The world is going mobile. A large number of people take for granted the ability to communicate with friends and family anywhere, anytime, at a reasonable cost.
Estimates of the mobile’s pervasiveness grow with the release of each new survey report. Some industry analysts estimate that the number of wireless devices worldwide will outnumber desktop and notebook computers in the ratio of 4:1 by 2005.
International Data Corporation estimates 1.3 billion WAP-enabled handsets worldwide by 2004, up from 99 million by the end of 2000.
The migration from simple voice communication to data communication is also underway. Cahners In-Stat Group projects 742 million wireless Internet subscribers worldwide in 2004 and 607 million SMS subscribers in the same year.
Present and Future Threats
Just like other communication or computing media, wireless presents a canvas for less desirable applications.
Its rapid spread presents new opportunities for hackers, disgruntled employees, and others to prove their prowess in spreading viruses and malicious codes.
On the surface, the vulnerability of wireless devices to viruses and malicious code threats appears to follow the same patterns of vulnerabilities that the wired world has experienced. Yet, a closer inspection shows that the vulnerabilities here are more numerous and complex. Such threats can be categorized into three groups: application-based threats; content-based threats; and mixed threats (a power-packed combination of application and content-based threats, not yet seen in the real world).
Application-based Threats: These are posed by actual executable malicious codes that latch onto existing or new wireless applications. Such threats are potentially present anytime a software program is downloaded to, or executed on, a wireless device, especially when the program is downloaded or received from an unknown source. In the wired world, these threats are roughly analogous to the early viruses borne by executable programs.
The first malicious application-based program that specifically targeted the Palm operating system used in Palm Pilot personal digital assistants (PDAs) was called Liberty Crack. The free software, which could be downloaded from a website or accessed via Internet Relay Chat (IRC) rooms, pretended to convert the shareware Liberty Game Boy program into a registered version. When the program was executed, the user was not aware that, in the background, the program was actually deleting all of the executable applications in the handheld device. However, it did not affect the underlying Palm operating system or the embedded applications.
Liberty Crack and similar Trojan horses, which are likely to spread very slowly in the wild, represent a relatively low threat. Liberty Crack is designated a Trojan horse since it masquerades with one purpose while harboring a surprise purpose (like the metaphorical Trojan horse of ancient Greece, in which soldiers hid inside a hollow wooden horse presented as a gift to the Trojans).
While actual incidents of Liberty Crack have not been encountered in the wild, this Trojan horse is significant as a proof of concept, demonstrating that malicious code can be downloaded to and may adversely impact PDAs. Many analysts have labeled Liberty Crack, which first made news in late August 2000, as a harbinger of more malicious code to come. For example, future wireless Trojans could steal data, such as address book information, portal passwords, and other confidential information.
An independent developer for Palm computers, known as Ardiri, assumed credit for designing Liberty Crack, saying its original purpose was to clean up redundant data files. After providing the program to a few friends, Ardiri witnessed its proliferation within the Palm developer community, which then numbered about 80,000. Seeing that he may have caused a problem, he posted warnings about Liberty Crack on various Palm developer sites.
This evolution and proliferation of the Trojan horse raises two key aspects of application-based threats. First, it illustrates the potential for proliferation of malicious code, especially in the form of a Trojan, when it is disguised in a program of perceived value that is offered for free. Second, this early case reminds us that the operating systems in widest use are likely to be the initial playgrounds of writers of malicious code. The large number of shareware applications available and the growing number of legitimate code developers in the community increase the likelihood of malicious behavior. Further, the large number of potentially affected users raises the potential profile of any malicious activity–an enticement for those seeking the limelight for destructive activities.
Since the discovery of Liberty Crack, antivirus companies have been tracking a number of other application-based, potentially destructive Palm programs, including Palm Phage–the first known virus designed to affect Palm PDAs. First seen about one month after Liberty, Palm Phage infects all third-party application programs when executed. Instead of running normally, infected executable files infect other third-party application programs. Palm Phage can theoretically spread to other machines when the Palm is synchronized with a PC or when a Palm beams data via an infrared link to another Palm.
At about the same time, several joke programs were observed on PDAs that run the EPOC operating system. Little more than nuisances, these programs (e.g., EPOC Alone.A and EPOC_Ghost.A) disturb users by sounding an alarm or flashing lights on the EPOC-enabled device. While these programs do not spread from device to device, they demonstrate that malicious code can cause bothersome disturbances on wireless devices.
Moreover, the wireless world is seeing the regular birth of new technologies, with more on the horizon. Some of these will expand the functionality of the device, while others will dramatically change its connectivity with other devices (e.g., Bluetooth technology).
No one has lost data as a result of Palm Phage and the EPOC joke programs. But this malicious code ups the ante for such codes in the wireless arena–demonstrating that self-replicating viruses are not only possible to develop, but easy to develop.
As the functionality of these devices expands in the coming months and years, so will the potential for new threats from malicious code.
In content-based threats, the content itself (e.g., derogatory messages) is the threat, or malicious use of the content is the threat (e.g., spamming of e-mail). While e-mail has become a ‘killer app’ of the wireless world, it is also one of the most vulnerable to attack. Hence, the most common content-based threats to the wireless infrastructure occur through infected e-mail or
The first content-based Trojan to attack wireless devices appeared in June 2000 in the form of the Visual Basic Script (VBS) Timofonica on the wireless network of Madrid, Spain-based Telefonica SA. Timofonica spread by sending infected e-mail messages from affected computers. When an infected e-mail reached a PC, it used Microsoft Outlook 98 or 2000 to send a copy of itself via infected e-mails to all addresses in the MS Outlook address book.
But Timofonica did more than that. For each e-mail it sent, the Trojan also dispatched an SMS message to a randomly generated address at the correo.movistar.net Internet host. Since this host sent SMS messages to mobile phones operating on the European GSM standard (the phone number is the prefix of the e-mail address in the message), the Trojan tried to spam people with SMS messages–in this case a derogatory depiction of Spanish telco provider Telefonica.
Like the Liberty Crack Trojan, the Timofonica attack was benign and caused little real damage. Further, although the program reached out into the wireless world, it propagated via land-based PCs and e-mails, not from phone to phone directly.
Nevertheless, Timofonica demonstrated in the wild the ability of malicious code to tap into the wireless infrastructure and spread with great speed. Timofonica had the potential to flood the wireless network with messages, reducing its performance or even impairing its ability to meet load. At the same time, for wireless users billed on a per-message basis, receiving spam actually costs them money.
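As an added illustration (not part of the whitepaper or of any Trend Micro product), the outbound-mail check a mail administrator could run to catch Timofonica-style SMS spamming: one sender addressing a burst of e-mails to many distinct all-numeric addresses at the e-mail-to-SMS gateway. The log format, the threshold and window, and the addresses below are constructed assumptions; only the gateway domain comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# E-mail-to-SMS gateway named in the article: Timofonica addressed one
# SMS per outgoing e-mail to <random-number>@correo.movistar.net.
SMS_GATEWAY_DOMAINS = {"correo.movistar.net"}

# Constructed sample of an outbound-mail log: (timestamp, sender, recipient).
SAMPLE_LOG = [
    ("2000-06-06T10:00:00", "alice@corp.example", "bob@corp.example"),
    ("2000-06-06T10:00:01", "alice@corp.example", "612345001@correo.movistar.net"),
    ("2000-06-06T10:00:02", "alice@corp.example", "612345002@correo.movistar.net"),
    ("2000-06-06T10:00:03", "alice@corp.example", "612345003@correo.movistar.net"),
    ("2000-06-06T10:00:04", "alice@corp.example", "612345004@correo.movistar.net"),
    ("2000-06-06T10:00:05", "alice@corp.example", "612345005@correo.movistar.net"),
    # one legitimate text message to a single number: below threshold
    ("2000-06-06T10:07:00", "carol@corp.example", "612345999@correo.movistar.net"),
    # gateway domain but non-numeric mailbox: not an SMS delivery address
    ("2000-06-06T10:08:00", "dave@corp.example", "helpdesk@correo.movistar.net"),
    # four numbers spread over 30 minutes: never more than one per window
    ("2000-06-06T11:00:00", "erin@corp.example", "612345101@correo.movistar.net"),
    ("2000-06-06T11:10:00", "erin@corp.example", "612345102@correo.movistar.net"),
    ("2000-06-06T11:20:00", "erin@corp.example", "612345103@correo.movistar.net"),
    ("2000-06-06T11:30:00", "erin@corp.example", "612345104@correo.movistar.net"),
]


def is_sms_gateway_recipient(addr):
    """True when the mailbox part is a bare phone number at a gateway domain."""
    local, _, domain = addr.rpartition("@")
    return domain.lower() in SMS_GATEWAY_DOMAINS and local.isdigit()


def detect_sms_flood(log, window=timedelta(minutes=5), threshold=3):
    """Return {sender: peak_count} for senders that addressed more than
    `threshold` distinct phone numbers at the gateway inside any `window`."""
    per_sender = defaultdict(list)
    for ts, sender, rcpt in log:
        if is_sms_gateway_recipient(rcpt):
            per_sender[sender].append((datetime.fromisoformat(ts), rcpt.split("@")[0]))
    flagged = {}
    for sender, events in per_sender.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {number for _, number in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[sender] = max(flagged.get(sender, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(detect_sms_flood(SAMPLE_LOG))
```

The per-message billing mentioned above is what makes a quick block on the flagged sender worthwhile: every message that leaves the gateway is a charge to a subscriber.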
A similar program was observed on Japan’s ambitious i-mode system. Japan’s largest cellular phone maker, NTT DoCoMo, developed and owns the i-mode system, which appears to have successfully captured both consumer and business markets for wireless device transactions, wireless Internet access, and instant messaging in Japan. With more than 10 million users only 1.5 years after its launch, some analysts see i-mode as a feasible alternative to the WAP being used in Europe and touted in North.
In June 2000, a piece of malicious code began to send a particular message to wireless users on the i-mode system. When the user received the message and clicked on a hypertext link, the program dialed 110–the Japanese equivalent of 911 in North America–without the prior knowledge of the user. This loading of the emergency service lines with useless calls demonstrated the ability of malicious code to reach out to other key infrastructures and cause serious damage.
Another potential content-based threat that may soon enter the wireless world, especially as wireless devices become more sophisticated over time, is embedded script viruses. Prior to the first observation of this class of viruses, viruses could only be contracted through e-mail by double-clicking on an infected e-mail attachment. With the discovery of embedded script viruses, such as VBS_Kakworm and VBS_Bubbleboy, viruses can now infect a user’s system when the user simply opens the e-mail itself. VBS_Kakworm remains one of the world’s most prevalent worms and has ranked consistently as one of the top ten viruses on Trend Micro’s Virus Tracking Center (at http://wtc.trendmicro.com/wtc) since it was originally reported in December 1999.
Purely application-based wireless threats, in which an executable program carries some malicious code, affect the receiving device. The spread of this malicious code is slow since the user must download a program with malicious code and execute the program to become infected. At the other end of the spectrum are content-based threats that spread relatively benign text messages or generate cellular phone calls. Yet, these threats can spread rapidly due to the nature of their propagation medium–entire address books of e-mail programs.
The third type of threat would involve the worst of these previous two types of threats combined. While not yet seen in the wild or even in the laboratory, a threat that integrates techniques from both of these threat types could be formidable indeed.
Imagine a virus that involved the unwitting download of sophisticated malicious code attached to a shareware program that wiped out wireless device applications and propagated itself rapidly across the wireless infrastructure via address books. Such a virus could cause damage to each device it encountered and spread across a country or the world, practically overnight.
Threats on the Horizon
Already, in many parts of the world, mobile phones are no longer used exclusively for voice communication. As cellphone technology is merged with the platform-independent Java programming language and emerging technologies such as Bluetooth, these cellphones will enable sending and receiving of data and applications, even directly from one wireless device to another. The line between PDAs and cellular phones has already blurred, and few dispute that the integrated, transaction-enabled wireless device that handles both voice and data is soon to become a widespread reality. So while consumers will download games that can be played offline, access the stock market, and pay for groceries with their wireless devices, business people will read e-mails, send short messages, and read graphics and charts on theirs. Unfortunately, this wireless utopia is unlikely to come without a price–increasingly sophisticated wireless threats that use the same capabilities (connectivity, functionality, and speed). Viruses can spread from one wireless device to another, from wireless device to point-of-sale device (e.g., at the grocery counter), and from wireless device to PC. The latter path opens up a mode of transmission for viruses to wireless and wired internal LANs, and further propagation across the Internet.
Currently, corporate IT managers have little control over what wireless and handheld devices their users are connecting to the network. Connecting a portable device (such as a PDA) into a PC that is connected to the network is similar to inserting a floppy disk that has not been scanned for viruses into a computer.
Fighting the Wireless Threat
A protection solution for the wireless infrastructure must have the following attributes:
- Multiple layers of protection to address the varied entry points and transmission paths of viruses and malicious code
- Integration of centralized management of all antivirus solutions, including maintenance of gateway, server, desktop and device-level protection
- Implementation within the wireless infrastructure for early detection to minimize damage and costs
- Tools tailored to the wireless threat, rather than merely applying wired world tools
- Mechanisms for automatic maintenance, updating and upgrading of virus protection, since such protection is only as good as the last update
- Involvement of all parties via increased awareness of the potential threat, including corporate IT managers, service providers, operating system and application developers, and end users
Security solutions providers have already begun releasing a sequence of products that address the virus and malicious code protection needs of the wireless community.
These products can be categorized into three groups:
Desktop Computer Solutions: Since the PC synchronization function is a key transmission path for the spread of many wireless viruses and malicious code, protection at the PC is a must. These desktop solutions intercept wireless viruses and malicious code before they can infect the wireless device.
Wireless Device Solutions for Device-to-device Threats: Wireless devices run different operating systems, such as Symbian’s EPOC, Palm’s Palm Operating System, and Microsoft’s Windows CE. To protect these devices from wireless viruses and malicious code, a separate product is usually needed for each platform. Just as on a desktop computer, these products protect the wireless device by performing functions such as scanning, quarantining, and cleaning. As wireless devices have limited memory resources, the wireless counterparts of the antivirus software have to be lightweight.
Wireless Gateway Solutions: Since all e-mail sent to wireless devices and all applications wireless devices download must ultimately originate on some type of server, virus and malicious code protection for the wireless infrastructure must begin at these servers. Corporate administrators can install wireless gateway virus solutions to protect corporate users, while service providers can install them to protect their subscribers.
Excerpts from a Trend Micro whitepaper
WELL-KNOWN MOBILE VIRUS ATTACKS
The earliest significant attack on the mobile world. Spanish telephone company Telefonica was the target of this malicious attack. A worm called Timofonica–similar in nature to the ‘Love Bug’ virus–replicated itself among computer users. The e-mail message discredited Telefonica, and then asked the reader to click the attachment for more information. An aspect of this ‘Love Bug’ variation was that it contacted an SMS gateway and dialed a random mobile subscriber’s phone number.
Through the SMS system, the worm passed its message against Telefonica to the text display on the mobile handset. Fortunately, the worm did not infect cellular phones, nor did the phones pass any malicious code along. However, the attack demonstrated a vulnerability that exists with the new smarter mobile devices like cellular phones and
Palm OS/Phage.963–September, 2000
This virus specifically targeted wireless units using the Palm OS. Unlike previous PDA viruses, which use file sharing, Phage also uses e-mail as a direct means of transfer. After the virus enters the Palm device, it attacks all non-preloaded programs in the device. When the user tries to load an infected application, the screen displays a dark gray pattern and then closes the program.
i-Mode 110 virus–June, 2001
This denial-of-service virus hit an estimated 13 million users of DoCoMo’s mobile Internet service, i-Mode. It took control of phones and dialed 110, Japan’s emergency hotline number. This malicious code was passed in e-mail, not as an attachment. Victims were forwarded a link to a website where, once the right button was clicked, a scripting code launched a DoS attack aimed at the Japanese emergency service number.
Using a buffer overflow to take over a server, this worm sends out a flood of packets, an effect similar to a DoS attack. It was similar to the famous Code Red but not as destructive. The attack affected several Asian countries including Thailand, Japan, Malaysia, the Philippines and India, slowing down Internet traffic drastically. South Korea was the worst hit, with both the wired and the mobile Internet being shut down for almost half a day.