First Destructive Mobile Phone Virus In The Wild

gbjbaanb writes "eek! the BBC is reporting the first mobile phone virus that causes damage is out and about. The virus only works with the Symbian Series 60's OS (no, not the Smartphone) and spreads through an adapted copy of the legitimate Mosquitos game. Once installed, a hidden program sends SMS texts to premium rate numbers. That's not so bad, no doubt the premium rate numbers will be switched off soon but the worst is yet to come - "typically we see them in the wild then copycat ones come along soon after," said Sal Viveros, director of wireless security at McAfee."

bandwith is not necessary to be annoying

[garcia]

"Once we are in the 3G world, we basically have a broadband connection, so phones will be closer to PCs in terms of functionality.

"Having that connectivity historically leads to the spread of viruses."

Once more and more devices run the same OS/software and more and more people are using that same OS/software more and more viruses will be written for it. Bandwith has little to do with it.

SMS' to "premium numbers" are annoying and don't require massive mobile bandwith to work.

So? Dont get your software from P2P....

[Kenja]

First, its not a virus since it cant spread on its own. Its a trojan if its anything. Second, since this only effects people who steal software, why should i care?

Why is this news

[Svennig]

Why is this news?

This is more a user intelligence program than a true threat to the symbian 60 series. If it propogated to all the numbers in a phone book (via SMS for example) then it would be something worth worrying about.

WTH?

[Joe5678]

Ok the article that is linked to explicitly says that it does NOT send SMS to premium numbers, only regular SMS messages, and that it does no other damage. So explain to me how this is so very "Destructive"?

Re:bandwith is not necessary to be annoying

[YU Nicks NE Way]

Not only is bandwidth irrelevant here, this issue has nothing to do with OS/software. The malware is written in mobile java, and uses the standard, OS-independent, interface to the phone hardware itself to send the SMS messages.

That is why...

[Space_Soldier]

... a phone needs to be just a bloody phone.

Welcome to the 21st Century

[LanMan04]

As much of a technophile as I am, I'm starting to see a disturbing trend in technology...nifty new technology that's supposed to make your life more convenient (TiVO, VoIP, multi-function cell phones) almost always end up having problems, and end up creating a lot of stress and headache (although whether this negates the device's 'usefulness' is debatable, obviously). We've had telephones for quite a while now, same thing with cars, TV, etc, but all of a sudden there are troubleshooting prodecures for everything.

I don't want to live in a world where I have to download patches and updates for my phone, TV, cell phone, alarmclock, bathroom scale, toaster, fridge, etc, every other week, or worry about them charging me money or disclosing private information. Some things work just great already and don't need all sorts of crazy upgrading, networking, or convergence. If you had a portable game thingy (not connected to any network) to play 'Mosquitoes', you wouldn't have to worry about this!

Re:So? Dont get your software from P2P....

[Kenja]

"Because it's a sign of things to come. Today it only affects someone who stole some software, tomorrow it affects everyone with a particular model of phone, next month one may hit your phone and cause service disruption."

How? How is this unknown bad software of the future going to get on my phone? I've got a dev license to symbian and so far I've not seen any way for software to spread unchecked. Sure it could get pushed via a SMS message, but the user would have to click through it to install.

Applications can access all phone functions?

[hattig]

Does allowing an application to send a text message strike people as being a pretty bad design decision?

Phone applications/games should not be able to access any function that might cost the user money. Or if they do, then the OS itself should intercept and ask the user if they wish to allow the application to send the SMS / phone call / data call. "PsychoSolitaire wishes to send a message to +XX.YYYYYYYYY. This will cost £x. Yes/No/Never"

That is just sensible and obvious design.

Re:so who do i sue ?

[Launch]

How about the malicious code writer that actually caused your problem. I agree that good OS software should be implimented no matter what device it is running, but let's not let the REAL cuprit slide on this one.

He said it does it.

[burgburgburg]

He said nothing about it doing it well.

A fairly important distinction.

Re:Slashdot vs. Article

[stratjakt]

It sends to premium rate numbers, those numbers have been terminated, so at present it sends at the regular rates, which so far as I'm concerned, are premium enough.

If jacking your mobile bill 100 bucks a month isn't "destructive" enough for you, then, there's nothing I can do about that.

Re:So? Dont get your software from P2P....

[Anonymous Coward]

Sure it could get pushed via a SMS message, but the user would have to click through it to install.

The same can be said about the majority of Windows malware and look at how successful that malware has been.

Cell Phone viruses

[!Squalus]

How droll. As a former AV employee, I wonder just how the hell you are supposed to run AV on something meant for phone calls? This stupidity will never end. Next,, you will need that really cool 3D screen and a better graphics card, and then a patch for that virus, and then a controller, and a patch for that virus....

Just yesterday I saw an article that said Open Source wasn't ready for Antivirus software. Well - duh! It isn't all that necessary - yet. Most viruses are ineffective on Linux/Unix/BSD/OS/X because of FHS standards, rights and permissions.

Cell phones that play games are about as useful as the teats on a boar hog (and that is a colloquialism). It's the same old game - sell them a useless but "neat" feature that violates sensible security and then sell them a patch to correct that stupidity that they have to buy and buy and buy.

If you spend your money that way - it's your choice really, now isn't it?

Re:so who do i sue ?

[jeremyp]

You can't sue anybody. This is a trojan inside a pirated game. The only way it spreads is for you to deliberately install it. There's no way to differentiate it from a piece of legitimate software that sends text messages.

Re:Great....

[glesga_kiss]

I'm glad I have my cell phone that ... OH YEA! Just makes calls. Who'd have thunk it?

I know, I was like talking to a friend the other day, and he said he saw a computer with "CD-ROM" device attached to it. What's the point in that? Who'd ever need to play music on a computer? All you need is to be able to print letters. Floppy disks ought to be big enough for everyones storage needs.

/sarcasm (circa 1992)

Re:Wow! Where'd'ya find that?

[FrankHaynes]

The problem is that marketers, in league with the propeller heads, keep finding more and more features that we don't need while ignoring the one feature that we all demand: reliable voice coverage.

Just because we can do something does not mean that we must or should do it. This is yet another example of a solution searching desperately for a problem; a feature (of J2ME) which is rushed to market in the hopes that everyone will go ga-ga over it, while the basic cellular service problems go ignored.

Poor design.

[emeitner]

They should never allow user software to access the dialing functions. Maybe there needs to be a user/OS partition in the phone so that untrusted software has to run in a small sandbox. The last thing we need is some malware disguised as a cute toy DOSing 911 numbers on a specific day.
It would be simple to have a popup dialog that would ask the user if they want to allow the app to dial a number.

Re:Slashdot vs. Article

[Anonymous Coward]

Frankly, if everyone that pirated software got $100 tacked onto their phone bill, I'd dance in the streets!

Re:bah...

[Anonymous Coward]

tongue-in-cheek, originally. i think there needs to be no cabal and no conspiracy. smart, uncaught virus originators (not the pimply fall guys) are betting on MFE to profit from their creations.

i wouldn't be surprised if big pharma relied on a similar mechanism.

Re:Not a virus

[dspyder]

You're correct!!! And rather than post a redundant message, I will add here that this type of crap (non-replicating, non-spreading) should be reffered to as a Trojan or at the very least Malware (depending on exactly what it does).

Of course, the public grasps onto Virus = Bad, regardless of its actual function

In reality, most computer viruses are fascinating studies...

--D

Shortsightedness

[TiggertheMad]

Second, since this only effects people who steal software, why should i care?

1985: "AIDS? Why do I care? Only homosexuals and junkies get it."

Your attitude is remarkably self-centered. There are a lot of problems in the world that are aggravated by shortsighted people such as yourself.

Symbian OS could use built-in protection

[UfoZ]

A good feature for Symbian OS would be a sort of "mobile firewall" for user-installed applications, that notifies you before allowing random programs to do things like place calls, send messages or connect to the net (things that cost you money). If the program you're using is legitimate and you're aware of this, a simple OK would authorize the program to do that particular action (say, send an SMS). If the user said no, then the program's request would fail at the API level, no harm done.

It would prevent this sort of unfortunate situation from happening, because, who knows, the next piece of malware like this might install itsself to run all the time and pump out calls or messages, disable uninstallation or wreak any other sort of havoc.

Of course, in the end it all boils down to the end user's stupidity in installing and running untrusted programs, but a safety measure like this would be a good "last chance" before any actual monetary damage is done.

Re:Cell Phone viruses

[plumby]

Cell phones that play games are about as useful as the teats on a boar hog

I love this "I don't want the feature, so it's obviously useless" attitude on Slashdot. Games on phones may be useless to you, but I and, evidently by the number of games purchased, many other people find games on phones useful. I often find myself waiting around somewhere (pub, meeting room, bus etc) and carrying very little in the way of entertainment except my phone. So being able to have a quick game of chess, or whatever, is a great way to pass the time.

Sure it's something I could live without (as is pretty much every gadget that I own), but that doesn't mean it's not useful.

Re:Wow! Where'd'ya find that?

[Tintivilus]

keep finding more and more features that we don't need while ignoring the one feature that we all demand: reliable voice coverage.

Why does everybody think cell phone manufacturer's are the ones who are installing cell sites? I can make a simple voice phone if I want to, but it's not going to do anything at all to the number of cells in the field. Cell manufacturers take the radio performance of their handsets very seriously -- but that means precisely jack when there's no signal to pick up, or your carrier doesn't have a roaming agreement with any of the networks your phone can see

Re:bah...

[kasperd]

I don't want antivirus on my phone. Because antivirus is an attempt to cure the symptoms rather than the disease. The solution to the virus problem is first of all to avoid dangerous features. That is number one reason why so many viruses target outlook. The rest of the email clients don't have all the dangerous features. The same should hold for phones. Some code I download from an arbitrary location should not have uncontrolled access to all of the phones features. That means it shouldn't be able to send an SMS without the users acknowledge, and it should not be able to make phone calls, neither should it be able to prevent the user from making phone calls.

But security is more than just that. It also means they have to carefully review their code so most bugs gets squashed before the software is released. And a layered design would be a good idea. At one of the lower layers you put basic functionality that controls making and receiving calls and likewise messages. This layer must also ensure, that you can always get access to those features. So a program I download just may not be able to take complete control over the user interface. This shouldn't prevent anybody from for example creating a phonebook with some fancy features, that you can download from the net. But it may never be able to actually perform the calls, it can provide the numbers, and the user will actually see the number and have to press the dial button himself to make the call.

Re:Great....

[Anonymous Coward]

Yes, but computers are modular, and you can actually buy (or build) a computer without a CDROM drive or floppy drive even. Also, software (of the type you buy) comes on CDs, and so does music, so you NEED the CDROM drive. But when over half the phone models have cameras and play mp3s, and 80% have colour screens, and almost none have a decent built-in ring tone anymore, all those features add weight, cost, points of failure, and battery drain. They may be useful to some, even many, people, but you almost can't buy a decent phone these days that just makes calls and lasts a decent amount of time between charges.

And they're not even that small! I am actually surprised at how large some of the new phones are! What the fuck, I thought things were supposed to get smaller, not bigger. I still have a Nokia 6160 (I know, /me hangs head in shame), the model is almost 10 years old now, and it is not noticeably bigger than your typical new-fangled handset.