Malware Goes Mobile by Mikko Hypponen

Home , Cabir (computer worm), Mobile malware, Vector (malware)

MALWARE GOES MOBILE BY MIKKO HYPPONEN

Computer viruses are now airborne, infecting mobile phones in every part of the globe. Security companies, cellular operators and phone makers are moving to quash these threats before they spiral out of control

he day the computer security community had anticipated for years finally arrived in June 2004. I and other researchers who study malicious forms of software knew that it was only a matter of time until such T malware appeared on mobile phones as well. As cell phones have evolved into smartphones—able to download programs from the Internet and share software with one another through short-range Bluetooth connections, worldwide multimedia messaging service (MMS) communications and memory cards—the devices’ novel capabilities have created new vulnerabilities. Scoundrels were bound to find the weaknesses and exploit them for mischief or, worse, for criminal gain. Sure enough, three summers ago security experts found the first rogue program written spe- cifically for smartphones. Dubbed Cabir, it was a classic proof-of-concept virus, clearly created to

s) 15 on MORE PHONES, MORE TARGETS

The number of smart mobile devices (milli in the world has expanded dramatically de 10 dwi

in recent years, and so has the amount rl Wo

of malware set loose to attack them. ,

That mix is a recipe for disaster: as the ld 5

size of a target audience increases, so, s So too, does the likelihood that miscreant it Un programmers will attack it. And 0 audience size is expected to soar in Quarter 1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 the years ahead. Industry analysts 2003 2004 2005 2006 predict that more than 200 million smartphones will be sold in 2009. GROWTH IN MOBILE MALWARE

350

capture bragging rights. It caused no ms ra 300 damage to an infected device, other than running down the phone’s battery 250

as the virus tried to copy itself to an- lware Prog 200 other smartphone by opening a Blue- wn Ma

tooth connection. The anonymous au- o 150

thor, most likely somewhere in Spain, Kn 100 chose to post Cabir on a Web site rather of of er

than releasing it into the wild. But with- mb 50

in two months other scofflaws had Nu

ve 0 turned it loose in Southeast Asia. It soon

05 06 04 05 06 . 05 . 04 . ; h 05 h 06 g. spread worldwide. ) pt pt rc rc Au Dec. Dec. ne Ju ne Ju 04 ne Ju Se Se

Even though we had been on the lati mu Cu Ma Ma page lookout for viruses such as Cabir, secu- this ) rity experts were not fully prepared to like a computer virus that can be ob- our ofﬁce building and posted a guard at ( deal with it. As soon as the alert was served and dissected on a machine that the door before turning them on, lest an sounded, my co-workers and I at F-Se- is disconnected from any network, wire- unsuspecting employee walk in and catch

cure, a computer security ﬁrm, started less malware can spread—in some cases, the bug. Later that year F-Secure built bottom graph inspecting the new virus, which was a even make transoceanic leaps—the mo- two aluminum-and-copper-encased lab- type known as a worm [see box on op- ment the infected phone is powered up. oratories, impenetrable to radio waves,

posite page for deﬁnitions of terms]. So we took four cell phones hit by to study this contagious new form of ); LUCY READING-IKKANDA But we had no safe place to study it; un- Cabir to the basement bomb shelter in malware. Although the initial version of Cabir was relatively innocuous, some unscru- Overview/Imperiled Phones opposite page pulous malware writers rushed to mod- and ■ The ﬁrst malicious software aimed at smartphones hit in 2004. Smartphones ify it into forms that are more virulent

are mobile phones that permit users to install software applications from and damaging, while others began ) AND F-SECURE SECURITY RESEARCH ( sources other than the cellular network operator. crafting novel kinds of attacks. Mobile ■ — Today more than 300 kinds of malware among them worms, Trojan horses, viruses on the loose now can completely top graph other viruses and spyware—have been unleashed against the devices. disable a phone, delete the data on it or preceding pages ■ As sales of such sophisticated phones soar worldwide, the stage is being set force the device to send costly messages for the massive spread of malware. Steps are being taken to prevent that to premium-priced numbers. Within scenario, but the opportunity to block the onslaught is unlikely to last long. two years the number of viruses target- MIRACLE STUDIOS ( ing smartphones soared from one to SOURCES: CANALYS (

72 SCIENTIFIC AMERICAN NOVEMBER 2006 COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC. more than 200, a rate of growth that roughly paralleled that of computer viruses in the first two years after the first PC virus, called Brain, was released in 1986. Despite Herculean efforts to rein it Smartphones could in the in, PC malware continues at a gallop: more than 200,000 forms have been very near future make up identified so far, and today an unpro- tected PC is often infected within min- most of the world’s computers. utes of connecting to the Internet. The economic costs of the 20-year onslaught have been steep, and they are spiraling tions of smartphones that run more vices accrete more PC-like functionality. higher as old-school malware written open operating systems, Web browsers, At the same time that smartphones have for glory has given way to a new era of e-mail and other messaging clients and begun sporting features such as video “crimeware” designed for spamming, that contain Flash memory card readers cameras, GPS navigation and MP3 play- data theft or extortion. and short-range Bluetooth radios. Each ers, their prices have dropped—subsi- Mobile malware, though little more of these features offers a conduit through dized in part by network operators, who than a nuisance today, could quickly es- which malware can propagate. hope the new capabilities will encour- calate into an even more formidable Bluetooth, for example, allows cer- age customers to spend more on cellular problem than PC malware in the years tain mobile worms to spread among vul- services. Manufacturers sold more than ahead unless the security community, nerable phones by mere proximity, al- 40 million smartphones last year, and cellular network operators, smartphone most like the influenza virus. A Blue- industry analysts expect to see 350 mil- designers and phone users all work to- tooth-equipped smartphone can identify lion units in service by 2009. gether to hold it in check. The history of and exchange files with other Bluetooth In the medium term, these devices PC malware is humbling, but it offers devices from a distance of 10 meters or may be adopted most quickly in emerg- lessons that will help us to anticipate more. As victims travel, their phones can ing economies, where computer owner- some of the ways in which mobile virus leave a trail of infected bystanders in writers will strike next and to take steps their wake. And any event that attracts to thwart them. a large crowd presents a perfect breeding A Malware Primer ground for Bluetooth viruses. A Rising Tide A particularly nasty form of Cabir, PHISHING SCAM i n 1988 many computer experts dis- for example, spread so rapidly through Fraudulent Web page, e-mail or text missed viruses as inconsequential novel- the audience at the 2005 world track and message that entices the unwary ties. That assessment proved regrettably field championships in Helsinki that sta- to reveal passwords, financial details or other private data. naive. For mobile malware, the time is dium operators flashed warnings on the now 1988, and we have a brief window big screen. Most smartphones can put SPYWARE in which to act to avoid repeating the Bluetooth into a “nondiscoverable” mode Software that reveals private mistakes of the past. that protects them from invasion by information about the user or One such mistake was to underesti- worms. But few users avail themselves of computer system to eavesdroppers. mate how quickly malware would grow this feature. While giving a talk at a TROJAN HORSE in prevalence, diversity and sophistica- computer security conference this spring, A program that purports to be tion. Prevalence is a function of both the I conducted a quick scan of the room useful but actually harbors hidden population of potential hosts for virtual and found that almost half the profes- malicious code. pathogens and of their rate of infection. sionals in the audience had left the Blue- VIRUS The target population for malicious mo- tooth radios in their phones wide open. Originally, computer code that inserts bile software is enormous and growing The proportion is even higher among the itself into another program and by leaps. There are now more than two general population, so these devices of- replicates when the host software billion mobile phones in the world. fer a disturbingly effective vector for in- runs. Now often used as a generic It is true that the great majority of visible parasites. term that also includes Trojan horses and worms. these are older cell phones running And this host population is growing closed, proprietary operating systems rapidly. Smartphones got started as ex- WORM that are largely immune from viral infec- pensive business models, but their pop- Self-replicating code that auto- tion. But customers are quickly aban- ularity with consumers has recently matically spreads across a network. doning these devices for newer genera- taken off. With each generation the de-

www.sciam.com SCIENTIFIC AMERICAN 73 COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC. ANATOMY OF AN ATTACK Even an astute person As Bob boards a bus, his smartphone beeps. Bob’s phone alerts him that it is can fall victim to a well- 1 Another phone in the vehicle is carrying 2 about to receive a ﬁle and asks his designed mobile worm, CommWarrior.Q, which is attempting to copy itself permission to accept the transmission. such as CommWarrior. onto Bob’s phone via Bluetooth. Some 15 variants of this worm have been seen since the malware was ﬁrst spotted in March 2005. CommWarrior exploits the Bluetooth user interface to persuade victims to install the malware on their phones. Once active, it can spread rapidly via Bluetooth connections, multimedia (MMS) messages and memory cards.

Bob needs to make an urgent call so he finally Comm- Also, when Bob 4 answers “yes” to the transmission query 5 Warrior.Q 6 sends a text and to the installation and security queries after it. begins message to Alice, the His phone now becomes infected. If Bob should scanning worm immediately place his phone’s memory card into another phone for other sends Alice a follow- to transfer an application, the second device would Bluetooth up MMS file contain- become infected. devices ing a copy of the nearby and worm, renamed with attempts to a plausible file name. copy itself When Alice opens the onto any message, her phone it finds, gets infected. sometimes onto several at once.

The worm now sends MMS copies of itself to every mobile 7 number in Alice’s address book, along with a text message cunningly assembled from past messages Alice has sent.

Every time Alice replies to a text message, 8 CommWarrior.Q follows up with an infected MMS package. Alice’s carrier charges for every MMS message she sends, so her bill quickly mounts.

74 SCIENTIFIC AMERICAN NOVEMBER 2006 COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC. ANATOMY OF AN ATTACK ship is still relatively low. Research by ca, Japan and South Korea. Cellular Canalys, a high-tech consultancy near operators in North America have spread Suspicious, Bob answers “no.” The phone simply Reading, England, found that smart- their markets more equally across the 3 beeps and repeats the question. As long as he answers “no,” Bob cannot make a call, send phone sales in the first quarter of this various platforms. The Japanese and messages or use any other software on his phone. year grew twice as fast in eastern Eu- Korean markets were dominated for a rope, Africa and the Middle East as they long time by Linux-based phones, and did in western Europe. Industry ana- carriers there heavily restrict the types lysts predict that some developing na- of applications that users can install on tions will choose to forgo construction their phones. of a wired Internet infrastructure and Carriers would be wise to begin edu- will instead upgrade their digital wire- cating cellular customers now about less networks and promote smartphones how to identify and avoid mobile virus- as affordable computers. The wireless es, rather than waiting until these infec- route can be much less expensive to con- tions become epidemic. Phone makers struct and maintain (and, from a cen- should install antivirus software by de- sor’s perspective, much easier to moni- fault, just as PC manufacturers now do. tor and control). And regulators and phone companies If these forecasts prove accurate, can also help avoid the monoculture smartphones could in the very near fu- problem that plagues PCs by encourag- ture make up most of the world’s coming a diverse ecosystem for smartphones puters. And huge populations of users in which no single variety of software who have little or no experience with dominates the market. Also, when Bob computers could soon be surfing the 6 sends a text message to Alice, the Web and sharing files with their phones. From Kicks to Crime worm immediately They would present mobile malware diversity cuts both ways, of course. sends Alice a follow- creators with an irresistibly large and Over time malware, too, inevitably mu- up MMS file contain- unwary target. tates into new species that attack and ing a copy of the worm, renamed with One lesson from PC viruses is that subvert useful software in an ever wid- a plausible file name. the bigger the target, the bigger the at- ening variety of ways. On the PC, the When Alice opens the traction for nefarious programmers. early viruses were eventually joined by message, her phone The vast majority of desktop malware Trojans, worms, spyware and most re- gets infected. works only on the ubiquitous Microsoft cently phishing attacks. Since 2003 Windows operating system. For the much of the new malware appearing on same reason, nearly all the mobile PCs has been written for profit rather worms and Trojan horses released so far than for mere mischief. Organized infect the Symbian operating system, gangs of cyber-criminals now operate which runs some 70 percent of smart- all over the world. Thieves use crime- phones worldwide—including phones ware to make money by stealing finan- made by Nokia, Samsung, Sony Erics- cial data, business secrets or computer son and Motorola. In contrast, only a resources. Spammers assemble “bot- few varieties of malware infect Micro- nets” of hacked machines to forward soft’s PocketPC or Windows Mobile, bulk e-mail and phishing scams. And Palm’s Treo, or Research in Motion’s blackmailers extort money with threats BlackBerry devices. The Symbian bias of digital destruction or of virtual block- partly explains why mobile malware is ades that shut down a company’s Web currently most prevalent in Europe and or e-mail servers. In some countries, cy- Southeast Asia, where Symbian is com- ber-criminals are virtually untouchable monplace, but is rarer in North Ameri- because authorities lack the technical

MIKKO HYPPONEN is chief research officer for F-Secure, a computer security company in Helsinki that consults for mobile phone makers and network operators. His team of virus Every time Alice replies to a text message, 8 CommWarrior.Q follows up with an infected fighters has been first to identify and combat dozens of viruses in the 15 years he has MMS package. Alice’s carrier charges for every MMS worked at F-Secure, including the infamous LoveLetter worm in 2000. A co-author of two message she sends, so her bill quickly mounts. books on computer security, Hypponen has assisted with investigations by Microsoft, the T H E A U T H O R

MIRACLE STUDIOS U.S. Federal Bureau of Investigation, the U.S. Secret Service and Scotland Yard in the U.K.

www.sciam.com SCIENTIFIC AMERICAN 75 COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC. to destroy privacy is obvious. Only a handful of such programs have been seen as yet. One, called FlexiSpy, peri- odically and invisibly sends a log of Computers do not have a built-in phone calls and multimedia messages, both sent and received, to a third party. billing system; mobile phones do. The eavesdropper needs to gain physical access to the phone to download and install the spying program. The bad guys will exploit this It may not be long, however, before hackers incorporate this kind of eaves- feature before long. dropping behavior into viruses that rep-

MIRACLE STUDIOSlicate on their own. With new phones featuring voice recorder capability, expertise, resources or will to enforce financial capabilities of mobile phones manufacturers should take extra care to laws against computer crimes. on the rise, we will have to move rapidly ensure that these features cannot easily As for-profit virus writing increases, in the next couple of years. Actions now be exploited by malware to record con- the likelihood of severe mobile malware could thwart mobile malware while it is versations and then beam the recordings attacks escalates as well. After all, every in its infancy and while smartphone ser- to a snoop. phone call placed and every text or multi- vices are still fairly flexible in their de- Then there is the surprising fact that media message sent is also a financial sign. But that window of opportunity not one of the more than 300 forms of transaction. That opens up a flood of will not stay open for long. mobile malware released as yet exploits potential earning opportunities for programming bugs or security design profiteer hackers and virus authors. More Dangers Ahead flaws to insert itself into a vulnerable Computers do not have a built-in billing the reason for haste is clear machine. This has long been a standard system; mobile phones do. The bad guys when one considers all the ways that modus operandi for many PC viruses will exploit this feature before long. hackers could—but have yet to—wreak and Trojans. Indeed, at least one already has. A havoc with smartphones. On personal So far mobile malware writers have Trojan called RedBrowser sends a con- computers, many of the worst culprits instead relied exclusively on “social en- tinuous stream of text messages from spread via e-mail or force infected ma- gineering”—in other words, tricking us- any phone it infects to a number in Rus- chines to spew spam onto the Internet. ers into actively allowing installation of sia until the user disables the phone. None of the miscreant programs re- the malicious program on their phones. Each message is charged at a premium leased so far for smartphones capitalize Some camouflage themselves as useful rate of about five dollars, resulting in on the devices’ ability to send e-mail. It utilities or desirable games. But some, huge bills for the unfortunate victims. is only a matter of time until malware especially ones like Cabir and Comm- Some cellular carriers hold their cus- appears that can propagate as e-mail at- Warrior that spread via Bluetooth, do tomers liable for such unauthorized tachments or can turn phones into spam- not. Many people accept the files even transactions, and when they do, the sending robots. when the device warns of the security criminals, who own the premium num- Spyware is another mushrooming risk and gives them a chance to refuse ber, collect the premium fees. Luckily, problem in the PC arena, and the poten- the foreign software. RedBrowser has so far only been spot- tial for surreptitious software on phones I and other researchers have asked ted inside Russia. Meanwhile service providers in Some Protective Software for Smartphones North American markets are beginning to introduce “mobile wallets.” Custom- COMPANY PROGRAM NAME SUPPORTED OPERATING SYSTEMS ers will be able to use their phones to F-Secure Mobile Anti-Virus PocketPC, Symbian, Windows Mobile transfer funds from their accounts to others by sending specially formatted Mobile Security Nokia Communicators text messages. PayPal, a digital payments firm, offers a similar service that allows McAfee VirusScan Mobile PocketPC, Symbian, Windows Mobile users to buy items using their phones. Symantec AntiVirus for Handhelds Palm, PocketPC, Windows Mobile Such services could be of intense interest to malware authors. Mobile Security Symbian With both the sophistication of mo- Trend Micro Mobile Security PocketPC, Symbian, Windows Mobile bile malware and the technological and

76 SCIENTIFIC AMERICAN NOVEMBER 2006 COPYRIGHT 2006 SCIENTIFIC AMERICAN, INC. UMTS data networks that their mobile A Bestiary of Mobile Malware devices use; open Wi-Fi networks have no such protection. And while some car- NAME TYPE AND METHOD OF INFECTION EFFECTS riers already filter their MMS streams to remove messages bearing malicious at- Cabir Worm. Connects to other Bluetooth Constant Bluetooth scanning tachments, all should do so. (discovered devices and copies itself drains phone’s battery Some of the biggest phone manufac- June 2004) turers have joined the Trusted Comput- ing Group, which has been hammering CommWarrior Worm. Replicates via Bluetooth; sends Some users incur a charge out industry standards for microcircuit- (discovered itself as an MMS file to numbers in for every MMS file the worm ry inside phones that will make it harder March 2005) phone’s address book and in automatic sends; variants of the worm replies to incoming SMS (text) and MMS disable phone entirely for malware to get at sensitive data in the messages; copies itself to the device’s memory or to hijack its payment removable memory card and inserts mechanisms. And Symbian recently re- itself into other program installation leased a new version of its operating sys- files on phone tem that does an improved job of pro- tecting key files and that requires soft- Doomboot Trojan horse. Pretends to be a version Prevents phone from booting ware authors to obtain digital certificates (discovered of the Doom 2 video game, enticing and installs Cabir and from the company. The new Symbian July 2005) users to download and install it CommWarrior on phone system refuses to install programs not accompanied by a certificate. Unless dis- RedBrowser Trojan horse. Deceptive description on Surreptitiously sends a abled by a user, the system effectively (discovered a Web site offering many downloadable stream of text messages, at February 2006) programs entices users to install this a premium rate of $5 each, excludes all mobile malware discovered Java program, which runs on hundreds to a phone number in Russia to date. of phone models Governments could also play a more constructive role than they have so far. FlexiSpy Spyware. Internet download, Sends a log of phone calls Even though most countries have passed (discovered typically installed by someone other and copies of text and MMS laws against hacking both ordinary March 2006) than phone owner messages to a commercial computers and the computers inside cell Internet server for viewing phones, enforcement is lax or nonexis- by a third party tent in most of the world. Many of the nations hit hardest so far by mobile mal- people victimized by such viruses: Why concerned. Antivirus software now ware outbreaks, such as Malaysia, Indo- did you click “yes”? A common answer available from many companies can im- nesia and the Philippines, do not always is that they did not at first—they chose munize and disinfect smartphones. Yet collect reliable and timely statistics that “no.” But then the question immediately few customers have installed such pro- could be helpful for tracking software reappeared on the screen. A worm, you tection. That needs to change. crimes. see, does not take no for an answer, and Phones should also incorporate fire- For our part, my team and others in it gives the user no time to hit the menu wall software that warns the user when the security research community have option to disable Bluetooth [see box on a program on the phone seizes the initia- been proactively studying Symbian and pages 74 and 75]. Unfortunately, even tive to open an Internet connection. This PocketPC, looking for vulnerabilities in the newest versions of most smartphones is an especially important form of pro- the code and in the system designs that permit the kind of Bluetooth harassment tection for smartphones that can con- might afford entrée to malware. We that effectively denies a person use of a nect to Wi-Fi (also called 802.11) net- hope to find these holes so that they can phone until the individual accepts the works and thus directly to the public be patched before the bad guys exploit file transfer (or until the user walks out Internet. Many cellular companies ag- them in the inevitable next round of this of range of whatever infected device is gressively filter traffic on the GPRS or constant battle. sending the request—although few people realize they have this option). MORE TO EXPLORE Mobile Phones as Computing Devices: The Viruses Are Coming! David Dagon, Tom Martin and Staying a Step Ahead Thad Starner in IEEE Pervasive Computing, Vol. 3, No. 4, pages 11–15; October–December 2004. the only hope of stopping mobile Mobile Phones: The Next Frontier for Hackers? Neal Leavitt in Computer, Vol. 38, No. 4, malware before it seriously degrades the pages 20–23; April 2005. utility and value of smartphones is quick Mikko Hypponen and his teammates blog at www.f-secure.com/weblog/ and concerted action on the part of all Trusted Computing Group: www.trustedcomputinggroup.org/groups/mobile