March 25, 2011, 8:58 p.m.
posted by clayrat
Avoid Malicious Software
Protect your Nokia phone against mobile phone viruses, malware, Trojan horses, Bluetooth scanners, and other malicious programs.
As a powerful and connected computing device, the Nokia smartphone suffers the same vulnerability as other connected computers: viruses and other malicious programs can attack it over the network. Those programs can potentially harm the device, leak sensitive information, cause data loss, or even result in big service charges for you. Compared with regular computer viruses, a mobile phone virus can be especially harmful, since it can spread in peer-to-peer local networks; worse, most phone users are not prepared to deal with such viruses.
Basics of Malicious Programs
Before you can act to protect yourself, you need to know a little about how malicious programs can attack your mobile phone. The following is a list of representative malicious programs on smartphones and the harm they cause:
Force the phone to perform operations that interfere with regular user operations
The original Cabir virus (http://www.sarc.com/avcenter/venc/data/epoc.cabir.html) forces your phone to scan the Bluetooth network all the time, quickly draining the battery.
Disable some device functionality
The Dampig virus (http://www.sarc.com/avcenter/venc/data/symbos.dampig.a.html) replaces some key system libraries and makes many applications, including the Bluetooth user interface (UI), useless on your phone. The Locknut virus (http://www.sarc.com/avcenter/venc/data/symbos.locknut.html) can cripple your phone to the point that you cannot make voice calls. The Fontal.A virus (http://www.sarc.com/avcenter/venc/data/symbos.fontal.a.html) does not cause immediate problems for your phone, but it does secretly replace several key font files, which prevents the phone from booting up once you reboot it. Bluetooth scanners can send malformed Bluetooth messages to your phone and crash its Bluetooth program, forcing you to reboot your phone to recover.
Make phone calls or send Short Message Service (SMS) messages to expensive caller-paid services
The Mosquitos Trojan (http://www.sarc.com/avcenter/venc/data/trojan.mos.html) sends messages to premium SMS service numbers without your knowledge or approval. The message costs are billed directly to your service account. Some Bluetooth-based exploits allow a Bluetooth scanner running on a nearby device to remotely dial your phone or make arbitrary connections using AT commands.
Leak out sensitive personal information
Malicious Bluetooth scanners can allow a cracker to remotely steal the entire memory contents of your phone from another nearby device without your knowledge. In theory, it is also easy to develop a mobile Trojan that gathers information about your contacts, calendar, and media Gallery, and then sends the information to a third-party server on the Internet.
Now, let's discuss those two types of attacks in more detail.
1.1 Viruses and Trojans.
Currently, all Nokia mobile phone viruses are written in Symbian C++ and are deployed to devices as Symbian programs. Although in theory Java-based viruses are possible, they are substantially more difficult to develop and deploy, since Java applications must run in the Java Virtual Machine and must conform to strict Java security policies. Since Java applications do not have direct access to your phone's physical memory or other low-level device-native features, it is less likely that they can breach or circumvent the phone's security policies. In fact, there is no known Java virus for Nokia phones. Since Java is the only programming platform on Nokia Series 40 devices, there are no known Nokia Series 40 viruses.
Mobile viruses and Trojans must be downloaded into your phone for them to take effect. Viruses and Trojans can spread in three primary ways:
The malicious program can present itself as a known (or appealing) Symbian program and trick you into downloading and installing it directly. For instance, the Mosquitos Trojan virus poses as a cracked version of the popular Symbian game, Mosquitos, on certain file-sharing networks. A cracked version of a game is a version that's been illegally modified to remove the registration module, so you can play it for free. The idea is that you'll run it, thinking you are running a game, but the Trojan virus will activate when you run it. Other examples include the Dampig virus, which pretends to be a cracked version of the FSCaller application, and the Skulls virus, which pretends to be a theme manager application. To prevent Trojan viruses, you just need to be careful about the sources of the programs you download. I recommend that you use only legitimate software downloaded from well-known web sites. Beyond the immediate concern of security, it also helps if you don't try to circumvent copy protection, and instead, support the developers that work hard on software you want to use.
Viruses can spread over the local Bluetooth network. An infected device tries to find all Bluetooth devices in its neighborhood, all the time. Once a device is found, the infected device sends the program over to the new device. The recipient is then presented with a message to accept the incoming file and install it. The original Cabir virus spread in this way. If the recipient is not well informed or if the message is deceiving, he might just install the program. For instance, the Gavno virus presents itself as a "software patch," borrowing a familiar concept from Microsoft Windows to deceive users. Once the program is installed, it can execute itself and then start to search for nearby Bluetooth devices to spread further.
A Bluetooth-based mobile virus can infect devices only within a range of several meters. Hence, the virus can travel only as fast as the devices move, which is the speed of airplanes in modern societies. Some newer mobile phone viruses, such as the Commwarrior, can spread over MMS. The virus tries to send itself via MMS to 256 random phone numbers from your Contacts list. This can potentially allow the virus to spread at the speed of telecommunications, which means it can spread across the world in a very short period of time. And what do you do when you receive an MMS from a friend? You open it, of course. This is the same kind of social engineering that permitted so many Microsoft Outlook-based viruses to spread over the years.
1.2 Bluetooth scanners.
Bluetooth scanners exploit insecure implementations of the Bluetooth system software on some phone models. Several Nokia phone models are known to be vulnerable (e.g., Nokia 7650, 6310i, etc.). You can get more information, including an updated vulnerable-device list, from http://www.thebunker.net/security/bluetooth.htm.
This type of attack can be launched from untrusted (a.k.a. unpaired [Hack #11]) devices. The attacker can steal information, including your Contacts list, calendar, photos, etc., from your phone.
This type of attack has to be launched from a previously paired device. The attacker can get access to almost all the functionality on your phone.
This type of attack involves creating a Bluetooth serial profile [Hack #11] to your phone, and then hijacking the phone's voice and data connections.
2.1 Only install trusted programs.
The key to preventing viruses and Trojans is to be extremely careful about what you install. If you download .sis applications from the Web, you need to verify that they are indeed legal and that they come from an authorized source. If you receive an application over Bluetooth, as a general rule do not install it unless you already had a conversation with the sender and are expecting it. Do not install any program from email or MMS message attachments.
2.2 Minimize Bluetooth exposure.
To minimize the risk of Bluetooth-based viruses and Bluetooth scanners, you should turn off Bluetooth in public places. If that is not possible, you can make the device invisible (see Figure) so that it does not show up when other devices scan the network. If you do receive a Bluetooth message from a friend, talk to her and confirm her intentions before you accept or install the application file.
Making the phone invisible on Bluetooth networks (for both Series 60 and Series 40 devices)
2.3 Use a personal firewall.
Most malicious mobile programs rely on the network to spread or work. You can prevent them by controlling the network connections on your phone. One of the most effective network control tools is a firewall. By installing a firewall on your phone, you can:
Prevent unauthorized Bluetooth or General Packet Radio Service (GPRS) incoming connections and file transfers
Prevent Bluetooth scanners from discovering or pairing with your phone
Prevent Bluetooth scanners from accessing any data or services on your phone
Prevent Trojans from sending out any information from your phone
The Symantec Mobile Security for Symbian (currently in beta) provides a personal firewall for Nokia Series 60 phones. You can download it from https://www-secure.symantec.com/public_beta/. Via the firewall, you can specify several different levels of communication constraints. Figure shows the mobile phone firewall in action.
Mobile firewall on a Nokia Series 60 device from Symantec Mobile Security for Symbian
Remove the Virus
If you know the name of the virus that infected your device, you can search for it via Google. You can probably find a lot of security bulletins from research sites such as http://www.symantec.com and http://www.f-secure.com. Most of these bulletins include a complete description of the virus, including the files it installs on your device. For instance, the following two URLs point to the F-Secure and Symantec bulletins for the Cabir virus:
With a file browser tool such as FExplorer [Hack #20], you can follow the instructions to remove the virus from your device.
In practice, it is difficult to know the exact name of a virus. For instance, the Cabir virus has at least eight very similar variations. So, the preceding method is not always practical in the real world. In most cases, a much simpler way to erase the malicious program and reverse the damage is to perform a deep reset. "Reset and Restore Your Phone" [Hack #23] discusses how to reset your phone and then restore its functionality via data backups.
Use Antivirus Software
In the previous two sections, I covered generic approaches to protect your phone and recover from an attack. But those approaches do not always prevent all attacks. Manually resetting the phone is time consuming and does not reverse the financial loss you might have incurred from the virus.
If you are really concerned about mobile viruses, you can invest in antivirus software to protect your phone. Antivirus programs for Symbian-based phones (e.g., the Nokia Series 60 smartphones) are available from the following vendors:
F-Secure Mobile Anti-Virus from http://www.f-secure.com/products/fsmavs60/
SimWorks Anti-Virus from http://www.simworks.biz/sav/
Like antivirus software on computers, mobile antivirus software scans all files on your device to look for specific patterns of known viruses (a.k.a. the virus signature). If it finds one, it isolates the infected file and presents you with the option to remove it. Figure shows a full scan performed by the Symantec Mobile Security for Symbian program (beta).
Scanning the entire phone using Symantec Mobile Security for Symbian
The full device scan takes a long time and consumes a lot of battery power, so don't perform a full scan on a regular basis. To save time and energy, the antivirus programs support incremental scan modes that check only incoming files, such as files you've downloaded or created using software on your phone. After the first full device scan, the antivirus programs run in the background and automatically scan all incoming files from the Web, Bluetooth, MMS, and email messages, and check for virus signatures as they arrive. If they detect an infected program, you will be advised not to install it.
As you would expect, the key for a successful antivirus program is to have a complete list of virus signatures to check against. This is a moving target, since new viruses might be written after the antivirus software is released. So, all mobile antivirus programs come with a subscription service that allows the program to update its virus signature database periodically over the Internet via the phone's data connection.
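The scan modes and signature updates described above can be modelled in a few lines. This is an added example, not code from the article or from any of the products it names; the signature names, byte patterns and file paths are constructed placeholders, and discarding earlier "clean" verdicts when the database is updated is a design assumption of this sketch.

```python
import hashlib

# Constructed placeholder patterns, not real virus signatures.
SIGNATURES_V1 = {"Example.WormA": b"\xde\xad\xbe\xefWORM-A"}
SIGNATURES_V2 = {**SIGNATURES_V1, "Example.TrojanB": b"PREMIUM-SMS-STUB"}

# Constructed sample files (path -> content); paths are illustrative only.
DEVICE = {
    "phone/installs/game.sis": b"header PREMIUM-SMS-STUB tail",
    "phone/images/photo.jpg": b"\xff\xd8\xff\xe0 jpeg data",
}
INCOMING = {"inbox/patch.sis": b"xx\xde\xad\xbe\xefWORM-A yy"}


def digest(data):
    return hashlib.sha256(data).hexdigest()


class Scanner:
    def __init__(self, signatures):
        self.signatures = dict(signatures)
        self.cleared = set()  # digests of content already scanned and found clean

    def _scan(self, files):
        report = {}
        for path, data in files.items():
            hits = sorted(n for n, pat in self.signatures.items() if pat in data)
            if hits:
                report[path] = hits  # candidate for isolation/removal
            else:
                self.cleared.add(digest(data))
        return report

    def full_scan(self, files):
        """Scan every file regardless of earlier verdicts (slow, battery-heavy)."""
        self.cleared.clear()
        return self._scan(files)

    def incremental_scan(self, files):
        """Scan only content that has not already been cleared."""
        return self._scan({p: d for p, d in files.items()
                           if digest(d) not in self.cleared})

    def update_signatures(self, signatures):
        """Load a newer database; old 'clean' verdicts predate it, so drop them."""
        self.signatures = dict(signatures)
        self.cleared.clear()
```

With the older database the constructed game.sis passes the first full scan; only after `update_signatures(SIGNATURES_V2)` does a later incremental scan flag it, which is why the signature subscription matters.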