It is a disturbing thought. Could cell phones be an agent for distributing malware? Can a cell phone get a virus when it receives a call? Should you be purchasing anti-virus software for your cell phone?
More importantly, you should be concerned about physical security. The risks from a lost, stolen or tampered phone are more likely than an over-the-air threat. Don’t leave your phone unattended. Lock your phone. Don’t leave sensitive information on your phone.
A recent issue of Science (22 May 2009: Vol. 324. no. 5930) contained two relevant articles: Phone Infections by Shlomo Havlin (pp. 1023 – 1024) and Understanding the Spreading Patterns of Mobile Phone Viruses by Pu Wang, Marta C. González, César A. Hidalgo, and Albert-László Barabási (pp. 1071 – 1076). They recognize that there are cell phone viruses. These malware instances are not prolific; they rely upon the Bluetooth communications feature within many cell phones. If a Bluetooth device is within range, the virus asks the user of the target cell phone if they would like to install a new application. This is the classic Trojan Horse technique; you can expect a high number of users to reply with a “yes,” and thereby run the malware. The authors indicate that the limited range of Bluetooth (10 meters, about 32 feet) keeps these viruses in check. However, that’s the specification limit. 10 meters is the expected and supported range. Given an appropriate antenna, the range of Bluetooth approaches a mile (according to Chris Roberts, CEO & Founder, Cyopsis (Interface 2009)).
Bluetooth passwords are up to four digits, making them easy to guess. They are often not changed from defaults.
Continuing my summary of the articles: cell phones are computing devices. If a vulnerability is found in a data handling mechanism (a music player or image viewer, for example), and that vulnerability can be exploited to execute arbitrary code, then data (music or images) can be used to install malware. For example, if an exploitable vulnerability in the picture viewer was found, then an image attached to Short Message Service (SMS) text or email can be used to propagate malware. The authors then speculate about the propagation rate of this malware.
The National Institute of Standards and Technology (NIST) has a Special Publication (SP800-124) titled Guidelines on Cell Phone and PDA Security. In summary: a fine synopsis of technologies, threats and recommendations. Its recommendations fall into User Oriented Measures and Organizational-Oriented Measures, as follows:
User Oriented Measures
- Maintain Physical Control
- Enable User Authentication
- Backup Data
- Reduce Data Exposure. Avoid keeping sensitive information, such as personal and financial account information, on a handheld device.
- Shun Questionable Actions. Don’t trust messages.
- Curb Wireless Interfaces. Turn off Bluetooth, Wi-Fi, infrared, GPRS, Edge until they are needed.
- Deactivate Compromised Devices. Disable service. Remote lock. Remote wipe.
- Minimize Functionality. In addition to “curb wireless interfaces”, are there other vectors you don’t need? Add-on applications? Plug-ins? Have your provider block SMS that originated from the Internet (since it is largely SPAM).
- Add Prevention and Detection Software. Stand-alone, consider: authentication alternatives, encryption, firewall, anti-virus, intrusion detection, antispam, remote erasure, VPN
Organizational-Oriented Measures. Organizations should consider a long list of device management possibilities:
- Establish a Mobile Device Security Policy
- Prepare Deployment and Operational Plans
- Perform Risk Assessment and Management
- Instill Security Awareness through Training
- Perform Configuration Control and Management
The most common SMS attack is the social engineering attack. A text message from a purportedly trusted source (such as a bank) prompts the user to (1) call a phone number and reveal private information or (2) connect to a web site and reveal private information or (3) connect to a web site and install software (which will reveal private information).
June 2005: (Arbitrary start date) Trojan Horse programs for Symbian OS. See SymbOS.Romride.A, SymbOS.Commdropper, SymbOS.Doomboot.a (Symantec) or Romride.A, Cabir (F-Secure). SymbOS.Commwarrior (Symantec) is a Trojan Horse that will send MMS messages with a copy of itself and will copy itself through exposed Bluetooth connections. Symantec categorizes this Trojan Horse as a worm because these measures have a high probability of success.
- The Trojan Horse arrives as an SIS file. Mechanisms that could be used: installed locally (physical access), received MMS message with MIME attachment of type application/vnd.symbian.install, copied through exposed (discoverable, visibility is not “hidden”) Bluetooth connection, downloaded from website.
- User is induced to open file. Various fraudulent presentations (social engineering) such as “cracked version of …” “important security update” are used.
- When the user opens this file, the phone installer application displays a dialog box to warn the users that the application may be coming from an untrusted source and may cause potential problems. There are many reasons why a user would ignore this warning: they really want the cracked version of the game or they’ve seen the warning before and ignored it and never seen a problem (“it always does that”).
- The user is again asked if they want to install the program. It always does that.
- Payload is installed, which may mean contacts or other information is disclosed. Anything that the phone could do.
November 2008: Remote SMS/MMS Denial of Service – “Curse Of Silence” for Nokia S60 phones announced by Tobias Engel
Until a firmware fix is available, network operators should filter messages with TP-PID “Internet Electronic Mail” and an email address of more than 32 characters or reset the TP-PID of these messages to 0.
Secunia indicates no fix is available in Nokia Phones SMS Denial of Service Vulnerability (SA33359).
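The operator-side mitigation for “Curse Of Silence” quoted above is a simple rule, and the following added example (not code from the original post or from any vendor) shows one way a network filter could apply it. The message representation is a constructed, simplified stand-in for a GSM 03.40 SMS-DELIVER, carrying only the fields the rule needs; TP-PID value 0x32 is the GSM 03.40 code for “Internet Electronic Mail”, and treating the text before the first space of the user data as the e-mail address is an assumption of this example.

```python
# Added example: operator-side filter for the "Curse Of Silence" mitigation
# (filter messages with TP-PID "Internet Electronic Mail" and an e-mail address
# longer than 32 characters, or reset TP-PID to 0). Simplified message model.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

TP_PID_INTERNET_EMAIL = 0x32   # GSM 03.40 TP-PID: Internet Electronic Mail
TP_PID_DEFAULT = 0x00
MAX_ADDRESS_LEN = 32           # threshold named in the advisory


@dataclass(frozen=True)
class ShortMessage:
    originator: str
    tp_pid: int
    user_data: str


def email_address(msg: ShortMessage) -> Optional[str]:
    """Return the e-mail address carried by an Internet-e-mail type message, else None."""
    if msg.tp_pid != TP_PID_INTERNET_EMAIL:
        return None
    # Assumed layout: "<address> <body>"; the address is the first whitespace-separated token.
    return msg.user_data.split(" ", 1)[0]


def is_curse_of_silence_candidate(msg: ShortMessage) -> bool:
    """True when the message matches the advisory's filter condition."""
    addr = email_address(msg)
    return addr is not None and len(addr) > MAX_ADDRESS_LEN


def sanitize(msg: ShortMessage, mode: str = "reset") -> Optional[ShortMessage]:
    """Apply one of the two operator mitigations: drop the message, or reset TP-PID to 0."""
    if not is_curse_of_silence_candidate(msg):
        return msg
    if mode == "drop":
        return None
    if mode == "reset":
        return replace(msg, tp_pid=TP_PID_DEFAULT)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample traffic: one ordinary SMS, one normal e-mail-type SMS,
# and one e-mail-type SMS whose address exceeds the 32-character threshold.
SAMPLE_MESSAGES = [
    ShortMessage("+15550000001", TP_PID_DEFAULT, "see you at 6"),
    ShortMessage("+15550000002", TP_PID_INTERNET_EMAIL, "alice@example.org hello from mail"),
    ShortMessage("+15550000003", TP_PID_INTERNET_EMAIL,
                 "a" * 40 + "@example.org hello from mail"),
]


def filter_batch(messages: List[ShortMessage], mode: str = "reset") -> Tuple[List[ShortMessage], int]:
    """Return (messages passed on, number dropped) after applying the mitigation."""
    passed: List[ShortMessage] = []
    dropped = 0
    for m in messages:
        out = sanitize(m, mode)
        if out is None:
            dropped += 1
        else:
            passed.append(out)
    return passed, dropped


if __name__ == "__main__":
    kept, n_dropped = filter_batch(SAMPLE_MESSAGES, mode="drop")
    print(f"kept {len(kept)}, dropped {n_dropped}")
```

The “reset” mode is the gentler of the two options: the message still reaches the handset, but without the e-mail interworking indicator that the vulnerable parser acted on.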
April 2009: Hacking a Smartphone, stealing data from a Microsoft Windows Mobile operating system device, is demonstrated by Trust Digital in a CSO Online article “3 Simple Steps to Hack a Smartphone“. One attack relied upon the ability to use an SMS message to open a web browser session. If scripting is enabled and a person or device can be navigated to a maliciously crafted web site, then (machine is pwned) data can be stolen or software installed.
The ability to run a program, such as Internet Explorer, by sending an SMS message would be a significant vulnerability. This would be news. The presentation assumes that such a vulnerability exists.
Another attack relied upon the ability to remotely reconfigure the device, reducing its security posture or destroying information.
April 6, 2009 Security UK columnist Ken Munro writes that the iPhone is not ready “for a secure mobile email environment.” Summary: no encryption, no remote wipe, access points easy to spoof. Blackberry and even Windows Mobile fared better.
June, July 2009 SMS vulnerability on iPhone disrupts usage, could lead to arbitrary code execution, see Apple iPhone OS 3.0.1 SMS Vulnerability Debriefing.
An additional story about a false sense of security with the iPhone is iPhone Security: A Complete Misnomer. Summary: access to a secure iPhone is easy to bypass and remote wipe is unreliable.
July 2009 A New Symbian S60 Worm Variant Spreading in the Wild as reported by cell phone anti-virus vendor NetQin. The threat requires installing a spurious version of the Symbian security application called “Advanced Device Locks.” Once installed, it propagates by sending text messages with a link to a copy of the malicious software.
July 2009 A new worm and botnet for the Symbian OS is discovered as reported by cell phone anti-virus vendors F-Secure and Trend Micro. The threat requires installing a spurious Sexy View application that Symbian has signed. A worm because it sends text messages with a link to a copy of the malicious software. A botnet because it can download new SMS templates, which can be used to generate other text messages.
July 2009 UAE cellular carrier Etisalat rolled out spyware as a 3G “update.” Service provider Etisalat sent an SMS message advising Blackberry users to install a software update (“Registration”). The software update included spyware. See RIM’s Blackberry security page.
October 2009 CNN publishes article Smartphone security threats likely to rise. No specific threat looming.
November 2009: Some Jailbroken Apple iPhones receive worm. This is an actual worm, since an iPhone user who chose to jailbreak their device created an SSH server with a default user name and password, and never changed the password. The phones could be discovered via the Universal Mobile Telecommunication System (UMTS) Network, then accessed and malware installed. The malware repeats this cycle, looking for more phones.
November 22, 2009: A second iPhone worm, which also relies upon users to Jailbreak their phones and not change the password, is reported by F-Secure. In addition to the previous worm’s characteristics, this worm steals information and changes the password to “ohshit”.
This is much like the scenario described in Science, but did not reach their distribution estimates.
December 1, 2009: RIM acknowledges vulnerability which could lead to executing arbitrary code on the Blackberry Enterprise Server (BES) when a maliciously crafted PDF is opened on a Blackberry handheld device (KB19860). BES customers (service providers such as corporations with Microsoft Exchange or Lotus Notes) should patch their servers; there was no client update.
Note that RIM also offers Blackberry Enterprise Server (BES) Express:
Designed for small and large businesses that have an on-premises mail server, BlackBerry Enterprise Server Express is a low-cost and secure option for businesses that want to connect both corporate-liable and individual-liable BlackBerry smartphones to company email, calendars and business applications.
December 4, 2009: ChrisJohnRiley posts information about what the iPhone configuration tool reveals. A .mobileconfig file can be exported. This is an XML file in which the passcode can be found, Base64 encoded. That is very rudimentary protection. Persons who would use the iPhone configuration tool are corporate accounts who would export the configuration as a backup measure. Unfortunately, many corporate accounts are unaware of the information within the .mobileconfig file and publish it on the Internet; search for “filetype:mobileconfig”.
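Because Base64 is an encoding rather than encryption, a profile export can be audited before it is stored or published. The following added example (not from the original post or from Apple) parses a constructed .mobileconfig with the standard library and lists every credential-looking key with its recovered value; the payload key “Password” and the PayloadType strings are assumptions made for the example, not Apple’s documented keys.

```python
# Added example: audit an exported .mobileconfig for readable credentials.
# The plist below is constructed; key names are hypothetical.
import base64
import plistlib
from typing import List, Tuple

SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Example Corp profile (constructed)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.example.hypothetical.passcode</string>
      <key>Password</key><data>""" + base64.b64encode(b"1234") + b"""</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.example.hypothetical.wifi</string>
      <key>SSID_STR</key><string>corp-wifi</string>
      <key>Password</key><string>hunter2-constructed</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Key-name fragments that suggest a credential; extend for your own profiles.
SENSITIVE_KEY_HINTS = ("password", "passcode", "secret")


def _walk(node, path=""):
    """Yield (path, value) for every leaf in a parsed plist."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, f"{path}/{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, node


def find_exposed_secrets(blob: bytes) -> List[Tuple[str, str]]:
    """Return [(path, recovered_value)] for keys whose names look like credentials.

    plistlib base64-decodes <data> elements for us, which is the point:
    Base64 is reversible by anyone who holds the file.
    """
    findings = []
    for path, value in _walk(plistlib.loads(blob)):
        leaf = path.rsplit("/", 1)[-1].lower()
        if not any(hint in leaf for hint in SENSITIVE_KEY_HINTS):
            continue
        if isinstance(value, bytes):
            value = value.decode("utf-8", errors="replace")
        findings.append((path, str(value)))
    return findings


if __name__ == "__main__":
    for path, value in find_exposed_secrets(SAMPLE_MOBILECONFIG):
        print(f"{path}: {value!r}")
```

Run this over a profile before it is committed to a backup share or a public web server; any non-empty result means the file needs the same handling as a password list.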
December 27, 2009: Chris Paget and Karsten Nohl report about the weak nature of GSM security at the 26th Chaos Communication Congress. That is, with about $1,500 of hardware, open source software and pre-computed tables, whatever information is passed through GSM can be discovered.
December 30, 2009: Cordless phones based upon Digital Enhanced Cordless Telecommunication (DECT) also have flaws in the way encryption was implemented, as explained at the 26th Chaos Communication Congress. The long term fix will be to replace cordless phones with models whose firmware has fixes for these flaws (and have upgradable firmware). The short term fix is to avoid long silences and keep conversations short.
February 4, 2010 Elcomsoft iPhone Password Breaker enables forensic access to password-protected backups for iPhone 2G, 3G, 3GS, and iPod Touch 1st, 2nd, and 3rd Gen devices. Featuring the company’s patent-pending GPU acceleration technology, Elcomsoft iPhone Password Breaker is the first GPU-accelerated iPhone/iPod password recovery tool on the market. The new tool recovers the original plain-text password that protects encrypted backups containing address books, call logs, SMS archives, calendars, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache.
Similarly, see iPhorensic from EviGator.
February 7, 2009: Veracode demonstrates proof of concept spyware for the Blackberry (TXSBBSpy).
it should be noted that while we chose BlackBerry for our proof-of-concept, this is not just a BlackBerry problem. All mobile platforms provide similar mechanisms for writing applications that have access to the user’s personal, potentially sensitive information. As consumers become increasingly dependent on their mobile devices, we are certain to see an uptick in the volume and sophistication of mobile malware.
February 12, 2010: A vulnerability in OpenCORE 2.0 and earlier is disclosed at Shmoocon (oCERT #2009-002, CVE-2009-0475). Since OpenCORE is the multimedia rendering system used by Android, this counts as an Android vulnerability. Browsing to a malicious web site with a maliciously crafted MP3 could install arbitrary code on the Android device. Fixed in 8815. How would T-Mobile get the patch to customers?
March 8, 2010: Vodafone distributes Mariposa botnet. A Panda Security researcher reports that an associate received an HTC Magic with Google’s Android OS and found (Windows OS) malware on the memory card. The malware would attempt to install itself if Autorun was enabled. That is, the HTC Magic’s memory card is as vulnerable as any USB stick. As Lee Whitfield points out, this reflects a Quality Assurance issue at Vodafone or HTC (or another agent in the supply channel). At least two HTC Magic devices with infected memory cards have been identified.
April 2, 2010: Chinese government officials report MMS Bomber (a variant of the Worm.SymbOS.Yxe). This worm spreads through URLs in SMS messages to phones with the Symbian S60 3rd Edition operating system. If the application the URL points to is installed, data from the mobile phone is sent to a server, SMS messages are sent to numbers in the phone’s directory and the phone’s system management software is modified to prevent removal of the worm. Reinstall the operating system.
April 10, 2010: Installing a pirated version of “3D Anti-terrorist action” makes Windows Mobile phones place international calls (Troj/Terdial-A). See Windows Mobile Terdial Trojan makes expensive phone calls.
June 1, 2010: Samsung distributed a malware program called slmvsrv.exe on the 1GB microSD memory card shipped with the new bada-powered Samsung S8500 Wave smartphone. This Windows-based application, known as Win32/Heur, appears with an Autorun.inf file in the root of the memory card and will install itself when it is inserted into any Windows PC that has the autorun feature enabled.
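Both the Vodafone/HTC and the Samsung cases come down to an Autorun.inf in the root of a memory card pointing at a Windows executable. The following added example (not from the original post, Panda, Samsung or any vendor) builds a constructed card image in a temporary directory and inspects it the way a receiving-inspection script could before a card is inserted into a PC with Autorun enabled; the file name slmvsrv.exe is taken from the Samsung report above, everything else in the sample card is made up.

```python
# Added example: inspect a removable card's root for an Autorun.inf launch entry.
# Sample card contents are constructed; only the name slmvsrv.exe comes from the report.
import configparser
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Autorun.inf keys that cause something to execute on insertion (Windows with Autorun on).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section (keys lower-cased) as a dict, or {} if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section: Optional[str] = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): v for k, v in cp.items(section)}


def inspect_card(root: Path) -> dict:
    """Report whether the card root carries an Autorun.inf and what it would launch."""
    report = {"has_autorun": False, "launch_target": None, "target_present": False}
    inf = next((p for p in root.iterdir() if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return report
    report["has_autorun"] = True
    entries = parse_autorun(inf.read_text(errors="replace"))
    for key in LAUNCH_KEYS:
        if key in entries:
            # First token of the value is the program; strip surrounding quotes.
            target = entries[key].split()[0].strip('"')
            report["launch_target"] = target
            report["target_present"] = (root / target).exists()
            break
    return report


def build_sample_card(with_autorun: bool = True) -> Path:
    """Constructed card image: a DCIM folder plus, optionally, an Autorun.inf and dummy binary."""
    root = Path(tempfile.mkdtemp(prefix="card_"))
    (root / "DCIM").mkdir()
    if with_autorun:
        (root / "Autorun.inf").write_text("[autorun]\r\nopen=slmvsrv.exe\r\nicon=slmvsrv.exe\r\n")
        (root / "slmvsrv.exe").write_bytes(b"MZ-not-a-real-binary")   # placeholder, not malware
    return root


if __name__ == "__main__":
    print(inspect_card(build_sample_card()))
    print(inspect_card(build_sample_card(with_autorun=False)))
```

A card whose report shows `has_autorun` with a present `launch_target` should be treated as untrusted media and handled on a machine with Autorun disabled, regardless of who shipped it.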
June 25, 2010: Jon Oberheide reports Google used REMOVE_ASSET and INSTALL_ASSET, remotely managing applications on his Android-based phone.
August 11, 2010: Apple releases iOS 4.0.2 (for the iPhone) and iOS 3.2.2 (for the iPad), fixing a PDF rendering bug. Rendering of a PDF could install arbitrary code.
August 17, 2010: Android game Tap Snake is a Trojan horse, a GPS Spy client in disguise (according to F-Secure).
September 9, 2010: Kaspersky reports another Android Trojan horse, whose payload sends SMS messages to premium sites without user intervention. The malware spreads through black hat search engine optimization (BHSEO) techniques, much like bogus anti-malware software propagation.
September 30, 2010: According to a study by pskl.us blogger Eric Smith, a number of free iOS apps send private user data back to their application developers. Smith examined a total of 57 free news, shopping, business and finance applications, including the top 25 free apps from the US iTunes App Store. He found that 68% of the applications tested transmitted the software-readable unique device identifier also known as UDID each time the application was launched. The data was transmitted to servers controlled by the relevant application vendor. A further 18% of apps transmitted encrypted data, meaning that there is no easy way of knowing what data they are forwarding to the vendor. (See further investigation at “iPhone Privacy: What about the SSL apps?“.) According to Smith’s analysis, just 14% of applications are clean. Smith notes that, where the user name for a user account is also known, the UDID allows many applications to draw conclusions about the identity of the iPhone user. As an example, he cites the Amazon app, which stores the phone’s serial number on mail order company Amazon’s servers. The full text of the study, entitled “iPhone Applications & Privacy Issues an Analysis of Application Transmission of iPhone Unique Device Identifiers” is available online [pdf]. The list of apps tested can be found in Appendix A on page 16.
October 2010: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones [pdf] Abstract: Today’s smartphone operating systems frequently fail to provide users with adequate control over and visibility into how third-party applications use their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid provides realtime analysis by leveraging Android’s virtualized execution environment. TaintDroid incurs only 14% performance overhead on a CPU-bound micro-benchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users’ private information across 20 applications. Monitoring sensitive data with TaintDroid provides informed use of third-party applications for phone users and valuable input for smartphone security service firms seeking to identify misbehaving applications.
November 2010: Android 2.0-2.1 Reverse Shell Exploit: flaws in WebKit appear as flaws in Android. This flaw could be used to install arbitrary code.
November 2010: Insecure Handling of URL Schemes in Apple’s iOS could be used to initiate connections to web sites.
December 27, 2010: SMS-o-Death (Collin Mulliner, Nico Golde) at the 27th Chaos Communication Congress describes how flaws in SMS and MMS message processing can be exploited to interrupt phone calls, to disconnect people from the network, and even brick phones remotely.
December 29, 2010: Running your own GSM stack on a phone (Introducing Project OsmocomBB) at the 27th Chaos Communication Congress describes how a custom GSM stack can be used to intercept GSM communications and decrypt them. See review at Gizmodo.
December 30, 2010: The Android trojan Geinimi, which may be bundled with applications (such as Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010) from untrustworthy sources, can collect personal information.
April 2011: DroidDream trojan found bundled with many Android applications.
April 19, 2011: Microsoft announces Windows Mobile 6.x, Windows Phone 7, Microsoft Kin, and Zune devices are vulnerable to spoofing using revoked certificates. Microsoft Security Advisory (2524375)
May 3, 2011: Microsoft announces availability of security patch for Windows Phone 7 to modify certificate revocation. Microsoft Security Advisory (2524375)
May 13, 2011: Unencrypted authentication tokens allow access to Google applications from Android devices, as demonstrated by researchers at the University of Ulm.
February 13, 2012: Android.Bmaster is Android malware discovered on a third party marketplace (not the Android Market) and bundled with a legitimate application for configuring phone settings.
How concerned should you be? It helps to focus upon the mobile device aspects rather than the phone features: access control, patching (or upgrading), a firewall (to drop unnecessary traffic), and virus protection.
As with other computing devices, if a device vulnerability is discovered, the preferred mitigation remedy would be to patch the vulnerability. There are over-the-air (OTA) update mechanisms available. (How secure are these mechanisms?)
Alternatively, your cell phone provider may be able to update your firmware without putting it on the telephone network. Your cell phone provider may also be able to filter and remove malformed traffic.
If you relied upon anti-virus software to mitigate the vulnerability, you need to address how the pattern file updates are installed. You would need to wait for the pattern file update to detect the specific exploit of the vulnerability. Obfuscated variants of the current, specific exploit will be missed by the anti-virus software. You want the vulnerability patched. You would purchase anti-virus software betting that the pattern file update would protect you until the firmware update was deployed.
The articles in Science speculate about the rate infections could spread across cell phones. Perhaps the network would become unusable. Firmware updates would be required. A targeted threat, on the other hand, would exploit the previously unknown vulnerability on a small number of phones. A firmware update would not appear until the vendor was aware of the issue. An anti-virus pattern update would not appear for the same reason.
There are additional (non-virus) malware scenarios that may tempt you to purchase anti-virus software.
- Cell phones are computing devices. If you install software from untrustworthy sources, you can be installing malware. Ask yourself what risk you are willing to adopt by installing Elf Bowling.
- Software (such as FlexiSpy, Neocall or Mobile Spy) can record your text messages. This is similar to a keystroke logger. With the software installed, when Short Message Service (SMS) text messages are sent, they are also sent to a web site. If you have no data plan, this mechanism will fail or incur charges. This mechanism requires local access, physical access, to the telephone; it cannot be installed remotely. Often, anti-virus software does not detect these packages because they must be deliberately installed. They are marketed to the parent who wants to monitor their child’s text messages, and the spouse who monitors their mate’s messages.
- The Blackberry application PhoneSnoop can be used to eavesdrop on calls made from the victimized Blackberry. PhoneSnoop can be installed through physical access to the phone or convincing someone to install the application. Should anti-virus software detect such applications as threats?
- The Palm Treo also has applications which can record calls.
- Skype for Android leaks sensitive data blog post at Sophos, reviewing a beta version of Skype for Android. Skype leaves private information unencrypted and available to other applications to collect and transmit. Skype claims that this will be fixed in the released version and warns people about installing software on their phones. Nonetheless, there is some doubt that software is tested for information disclosure vulnerabilities.
- Cell phones are also data storage devices. As argued in Semantic Difficulty: Do Macs / Linux Get Windows Viruses?, a Windows virus can be copied to the cell phone. It does not run on this device, but it does consume space and it can be copied from the cell phone to a Windows machine.
The articles in Science argued that we haven’t seen such activity because there is limited operating system commonality. There should be a vulnerability in data handling and it should be exploitable; we don’t see the malware because the broad acceptance of an operating system hasn’t occurred.
I don’t think acceptance needs to be any broader. It could be broader, it will get broader, but cell phones are prolific enough. I think they’ve let the disease analogy distort the problem. Malware does not need to be prolific to be malware. (Are prolific viruses the norm or the anomaly in microbiology? I believe prolific viruses are rare, but they get all the attention.)
The bad news: cell phone malware is already here.
The good news: don’t invest in anti-virus software. Physical security is your best protection.
Caveat: Regulations may override these considerations. For example, if you are processing credit card payments with your cell phone, PCI regulations may require anti-virus software.