Mobile malware: Two years on...

Although many still regard the threat as largely over-hyped, the first self-replicating mobile phone virus was discovered almost two years ago - leading some to now wonder whether, or when the threat will mature into a realistic concern for end users.

On June 15 2004, Finnish antivirus company F-Secure released details of a piece of mobile phone malware that used Bluetooth to try to spread to other Symbian series 60-based mobile phones.

Almost two years on, F-Secure's chief research officer Mikko Hyppönen reports that although there are now more than 200 mobile phone viruses - many of which are variants of Cabir - the problem is unlikely to get as bad as it has with PCs.

Hyppönen, who was last week speaking at the AusCERT conference, told silicon.com sister site ZDNet Australia: "The difference is that PC viruses were first found in 1986 and mobile phone viruses were found in 2004. So we are living in the equivalent of 1988 but in 1988 Microsoft or hardware manufacturers were not doing anything about viruses.

"In the mobile phone world, all the mobile phone manufacturers are working on the problem as are the phone operating system manufacturers, like Symbian, Microsoft and Palm. Operators are on top of this - there are several phones from Nokia that come with antivirus software, which is made by F-Secure."

At AusCERT, Hyppönen presented a talk about current and future mobile phone threats. He explained that malware aimed at mobile phones is close to evolving into something that could make cyber criminals lots of money.

He said: "On any new platform the first malware is made by hobbyists as a proof of concept - the professionals move in later on. This change hasn't really happened yet on the mobile phone side."

One example of a Trojan designed to illegally make money from Mobile phone users is called Redbrowser, which will run on any Java-enabled phone and is 'advertised' as a special web browser that, if installed, will provide the user with WAP browsing.

In reality, Redbrowser is programmed to send vast quantities of text messages to a Russian premium rate number, which could cost the victim hundreds or even thousands of dollars.

Hyppönen said: "Redbrowser starts to send text messages from your phone to that number - as many as it can, as fast as it can and each message costs you around $5."

Another piece of mobile malware that could hit its victims in the pocket is Commwarrior, which first appeared in March 2005 and used both Bluetooth and Multimedia Messaging Service (MMS) to replicate.

MMS is commonly used for sending picture messages but it can also allow mobile phone users to exchange ringtones, files and other applications.

Hyppönen explained: "Say you have 200 numbers in your phone and you get hit with Commwarrior. It will send an MMS message in your name to every single number in your phone. So people get a message from you, they trust you and open up the message and get infected."

If Hyppönen got infected by Commwarrior, it would cost him a significant amount, he said: "You pay for every message so if it cost 50 cents, [200 contacts means] it has cost you $100. I have 1600 contacts so if I get infected it will cost me $800 - that is already a lot of money".

Although Commwarrior infections are not a serious problem at the moment, some mobile phone operators are already feeling the pain, said Hyppönen.

He added: "One operator found that 2.5 per cent and another found 3.5 per cent of all their MMS traffic was not generated by people but by viruses. Another operator we spoke with said that their user support gets around 200 calls a day about mobile phone viruses."

Over the past year, spyware has become one of the biggest problems on PCs so it is not be a surprise that issue has migrated to mobile phones.

At the end of March, F-Secure discovered a "spying application" called FlexiSpy that is designed to record text messages, log calls and even send back recordings of calls to a third party.

Although the application, made by Bangkok-based Vervata, is technically legal and has legitimate uses, F-Secure objected to the fact that once installed there is no indication to the user that so much information is being leaked to a third party.

He said: "You can use it to monitor your 10 year old and it is legal - depending on where you are - and justifiable. But then again if you install it on somebody's phone without them knowing about it, it is illegal."

Last year, analyst group Gartner predicted that a serious mobile phone virus is unlikely until the end of 2007 because it will take that long until there are enough mobile phones capable of carrying the infection.

Hyppönen also believes that the virus problem will get worse - before it gets better. However, he is confident it will never be as bad it is currently with PCs.

He said: "There have already been tens of thousands of mobile phones infected and mobile viruses have spread to 30 different countries. I have been infected four times - once in London and three times in Finland.

Hyppönen added: "If we play our cards right we will not have 165,000 mobile phone viruses in 2020."

Munir Kotadia writes for ZDNet Australia