-Secure | Mobile Security | Nokia Communicators
McAfee | VirusScan Mobile | PocketPC, Symbian, Windows Mobile
Symantec | AntiVirus for Handhelds | Palm, PocketPC, Windows Mobile
Symantec | Mobile Security | Symbian
Trend Micro | Mobile Security | PocketPC, Symbian, Windows Mobile

More Dangers Ahead
The reason for haste is clear when one considers all the ways that hackers could, but have yet to, wreak havoc with smartphones. On personal computers, many of the worst culprits spread via e-mail or force infected machines to spew spam onto the Internet. None of the miscreant programs released so far for smartphones capitalize on the devices' ability to send e-mail. It is only a matter of time until malware appears that can propagate as e-mail attachments or can turn phones into spam-sending robots.

Spyware is another mushrooming problem in the PC arena, and the potential for surreptitious software on phones to destroy privacy is obvious. Only a handful of such programs have been seen as yet. One, called FlexiSpy, periodically and invisibly sends a log of phone calls and multimedia messages, both sent and received, to a third party. The eavesdropper needs to gain physical access to the phone to download and install the spying program. It may not be long, however, before hackers incorporate this kind of eavesdropping behavior into viruses that replicate on their own. With new phones featuring voice recorder capability, manufacturers should take extra care to ensure that these features cannot easily be exploited by malware to record conversations and then beam the recordings to a snoop.

Then there is the surprising fact that not one of the more than 300 forms of mobile malware released as yet exploits programming bugs or security design flaws to insert itself into a vulnerable machine. This has long been a standard modus operandi for many PC viruses and Trojans. So far mobile malware writers have instead relied exclusively on "social engineering," in other words, tricking users into actively allowing installation of the malicious program on their phones. Some camouflage themselves as useful utilities or desirable games. But some, especially ones like Cabir and CommWarrior that spread via Bluetooth, do not. Many people accept the files even when the device warns of the security risk and gives them a chance to refuse the foreign software. I and other researchers have asked
people victimized by such viruses: Why did you click "yes"? A common answer is that they did not at first; they chose "no." But then the question immediately reappeared on the screen. A worm, you see, does not take no for an answer, and it gives the user no time to hit the menu option to disable Bluetooth [see "Anatomy of an Attack"]. Unfortunately, even the newest versions of most smartphones permit the kind of Bluetooth harassment that effectively denies a person use of a phone until the individual accepts the file transfer (or until the user walks out of range of whatever infected device is sending the request, although few people realize they have this option).

A BESTIARY OF MOBILE MALWARE
NAME | TYPE AND METHOD OF INFECTION | EFFECTS
Cabir (discovered June 2004) | Worm. Connects to other Bluetooth devices and copies itself | Constant Bluetooth scanning drains the phone's battery
CommWarrior (discovered March 2005) | Worm. Replicates via Bluetooth; sends itself as an MMS file to numbers in the phone's address book and in automatic replies to incoming SMS (text) and MMS messages; copies itself to the device's removable memory card and inserts itself into other program installation files on the phone | Some users incur a charge for every MMS file the worm sends; variants of the worm disable the phone entirely
Doomboot (discovered July 2005) | Trojan horse. Pretends to be a version of the Doom 2 video game, enticing users to download and install it | Prevents the phone from booting and installs Cabir and CommWarrior on the phone
RedBrowser (discovered February 2006) | Trojan horse. A deceptive description on a Web site offering many downloadable programs entices users to install this Java program, which runs on hundreds of phone models | Surreptitiously sends a stream of text messages, at a premium rate of $5 each, to a phone number in Russia
FlexiSpy (discovered March 2006) | Spyware. Internet download, typically installed by someone other than the phone's owner | Sends a log of phone calls and copies of text and MMS messages to a commercial Internet server for viewing by a third party

Staying a Step Ahead
The only hope of stopping mobile malware before it seriously degrades the utility and value of smartphones is quick and concerted action on the part of all concerned. Antivirus software now available from many companies can immunize and disinfect smartphones [see "Some Protective Software for Smartphones"]. Yet few customers have installed such protection. That needs to change.

Phones should also incorporate firewall software that warns the user when a program on the phone seizes the initiative to open an Internet connection. This is an especially important form of protection for smartphones that can connect to Wi-Fi (also called 802.11) networks and thus directly to the public Internet. Many cellular companies aggressively filter traffic on the GPRS or UMTS data networks that their mobile devices use; open Wi-Fi networks have no such protection. And while some carriers already filter their MMS streams to remove messages bearing malicious attachments, all should do so.

Some of the biggest phone manufacturers have joined the Trusted Computing Group, which has been hammering out industry standards for microcircuitry inside phones that will make it harder for malware to get at sensitive data in the memory or to hijack its payment mechanisms. And Symbian recently released a new version of its operating system that does an improved job of protecting key files and that requires software authors to obtain digital certificates from the company. The new Symbian system refuses to install programs not accompanied by a certificate. Unless disabled by a user, the system effectively excludes all mobile malware discovered to date. The protection is only as strong as the process that issues the certificates, however: a malicious program that obtains a valid certificate installs just as readily as a legitimate one, and a user who turns the check off gives up the protection entirely.

Governments could also play a more constructive role than they have so far. Even though most countries have passed laws against hacking both ordinary computers and the computers inside cell phones, enforcement is lax or nonexistent in most of the world. Many of the nations hit hardest so far by mobile malware outbreaks, such as Malaysia, Indonesia and the Philippines, do not always collect reliable and timely statistics that could be helpful for tracking software crimes.

For our part, my team and others in the security research community have been proactively studying Symbian and PocketPC, looking for vulnerabilities in the code and in the system designs that might afford entrée to malware. We hope to find these holes so that they can be patched before the bad guys exploit them in the inevitable next round of this constant battle.

MORE TO EXPLORE
Mobile Phones as Computing Devices: The Viruses Are Coming! David Dagon, Tom Martin and Thad Starner in IEEE Pervasive Computing, Vol. 3, No. 4, pages 11–15; October–December 2004.
Mobile Phones: The Next Frontier for Hackers? Neal Leavitt in Computer, Vol. 38, No. 4, pages 20–23; April 2005.
Mikko Hypponen and his teammates blog at www.f-secure.com/weblog/
Trusted Computing Group: www.trustedcomputinggroup.org/groups/mobile