Fearmongering: Help! The Cell Phone Viruses Are Coming!

EWeek | March 7, 2005
By Larry Seltzer

In the middle of 2004 we saw the first real cell phone virus, named Cabir. It was newsworthy because it was the first, and since then there have been more. I don't think of myself as an expert on them, but I don't feel very threatened by them.

In mid-March Cabir (pronounced "kay-burr") made its first appearance in the United States and a whole new round of publicity was launched. Most of the antivirus companies calling me up to talk about it have had this attack squarely in perspective: it was foreseeable because it was possible, and it won't spread very far for a variety of reasons.

It only affects a tiny percentage of mobile phones out there, and you have to agree to let it install on the phone. Finally, even if you install it, the only real downside is crummy battery life, since it uses the Bluetooth connection excessively, looking for other devices to infect. (Well, there's also the embarrassment of potentially infecting your friends' and colleagues' phones.)

Other PR contacts have referred to "the widespread distribution of the Cabir Bluetooth cell phone virus" in order to pitch for vendors who provide security software or consulting in this space.

This is simple scaremongering.

Cabir is interesting (more for its use of Bluetooth to seek out and spread to other devices than for the fact that it runs on a cell phone), but it's not particularly threatening. If I had confidential information in my cell phone that, in the wrong hands, could cause me or my company serious trouble, I would think about enhancing the security of it. Of course, for the same reasons I would be worried about forgetting my phone somewhere too, and perhaps that's the more serious threat.

It may be because the source code for Cabir was released several months ago, but another one has turned up. Commwarrior (SymbOS/Commwarrior.a to McAfee) affects Nokia Series 60 phones, such as the 3650, 7650, and 6600. How do I know that? I read it on the virus's home page. It's also where I downloaded my own personal copy of the virus, not that I have a Nokia phone on which to run it.


If anyone felt threatened by Cabir, they should be positively terrified of Commwarrior.

I spoke with Victor Kouznetsov, Sr. VP Mobile Solutions for McAfee, and he argues that Cabir was a proof-of-concept worm, not a real-world attempt to infect. Kouznetsov says that Commwarrior, on the other hand, is a real attempt to spread like real malware. It spreads both through Bluetooth and MMS (Multimedia Messaging Service). Like Cabir, it arrives as a program that the user has to launch.

More interestingly, it uses classic worm social engineering to try to trick the user into launching the attachment, including such enticing messages as "Free *SEX* software for you!" and "Security update #12. Significant security update. See www.symbian.com".

Such messages have been used by Windows-based worms for years, and I keep hearing that people fall for them, so I would assume that they might work on Nokia phone users. (According to F-Secure's analysis of the worm, it also contains the string "OTMOP03KAM HET!", which is Russian and translates roughly to "No to braindeads".)

This is a real worm (or arguably a virus or Trojan horse), not the experiment that Cabir was. And yet it appears that this program has been out in the wild since January, and it only showed up on the radar screens of the antivirus establishment this week, which makes you wonder: How virulent can it really be?

I think the characteristics we've observed so far in worms such as these are not so much indicative of the immaturity of the mobile phone virus establishment as of inherent limitations in the mobile phone infrastructure for malware.

It's hard to imagine an attack that will, for example, work on phones with different operating systems. As best I can tell, there are a variety of platforms in place in this market, and it's possible that SymbianOS, the target for Cabir and Commwarrior, is more amenable to such development than the others. All of them have been around for years, so I would have expected proofs of concept on all of them by now.

If only real computing platforms had this as the cutting edge of security threats! If I were buying one of these fancy-schmancy mobile phones, I wouldn't hesitate to buy a Nokia just because there are stupid attempts out there like this. It's just like a PC: you just have to pay attention, and any threat that comes along will be obvious.

