Phone viruses: how bad is it?
10:00 06 March 2005
Computer vulnerabilities given unified rating system
21 February 2005
Wireless boom is hackers' heaven
22 January 2005
New hybrid cellphone-virus discovered
13 January 2005
Search New Scientist
"You are about as likely to get hit by a falling piano as you are to get a virus on your mobile phone," says Graham Cluley, a security consultant at UK antivirus firm Sophos. Unlike PCs, phones simply have too many different operating systems for viruses to exploit, he says. And there are too few people who own the "smart phones" capable of receiving and transmitting new software - like a virus - to pose a real risk.
Reading the newspapers last week, you may have got the opposite impression. On 21 February reports surfaced of the first two US phones to be infected with a virus outside a lab, sparking predictions of a bleak future in which viruses run rampant, rendering cellphones as useless as PCs hit by LoveBug, Sasser or MyDoom.
The phone virus, called Cabir, was written by a band of European hackers who call themselves the 29a group. They wrote it in June 2004 as a "proof-of-concept" virus, designed to show that phones can suffer viral attacks just like PCs. It first appeared last August in the Philippines on phones running the Symbian 60 operating system, including top-of-the-range Nokia, Siemens and Panasonic models.
The virus drains phone batteries far faster than normal by constantly seeking active Bluetooth radio connections in nearby cellphones. When it finds a phone with Bluetooth switched on, in so-called "discoverable" mode, it asks the user if they want to receive a file. If the user agrees, the virus transmits a file called caribe and asks the user if they want to install it. Enough people have now done so for the virus to spread to a further 11 countries, including the UK, Australia and the US.
"Bad stuff ahead"
Because it can only infect one phone at a time and requires the user's permission, and because battery draining is a relatively harmless effect, Cabir is not seen as a big cause for concern. The real fear is that viruses will get more sophisticated and spread more easily via longer-range internet links like Wi-Fi, which is beginning to appear as a cellphone option. "The really bad stuff is all ahead of us," says Mikko Hypponen of Finnish firm F-Secure.
The class of cellphones hit by Cabir are known as smart phones and sell for at least $500. They fall prey to viruses because they have advanced operating systems capable of executing newly inserted code. The vast majority of phones cannot update their software this way, says Hypponen.
Just 4% of all cellphones sold worldwide in 2004 were smart phones, and it is unlikely to be more than 9.3% by 2009, according to technology research firm Jupiter Research.
But even basic phones are getting smarter. Many have the ability to "sync" with a PC, allowing the phone to do things like download email. This creates another way to insert a virus, says Oliver Friedrichs of Symantec, a company based in Santa Monica, California, US, which sells antivirus software for the Symbian and Windows Mobile operating systems.
A virus that spreads through a phone's Wi-Fi connection or through an email attachment could propagate faster and more stealthily than one that spreads over short-range Bluetooth connections. Unlike Cabir it could infect a phone by exploiting its security flaws.
Steal and destory
"To date we have not seen vulnerabilities disclosed for phones but we expect to see them in future, just like we have with the desktop PC," says Friedrichs. Viruses could steal and destroy data from phones, run up bills by making calls to premium-rate numbers, record conversations in which personal data and credit card numbers are exchanged, and even get a phone camera to spy on its owner and transmit photos.
A major factor protecting cellphones is the variety of operating systems they use, unlike the Windows near-monoculture of the PC world. Only half of all smart phones run the Symbian operating system, with most of the others running either PalmSource or Windows Mobile. Linux variants have only a very small share of the smart-phone market. As most viruses are specific to a particular operating system, it is harder for them to spread in this mixed environment.
It is conceivable that virus writers will find a way round this, says Friedrichs. This could be done by building a "cross-platform" virus that could infect any operating system, or one that could exploit vulnerabilities in the small Java programs that all phones run, such as those for games and journey planners.
Countermeasures for smart-phone viruses are already available from Trend Micro, Airscanner, Symantec, F-Secure and McAfee. But Cyrus Peikari, a programmer at Airscanner of Dallas, Texas, believes that antivirus software may not be enough. He thinks "polymorphic" viruses, which continually rearrange their signature codes to evade detection, will make it onto cellphones.
The only way to detect polymorphic viruses on PCs is to look for virus-like behaviour, such as programs that continually interrupt the operating system as they scan for new files to infect. Cellphone software does not have the sophistication to detect these interrupts, says Peikari. "Your home computer's antivirus software has its tentacles in every corner of the PC. Airscanner's antivirus software cannot do that and I don't believe anybody's can," he says.