Real World Computing

Mobile exploits

20061120 [PC Pro]
Davey Winder assesses the true mobile security threat from a sealed room in Finland, before revealing the security secrets of the Windows Task Manager

I've just returned from a trip to Helsinki, where I was a guest of security specialist F-Secure. While there, I visited the company's threat labs and chatted with its CEO and research director about the world of malicious code. Among the fascinating Finnish facts I picked up were that it's still warm in Helsinki in September (although come winter the F-Secure staff ski to work), 6% of Finns now speak Swedish, and mobile phone viruses and trojans definitely do exist.

This latter fact shouldn't have surprised me as much as it did, even though I've written several times over the last couple of years doubting the need to worry about this "pseudo-threat". Miska Hakala, F-Secure's mobile security manager, started his presentation by pointing out that, "the prerequisites for a large malware outbreak are relatively simple: enough functionality for the malware to work, enough connectivity for the malware to spread and enough target terminals for the platform to become an interesting target". Mobile phones - and smartphones in particular - now fulfil all these criteria.

If proof were needed, Hakala went on to describe how, as of the end of August 2006, F-Secure had identified 319 different examples of malicious mobile content, and this total crept up to 320 while I was visiting the labs. Of these 319 threats, 260 were trojans that don't spread themselves, 52 were viruses and worms that attempt to propagate (although they all require some user interaction to do so successfully), while only three could be classed as spyware proper. Sixteen of them spread themselves using MMS as the transport mechanism, while 49 jumped aboard via Bluetooth.

Which infection mechanism is most popular depends on whether you count the number of samples discovered in the lab or reports coming in from the real world. For lab samples, the most popular conduit is active downloading and installation by the user, followed by Bluetooth infection, MMS and memory cards. Based upon real-world reports, this order changes to put Bluetooth in the lead, followed by user download, MMS and memory cards. Although 320 separate threats have been identified, they belong to just 31 different families consisting of numerous variants. Malefactors create these variants for the same reasons they do in the computer world: to try to foil AV scanners (still less prevalent in the mobile sector) or else, by merely changing the payload or some other minor attribute, to claim the new variant as their own and thus gain criminal kudos. Very few people - according to F-Secure's intelligence - are actively creating new threats, the vast majority falling into this evolve-and-adapt category.

Of the 31 families identified, the biggest are Sdropper with 67 variants, Cardtrap with 34, Cabir with 33 and Skulls with 29. If you own a Symbian-powered handset, you're most at risk, since 312 of the 319 samples target that platform, which is merely the price it pays for being the most popular handset OS.

This still wasn't proof enough - I needed more, so I persuaded Mikko Hypponen, F-Secure's chief research officer, to let me into his newly built mobile phone virus chamber deep inside the threat research labs. This highly impressive metal-walled room could have come straight out of a James Bond movie - no windows, a thick steel door, even the holes through which the network cables travel are capped once the cable is removed during testing. The intention is to make the room 100% RF isolated, so that no mobile phone signals of any kind or strength, no Bluetooth, infrared nor Wi-Fi signals can escape once the door is shut. This is for the good reason that it's where your actual, real-world mobile exploits are set loose and analysed.
