2nd Year Anniversary of the Mobile Phone Virus: What is next?
ZDNet has this coverage of the second-year anniversary of the mobile phone virus. It is interesting to note that mobile phone manufacturers and operating system makers are taking this threat seriously. In 1988, when the PC virus first appeared, operating system vendors did not give it much thought. Look at the mess we have today.
On June 15, 2004, Finnish anti-virus firm F-Secure and Russian rival Kaspersky released details about a piece of mobile phone malware that used Bluetooth to try to spread to other Symbian Series 60-based mobile phones.
Almost two years on, F-Secure’s chief research officer Mikko Hyppönen reports that although there are now over 200 mobile phone viruses — many of which are variants of Cabir — the problem is unlikely to get as bad as it has with PCs.
It is interesting to note that the mobile phone viruses in the wild today are mainly Bluetooth-propagating. So what is next? Well, I have this idea for a virus that spreads using WAP Push - The Mobile Worm. This is how I see it working.
- The virus opens an HTTP port on the infected mobile phone and listens on it.
- The virus then sends a WAP SI to the target phone. The WAP link points to the open HTTP port where a copy of the virus lives. It can get a list of targets from the current phone's address book.
- The virus then waits until it is picked up.
- The target phone accesses the WAP SI and downloads the virus payload. The payload is masqueraded as a firmware upgrade or installable software. I could imagine making the payload say, “Do you want to install the I Love You software?” or “Viagra Cheap Software?”.
- The virus payload executes and the process starts again, wreaking havoc on users everywhere.
Other variations could include hosting the virus on an Internet-based server and adding user-agent profiling, so that the proper version of the virus is pushed to each handset. Whether you are on Symbian, J2ME, MS Windows Mobile or Palm, you would get the correct version of the payload. Another variant could also have Bluetooth propagation, and another the ability to download SyncML contacts. But notice that the PoC above does not make use of any exploit in the system. It is purely social-engineering malware. Any exploit would just allow it to do significantly more dangerous things.
Of course, there are ways to prevent this. The most important of which is to be vigilant. Do not just install any program. Watch your GPRS traffic indicator. Do not switch on Bluetooth unless you absolutely need it. Beware!
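One concrete form of that vigilance, as an added example that is not part of the original post: a screening check that a handset or WAP gateway could apply to an incoming Service Indication before showing it to the user. It parses the SI XML and flags the signs the post describes (a link to a bare IP address on a non-standard port, an installable package, a high-priority signal, install-lure wording). The sample SI message, the IP address 10.0.0.5 and the package-suffix list are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample WAP Service Indication (SI): the shape of message the post
# describes, with its link pointing at a bare IP address on a non-standard port.
SAMPLE_SI = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE si PUBLIC "-//WAPFORUM//DTD SI 1.0//EN" '
    '"http://www.wapforum.org/DTD/si.dtd">'
    '<si><indication href="http://10.0.0.5:8080/update.sis" action="signal-high">'
    'Do you want to install the I Love You software?</indication></si>'
)

# Package suffixes for the platforms the post names (assumed list, extend as needed).
INSTALLABLE = (".sis", ".sisx", ".jar", ".jad", ".cab", ".prc")
LURE_WORDS = ("install", "upgrade", "firmware", "free", "cheap")


def screen_si(si_xml: str) -> dict:
    """Parse one SI message and list the warning signs worth showing the user."""
    warnings = []
    root = ET.fromstring(si_xml)
    ind = root.find("indication")
    if ind is None:
        return {"href": None, "text": "", "warnings": ["no <indication> element"]}
    href = ind.get("href", "")
    text = (ind.text or "").strip()
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme {parts.scheme!r}")
    try:  # a literal IP host usually means another handset, not a named server
        ipaddress.ip_address(parts.hostname or "")
        warnings.append("link host is a bare IP address, not a named server")
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")
    if parts.path.lower().endswith(INSTALLABLE):
        warnings.append("link delivers an installable package")
    if ind.get("action") == "signal-high":
        warnings.append("high-priority signal pressures the user to act now")
    if any(w in text.lower() for w in LURE_WORDS):
        warnings.append("message text reads like an install lure")
    return {"href": href, "text": text, "warnings": warnings}


if __name__ == "__main__":
    for w in screen_si(SAMPLE_SI)["warnings"]:
        print("WARN:", w)
```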
