Mobile malware: Two years on

Many still regard the threat as largely over-hyped, but F-Secure's chief research officer Mikko Hyppönen warns that the mobile virus threat now is only equivalent to that in the PC world in 1988.
Written by Munir Kotadia, Contributor

The first real mobile phone virus, which was found in the wild and could replicate on its own, was discovered almost two years ago.

On June 15 2004, Finnish anti-virus firm F-Secure and Russian rival Kaspersky released details about a piece of mobile phone malware that used Bluetooth to try and spread to other Symbian series60-based mobile phones.

Almost two years on, F-Secure's chief research officer Mikko Hyppönen reports that although there are now over 200 mobile phone viruses--many of which are variants of Cabir--the problem is unlikely to get as bad as it has with PCs.

"The difference is that PC viruses were first found in 1986 and mobile phone viruses were found in 2004," said Hyppönen in an interview with ZDNet Australia at the AusCERT conference in the Gold Coast last week. "So we are living in the equivalent of 1988 but in 1988 Microsoft or hardware manufacturers were not doing anything about viruses".

"In the mobile phone world, all the mobile phone manufacturers are working on the problem as are the phone operating system manufacturers, like Symbian, Microsoft and Palm. Operators are on top of this--there are several phones from Nokia that come with antivirus software, which is made by F-Secure," he said.

At AusCERT, Hyppönen presented a talk about current and future mobile phone threats. He explained that malware aimed at mobile phones is close to evolving into something that could make cybercriminals lots of money.

"On any new platform the first malware is made by hobbyists as a proof of concept--the professionals move in later on. This change hasn't really happened yet on the mobile phone side," said Hyppönen.

One example of a Trojan designed to illegally make money from Mobile phone users is called Redbrowser, which will run on any Java-enabled phone and is 'advertised' as a special Web browser that, if installed, will provide the user with WAP browsing.

In reality, Redbrowser is programmed to send vast quantities of text messages to a Russian premium rate number, which could cost the victim hundreds or even thousands of dollars.

"Redbrowser starts to send text messages from your phone to that number--as many as it can, as fast as it can and each message costs you around US$5," said Hyppönen.

Another piece of mobile malware that could hit its victims in the pocket is Commwarrior, which first appeared in March 2005 and used both Bluetooth and Multimedia Messaging Service (MMS) to replicate.

MMS is commonly used for sending picture messages but it can also allow mobile phone users to exchange ring tones, files and other applications.

"Say you have 200 numbers in your phone and you get hit with Commwarrior. It will send an MMS message in your name to every single number in your phone. So people get a message from you, they trust you and open up the message and get infected," explained Hyppönen.

If Hyppönen got infected by Commwarrior, it would cost him a significant amount, he said: "You pay for every message so if it cost 50 cents, [200 contacts means] it has cost you US$100. I have 1600 contacts so if I get infected it will cost me US$800--that is already a lot of money".

Although Commwarrior infections are not a serious problem at the moment, some mobile phone operators are already feeling the pain, said Hyppönen.

"One operator found that 2.5 percent and another found 3.5 percent of all their MMS traffic was not generated by people but by viruses. Another operator we spoke with said that their user support gets around 200 calls a day about mobile phone viruses," Hyppönen said.

Spyware moves in
Over the past year, spyware has become one of the biggest problems on PCs so it is not be a surprise that issue has migrated to mobile phones.

At the end of March, F-Secure discovered a "spying application" called Flexispy that is designed to record text messages, log calls and even send back recordings of calls to a third party.

Although the application, made by Bangkok-based Vervata, is technically legal and has legitimate uses, F-Secure objected to the fact that once installed there is no indication to the user that so much information is being leaked to a third party.

"You can use it to monitor your 10 year old and it is legal--depending on where you are--and justifiable. But then again if you install it on somebody's phone without them knowing about it, it is illegal," said Hyppönen.

F-Secure classified Flexispy as a Trojan and included detection for it in its mobile phone anti-virus software, said Hyppönen: "We made the call based on the fact that it never shows you any messages or explains what it is".

Vervata responded by publishing a strong objection on its Web site: "Like any other monitoring software there may be a possibility for misuse, but there is nothing inherent in FlexiSPY that makes it illegal or malicious, and Vervata would like to point out that F-Secure comments categorizing FlexiSPY as a Trojan are completely incorrect".

Unfortunately for Vervata, other security software vendors--including Symantec and Kaspersky--have sided with F-Secure.

Last year, analyst group Gartner predicted that a serious mobile phone virus is unlikely until the end of 2007 because it will take that long until there are enough mobile phones capable of carrying the infection.

Hyppönen also believes that the virus problem will get worse--before it gets better. However, he is confident it will never be as bad it is currently with PCs.

"There have already been tens of thousands of mobile phones infected and mobile viruses have spread to 30 different countries. A virus has tried infecting my phone 4 times-- once in London and three times in Finland.

"If we play our cards right we will not have 165,000 mobile phone viruses in 2020," Hyppönen added.

Editorial standards