First Destructive Mobile Phone Virus In The Wild

gbjbaanb writes "eek! the BBC is reporting the first mobile phone virus that causes damage is out and about. The virus only works with the Symbian Series 60's OS (no, not the Smartphone) and spreads through an adapted copy of the legitimate Mosquitos game. Once installed, a hidden program sends SMS texts to premium rate numbers. That's not so bad, no doubt the premium rate numbers will be switched off soon but the worst is yet to come - "typically we see them in the wild then copycat ones come along soon after," said Sal Viveros, director of wireless security at McAfee."

Great....

[MP3Chuck]

Yet another reason I'm glad I have my cell phone that ... OH YEA! Just makes calls. Who'd have thunk it?

so who do i sue ?

[Anonymous Coward]

do i sue the phone manufacturer or my provider for flaws in their product that cause me financial loss ?
perhaps after getting bitchslapped in courts is the only way to teach manufacturers that quality counts and YOU WILL be held responsible if you products are faulty

Not quite as I'd have thought.

[YU Nicks NE Way]

According to The Register [theregister.co.uk], the malware was built into Mosquitos to begin with as a copy protection mechanism. I don't know whether to believe it or not -- if it's true, it's a really clever way of recouping development costs, and puts a new twist on "software that calls home".

Of course, worm writers will still catch on quickly anyway, I'll bet.

Re:Not quite as I'd have thought.

[garcia]

For most people SMS' will show up on their bill as most people don't do much FREE sending of SMS' (at least here in the states). I think that these people would see their bill go up and find out the reason for it.

Personally, if I were charged for SMS' without my consent I would want to recoup those costs myself as well.

Not a virus

[nmg196]

This is not a virus. It doesn't spread itself. It's simply a trojan that you have to manually download and install by bypassing two security warnings after first having found it on an irreputable site or P2P network. Hardly a threat.

I'm also not sure it deserves to to be called destructive either. It doesn't destruct anything or in any way modify any other services on your phone - it simply sends SMS messages. It would be better classed as "expensive" :)

Re:bandwith is not necessary to be annoying

[wwest4]

The quote seems in line with intuition at least... how would it go - as the bandwidth increases, practical usage will increase, the number of active nodes will increase, and voila a petri dish for more sophisticated viruses. Sure, it's not the only catalyst, but bandwidth seems to have something to do with it.

Re:Great....

[nlawalker]

I wish I had a phone that just made calls. It seems that mobile phone companies still have yet to make a phone that can even do that well. I'd love to see a push forward in a more usable interface too... obviously, it's tough to change things such as the stanard telephone key layout, but my newer Nokia phone, for example, has basically the same look and feel as one of the first phones I ever had years ago. Also, the power button is a pain in the ass, the battery cover is very flimsy, and the color screen (of which I really wouldn't care if it was black and white) is difficult to read even in mild sunlight.

Once they make a phone that fixes problems like these and works with the service in a way that I can make and receive good quality calls, THEN I'll be interested in what they have to say about other uses of mobile phones.

Re:That is why...

[Launch]

Product integration is a great idea. I'm happy my phone has a digital camera in it, I'm happy I can sync it to outlook. Both my PDA and Digital camera are factors of 10 better than the tools on my moto V400.... but when I'm steping out of the house it's nice to not have to gear down unnessicarly.

A phone needs to be just everything it can possibly be.

Re:Not quite as I'd have thought.

[Anonymous Coward]

It isn't "clever" at all - a lot of commercial software does the same thing over TCP/IP if available. (TeXtures and QuarkXPress for Mac both did this, though one could just unplug eth0 while the app booted...)

The ONLY difference here is that it uses a premium, possible-pay-per-use medium to make the calls and is thus, afaic, not too different from those porno over-seas 900 dialers that were a big deal last year. This is not clever and it is probably illegal under computer abuse acts (sure would be in the US), at least if the SMS "feature" was really a secret as the author was quoted.

Re:bah...

[Rosco P. Coltrane]

Just entertain the thought for a moment: could it be , just by some remote chance, that with Microsoft about the kill the A/V market on Windows, the recent release of new viruses on the previously untouched smart cellphone target isn't just a coincidence?

I mean, you've got to admit, cell phones that do many things a computer does and require a complex OS aren't exactly new, and they've always been "networked" (by definition), but somehow it's only now that this market could provide a bail-out route from the Windows platform for A/V companies that these viruses come out. Strange isn't it?

Re:Nope - "virus" is a broken anti piracy system

[Nurseman]

Okay, I not only RTFA but I RTF Link (The Register) too, I don't get this part:

Although the Mosquitos saga turns out to be an urban myth, the recent discovery of the first malware capable of infecting smartphones shatters the comforting belief the mobile phones are safe from viral infection. The threat is very low at present but shouldn't be completely discounted. ®
So is it real or urban myth ? Also, as repeatedly mentioned, you must install an run "Warez" version of this game for it to work. Let the buyer beware !

Re:so who do i sue ?

[mkeroppi]

The thing is the victim is not the one spreading the trojan. Receivers of SMS are those that pay for it. The Trojan is inside the sender's phone.

Re:Cell Phone viruses

[argent]

The requirements for a virus or a worm to spread are (a) a place for the virus to hide, (b) a way for the virus to copy itself to the victim, and (c) a way for the virus to launch on the victim. Note that "bypass local OS security" isn't on this list.

Client file system protection makes (a) harder, but it doesn't prevent it... I suspect it's impossible in principle to prevent (a) short of running everything in a sandbox that's destroyed when you quit using it. The biggest advantage that open source systems have is that they make (c) harder... you don't have to depend on the vendor recognising and fixing security holes and design flaws... or refusing to fix them for tactical reasons.

This is just another reason for me to carry a cheap dumb phone and a separate PDA that's only in communication with the rest of the universe while I'm actively using it for that purpose. That makes requirements (b) and (c) dependent on my doing something stupid.

Remember the Pakistani Brain?

[billsf]

How history repeats. The Pakistani Brain is said to be the first virus 'in the wild' and it is a true virus. Another form of illegal copy protection was tried by a rather respected engineering software company. If you forgot the dongle, the whole LAN (except for the Unix machines) slowed down to a snail's pace. The solution was to re-install Windows95. Even for a small company this was very expensive. The vendor offered a non-protected version to make up for this. They hopefully removed what was probably the first true Windows virus. (True viruses are _extremely_ rare.)

Is there any question who to sue? Any use of malware for copy protection is unjustified and clearly in violation of the law in most places. This kind of crap has been tried before and it never benefits anyone.

Re:Nope - "virus" is a broken anti piracy system

[gl4ss]

it's not a virus anyways..
it only gets distributed by people.. ..and only gets installed by people who want to install it.

it's a sms sender attached to a warez release - nothing more nothing less.

Fingers pointing - wrong direction

[t_allardyce]

Of course all fingers will be pointing at the authors, and even though they are assholes, the real problem is not in this 'virus' its in the the phone or the OS - it simply should not be letting add-on software have access to the sms functions! its just like the whole outlook crap. Lets say you give your plane passengers a network they can plug their laptops into to use the net, you dont then connect that network to the planes' own bloody computers and let anyone have access to the "flying the plane" functionaliy, its just stupid and if you did that and someone plugged in their laptop and said "hey look at this, i think ill fly this plane and crash it" as much of an asshole as they are it would still be your fault. This sort of stupidity has to stop - sue the people responsible.

Re:Wow! Where'd'ya find that?

[sfm]

All these added features in a cell phone.....it makes sense from a manufacturers point of view.

They are all asking their R&D departments to come up with features that give the most bang for the $'s spent. While there are serious cost limitations on how the communications portion of the system can be improved, extra games are simply added software and attract customers attention.

Cameras can be explained in a similar (but more complicated) way. Camera hardware is an added expense, BUT the phone service providers can charge a premium for data (picture) transfers on top of the voice connection.

Improvements in the telephone portion of the system are usually subtle and go unnoticed by the general public. If there were some source of information comparing a cell phones basic features (Sound Quality, Battery Life, Larger possible service area....) and this was EASILY available to the public, you may start seeing the phone manufacturers start giving us features we really care about.

Personally, I could give two hoots about pictures and mp3's coming through my phone. I would be quite satisfied with good voice service and SMS. Maybe if more people expressed this idea, there would be a reaction in the market.

Re:Not quite as I'd have thought.

[decepty]

According to Symantec, this virus was dicovered on January 7th [symantec.com]... Did it really take 7 mos. to get out to the wild/become a threat, or is the BBC just having a slow news day?

Re:bandwith is not necessary to be annoying

[cbiltcliffe]

If that's true, then phones shouldn't be able to run software at all!

BINGO!! That's probably the smartest thing anybody's said so far!

Some carriers make it hard to load apps

[juanfe]

I run a developer program for a US carrier. We make it fairly difficult for everyday users to install applications on their phones that have not been blessed/sanctified, particularly to avoid widespread dissemination of things like this.

We're frequently lambasted on public forums and through nastygrams from folks (mostly developer types) who keep on insisting that these restrictions are unconscionable, that information wants to be free and that they bought the phone and they should be able to do whatever they want to it.

You can imagine the reception I get whenever I explain that the restrictions are there, in great part, to protect customers from unwittingly loading malware on their phones that would cause them to get ridiculously huge phone bills.

Mild pleasure to be taken from vindication, I guess.