Avoid Malicious Software






Protect your Nokia phone against mobile phone viruses, malware, Trojan horses, Bluetooth scanners, and other malicious programs.

As a powerful and connected computing device, the Nokia smartphone suffers the same vulnerability as other connected computers: viruses and other malicious programs can attack it over the network. Those programs can potentially harm the device, leak sensitive information, cause data loss, or even result in big service charges for you. Compared with regular computer viruses, a mobile phone virus can be especially harmful, since it can spread in peer-to-peer local networks; worse, most phone users are not prepared to deal with such viruses.

Basics of Malicious Programs

Before you can act to protect yourself, you need to know a little about how malicious programs can attack your mobile phone. The following is a list of representative malicious programs on smartphones and the harm they cause:


Force the phone to perform operations that interfere with regular user operations

The original Cabir virus (http://www.sarc.com/avcenter/venc/data/epoc.cabir.html) forces your phone to scan the Bluetooth network all the time, quickly draining the battery.


Disable some device functionality

The Dampig virus (http://www.sarc.com/avcenter/venc/data/symbos.dampig.a.html) replaces some key system libraries and makes many applications, including the Bluetooth user interface (UI), useless on your phone. The Locknut virus (http://www.sarc.com/avcenter/venc/data/symbos.locknut.html) can cripple your phone to the point that you cannot make voice calls. The Fontal.A virus (http://www.sarc.com/avcenter/venc/data/symbos.fontal.a.html) does not cause immediate problems for your phone, but it does secretly replace several key font files, which prevents the phone from booting up once you reboot it. Bluetooth scanners can send malformed Bluetooth messages to your phone and crash its Bluetooth program, forcing you to reboot your phone to recover.


Make phone calls or send Short Message Service (SMS) messages to expensive caller-paid services

The Mosquitos Trojan (http://www.sarc.com/avcenter/venc/data/trojan.mos.html) sends messages to premium SMS service numbers without your knowledge or approval. The message costs are billed directly to your service account. Some Bluetooth-based exploits allow a Bluetooth scanner running on a nearby device to remotely dial your phone or make arbitrary connections using AT commands.


Leak out sensitive personal information

Malicious Bluetooth scanners can allow a cracker to remotely steal the entire memory contents of your phone from another nearby device without your knowledge. In theory, it is also easy to develop a mobile Trojan that gathers information about your contacts, calendar, and media Gallery, and then sends the information to a third-party server on the Internet.

Cabir is the first virus known to target Nokia Series 60 devices. It is largely a proof-of-concept virus. Cabir spreads over Bluetooth and does not contain a payload (the malicious software that does the actual harm). It is benign, except for the fact that it drains your battery with continuous Bluetooth searches. Later variations of the Cabir virus, such as Cabir.b and Lasco, can do real harm to you and your phone.


Based on their attack methods, malicious software on smartphones can be divided into two categories:

  • Mobile viruses or Trojans that are downloaded and installed into your smartphone

  • Bluetooth scanners that remotely exploit your phone from another nearby device

Now, let's discuss those two types of attacks in more detail.

1.1 Viruses and Trojans.

Currently, all Nokia mobile phone viruses are written in Symbian C++ and are deployed to devices as Symbian programs. Although in theory Java-based viruses are possible, they are substantially more difficult to develop and deploy, since Java applications must run in the Java Virtual Machine and must conform to strict Java security policies. Since Java applications do not have direct access to your phone's physical memory or other low-level device-native features, it is less likely that they can breach or circumvent the phone's security policies. In fact, there is no known Java virus for Nokia phones. Since Java is the only programming platform on Nokia Series 40 devices, there are no known Nokia Series 40 viruses.

Mobile viruses and Trojans must be downloaded into your phone for them to take effect. Viruses and Trojans can spread in three primary ways:


Trojan download

The malicious program can present itself as a known (or appealing) Symbian program and trick you into downloading and installing it directly. For instance, the Mosquitos Trojan virus poses as a cracked version of the popular Symbian game, Mosquitos, on certain file-sharing networks. A cracked version of a game is a version that's been illegally modified to remove the registration module, so you can play it for free. The idea is that you'll run it, thinking you are running a game, but the Trojan virus will activate when you run it. Other examples include the Dampig virus, which pretends to be a cracked version of the FSCaller application, and the Skulls virus, which pretends to be a theme manager application. To prevent Trojan viruses, you just need to be careful about the sources of the programs you download. I recommend that you use only legitimate software downloaded from well-known web sites. Beyond the immediate concern of security, it also helps if you don't try to circumvent copy protection, and instead, support the developers that work hard on software you want to use.


Bluetooth

Viruses can spread over the local Bluetooth network. An infected device tries to find all Bluetooth devices in its neighborhood, all the time. Once a device is found, the infected device sends the program over to the new device. The recipient is then presented with a message to accept the incoming file and install it. The original Cabir virus spread in this way. If the recipient is not well informed or if the message is deceiving, he might just install the program. For instance, the Gavno virus presents itself as a "software patch," borrowing a familiar concept from Microsoft Windows to deceive users. Once the program is installed, it can execute itself and then start to search for nearby Bluetooth devices to spread further.


MMS

A Bluetooth-based mobile virus can infect devices only within a range of several meters. Hence, the virus can travel only as fast as the devices move, which is the speed of airplanes in modern societies. Some newer mobile phone viruses, such as the Commwarrior, can spread over MMS. The virus tries to send itself via MMS to 256 random phone numbers from your Contacts list. This can potentially allow the virus to spread at the speed of telecommunications, which means it can spread across the world in a very short period of time. And what do you do when you receive an MMS from a friend? You open it, of course. This is the same kind of social engineering that permitted so many Microsoft Outlook-based viruses to spread over the years.

Some Nokia devices' Bluetooth implementations have known security vulnerabilities that allow files to be received without user acknowledgment. If this vulnerability is exploited by a Bluetooth-based virus, it can be extremely dangerous.


1.2 Bluetooth scanners.

Bluetooth scanners exploit insecure implementations of the Bluetooth system software on some phone models. Several Nokia phone models are known to be vulnerable (e.g., Nokia 7650, 6310i, etc.). You can get more information, including an updated vulnerable-device list, from http://www.thebunker.net/security/bluetooth.htm.

Bluetooth exploits were first discovered by Adam Laurie, of A.L. Digital Ltd., in 2003.


A Bluetooth scanner has to be physically close to your phone (e.g., in a conference hall or classroom) for Bluetooth to work. There are three known types of Bluetooth attacks:


Bluesnarf

This type of attack can be launched from untrusted (a.k.a. unpaired [Hack #11]) devices. The attacker can steal information, including your Contacts list, calendar, photos, etc., from your phone.


Backdoor

This type of attack has to be launched from a previously paired device. The attacker can get access to almost all the functionality on your phone.


Bluebug

This type of attack involves creating a Bluetooth serial profile [Hack #11] to your phone, and then hijacking the phone's voice and data connections.

Bluejacking is often cited as a fourth type of Bluetooth attack. But it is really just a prank. It works as follows. The prankster creates a contact entry on her own phone and enters a prank message into the "name" field. For instance, the "name" of this contact might be "Your phone belongs to us." Then, the prankster sends the contact to random Bluetooth phones as a business card [Hack #35]. The recipient suddenly sees an unsolicited prank message, "Your phone belongs to us," on his phone screen.


Preventive Measures

The best protection is prevention: knowing how the malicious programs work. You can take several simple precautions to minimize your risk.

2.1 Only install trusted programs.

The key to preventing viruses and Trojans is to be extremely careful about what you install. If you download .sis applications from the Web, you need to verify that they are indeed legal and that they come from an authorized source. If you receive an application over Bluetooth, as a general rule do not install it unless you already had a conversation with the sender and are expecting it. Do not install any program from email or MMS message attachments.

2.2 Minimize Bluetooth exposure.

To minimize the risk of Bluetooth-based viruses and Bluetooth scanners, you should turn off Bluetooth in public places. If that is not possible, you can make the device invisible (see Figure) so that it does not show up when other devices scan the network. If you do receive a Bluetooth message from a friend, talk to her and confirm her intentions before you accept or install the application file.

Making the phone invisible on Bluetooth networks (for both Series 60 and Series 40 devices)


2.3 Use a personal firewall.

Most malicious mobile programs rely on the network to spread or work. You can prevent them by controlling the network connections on your phone. One of the most effective network control tools is a firewall. By installing a firewall on your phone, you can:

  • Prevent unauthorized Bluetooth or General Packet Radio Service (GPRS) incoming connections and file transfers

  • Prevent Bluetooth scanners from discovering or pairing with your phone

  • Prevent Bluetooth scanners from accessing any data or services on your phone

  • Prevent Trojans from sending out any information from your phone

The Symantec Mobile Security for Symbian (currently in beta) provides a personal firewall for Nokia Series 60 phones. You can download it from https://www-secure.symantec.com/public_beta/. Via the firewall, you can specify several different levels of communication constraints. Figure shows the mobile phone firewall in action.

Remove the Virus

If you know the name of the virus that infected your device, you can search for it via Google. You can probably find a lot of security bulletins from research sites such as http://www.symantec.com and http://www.f-secure.com. Most of these bulletins include a complete description of the virus, including the files it installs on your device. For instance, the following two URLs point to the F-Secure and Symantec bulletins for the Cabir virus:

Mobile firewall on a Nokia Series 60 device from Symantec Mobile Security for Symbian


With a file browser tool such as FExplorer [Hack #20], you can follow the instructions to remove the virus from your device.

In practice, it is difficult to know the exact name of a virus. For instance, the Cabir virus has at least eight very similar variations. So, the preceding method is not always practical in the real world. In most cases, a much simpler way to erase the malicious program and reverse the damage is to perform a deep reset. "Reset and Restore Your Phone" [Hack #23] discusses how to reset your phone and then restore its functionality via data backups.

If your phone has been infected with a virus and you do not know which programs are infected, it is probably a good idea to be conservative and install all third-party programs from scratch instead of simply reloading them from the backup.


Use Antivirus Software

In the previous two sections, I covered generic approaches to protect your phone and recover from an attack. But those approaches do not always prevent all attacks. Manually resetting the phone is time consuming and does not reverse the financial loss you might have incurred from the virus.

If you are really concerned about mobile viruses, you can invest in antivirus software to protect your phone. Antivirus programs for Symbian-based phones (e.g., the Nokia Series 60 smartphones) are available from the following vendors:

Like antivirus software on computers, mobile antivirus software scans all files on your device to look for specific patterns of known viruses (a.k.a. the virus signature). If it finds one, it isolates the infected file and presents you with the option to remove it. Figure shows a full scan performed by the Symantec Mobile Security for Symbian program (beta).

Scanning the entire phone using Symantec Mobile Security for Symbian


The full device scan takes a long time and consumes a lot of battery power, so don't perform a full scan on a regular basis. To save time and energy, the antivirus programs support incremental scan modes that check only incoming files, such as files you've downloaded or created using software on your phone. After the first full device scan, the antivirus programs run in the background and automatically scan all incoming files from the Web, Bluetooth, MMS, and email messages, and check for virus signatures as they arrive. If they detect an infected program, you will be advised not to install it.

As you would expect, the key for a successful antivirus program is to have a complete list of virus signatures to check against. This is a moving target, since new viruses might be written after the antivirus software is released. So, all mobile antivirus programs come with a subscription service that allows the program to update its virus signature database periodically over the Internet via the phone's data connection.
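The scanning behaviour described in this section (signature matching, a first full scan, incremental scans of incoming files, and a signature database that changes over time), as an added Python example that is not from the original text or from any vendor's product. The signature names, byte patterns and file names are constructed for illustration, and rescanning every file when the database version changes is an assumption of this example, made so that files scanned before an update are checked against the new signatures.

```python
import os
import tempfile

# Constructed signature database (invented patterns, not real virus signatures).
DB_V1 = {"version": 1, "patterns": {"Example.Worm.A": b"\xde\xad\xbe\xefSPREAD"}}
# A later subscription update adds a pattern for a newer threat.
DB_V2 = {"version": 2, "patterns": {**DB_V1["patterns"],
                                    "Example.Trojan.B": b"PREMIUM-SMS-DIALER"}}

def scan_file(path, db):
    """Return sorted names of every signature whose pattern occurs in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(n for n, pat in db["patterns"].items() if pat in data)

def scan(root, db, state=None):
    """Full scan when there is no state or the database changed; otherwise
    incremental: only files that are new or modified since the last scan.
    Returns (findings, new_state, scanned_relative_paths)."""
    full = state is None or state["db_version"] != db["version"]
    seen = {} if full else state["files"]
    findings, files, scanned = {}, {}, []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.stat(path)
            files[path] = (st.st_mtime_ns, st.st_size)
            if seen.get(path) == files[path]:
                continue  # unchanged since the last scan: skip it
            scanned.append(rel)
            hits = scan_file(path, db)
            if hits:
                findings[rel] = hits
    return findings, {"db_version": db["version"], "files": files}, sorted(scanned)

def demo():
    """Run three scan phases on constructed files; return each phase's result."""
    with tempfile.TemporaryDirectory() as root:
        def put(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        put("notes.txt", b"meeting at noon")
        put("game.sis", b"header PREMIUM-SMS-DIALER body")  # unknown to DB_V1
        first = scan(root, DB_V1)                            # initial full scan
        put("patch.sis", b"xx\xde\xad\xbe\xefSPREADxx")      # incoming file
        second = scan(root, DB_V1, first[1])                 # incremental scan
        third = scan(root, DB_V2, second[1])                 # after signature update
    return first, second, third
```

In the third phase, game.sis is flagged only because the updated database triggers a rescan of files that had already been checked, which is why an out-of-date signature list leaves earlier downloads unexamined.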

