So CA is accusing F-Secure of FUD around the mobile threat. Not hugely interesting (amusing, yes, but interesting? No – glass houses.)
However, one extremely interesting data point in F-Secure’s self-defense post is that Mikko Hypponen from F-Secure has been hit by mobile phone viruses FOUR times:
Is the threat real? Yes it is. I know, because I’ve been hit four times myself. Of course I’m running our antivirus on my phone, so I haven’t actually been infected. But a Bluetooth virus has tried infecting my phone four times so far. Twice in Helsinki, once in Stockholm and once in London.
Personal anecdotes are always interesting when used as proof points. My own anecdote is that Mikko is the first person I’ve ever heard of who has been attacked by a Bluetooth virus. And he’s been attacked four times.
Has anyone else out there ever been hit by one, or have a friend who was infected? Is this a European problem? (It definitely would explain my lack of first-hand knowledge.) What kind of false positive rate does the detection software have?
I seem to recall a video with Mikko saying that smart phones were more popular in Europe than in North America… more susceptible devices generally means the population is better able to sustain infectious malware…
Also, it should be noted that the anecdote is just the proof he provides in that one particular article…
@Kurt -
Yes, I heard that, too. I wonder if that popularity is enough to correlate to Mikko to determine whether 4 attacks is typical or an extreme outlier.
I am sure there are enough folks who want to own Mikko’s ass badly enough to hit him like that …
@pete -
I don’t know enough about mobile malware to say if Mikko is an outlier or not… however, in the email malware domain the encounters (not necessarily incidents per se) per person have a rather high variance… I don’t think it’s unreasonable to imagine that the same could be true of mobile malware…
There are a lot of factors that can affect it, and for Bluetooth malware especially, geographical population density of susceptible devices is a big one – as is the sociability of the phone owner (cell phone or no, if you never leave your house you’re much less likely to come into range of an infected phone)… F-Secure operates in Helsinki, a fairly high-tech center that is also home to (one of?) Nokia’s headquarters… interpret that as you will..
I’ve got no malware encounters yet, but have been running an experiment at home logging all discoverable Bluetooth devices that go by. There are quite a lot, though it’s mostly the same devices, day in, day out. Even without an attack, you can do some good traffic analysis, and I should be able to give a breakdown of phone vendor during the analysis.
Maybe Finland has enough of a critical mass of devices that the viruses/worms can actually spread, so infecting even more of the devices. They need to be physically close to spread, so normal network epidemiology won’t apply. It’s more like classic medical diseases, where you need enough of a susceptible population in range…
A colleague of mine asked me to help her son get Cabir/Carib off his phone. This was in the UK, so this shows that Mikko isn’t the only one who gets them.
I’ve seen a Bluetooth/MMS virus live and spreading at my job. But we got it disinfected.
And how did we notice it? Well, it tried to spread to my workmate’s phone!
Hi!
I live in Finland and my phone has been attacked over 20 times. I’m attacked once a week, basically. Once my co-worker’s phone started to send me messages and I found that he had caught Commwarrior.B. So I told him to disable BT and install a mobile AV solution. =)
Girlfriend’s relative got a message he accepted; after that his co-workers began getting obscene MMS messages. I haven’t yet investigated the phone.
Google is also a good source for spotting what has happened. E.g. a very specific search, looking for: “cabir mobile virus california” (without quotes) gets you news about things happening in the USA. Naturally this is a very specific search, limited only to Cabir.
A friend of mine was hit by Commwarrior at the Düsseldorf airport.
We disinfected the phone using the disinfection tool provided by F-Secure and disabled his Bluetooth.
So, even if it’s not “widespread”, or let’s say, even if there are only a few infections out there (compared to PCs), it’s a real problem.
Mountain View in-n-out, .sis file, sent to my laptop. Not sure what it was, but it contained a bunch of application names I assume it would try to pose as (“new anti-virus update”, “free ringtones”, etc)
Hi. I’m here just to tell you that I’ve been offered Bluetooth viruses in virtually every single country I’ve been working in, and dozens of times this year alone. In some cases I really need to switch Bluetooth off just to be able to work with my phone. I understand the point of your blog entry, but it seems like you really didn’t understand what Mikko tried to say. Don’t be a smart ass.
I have received Comwarrior while walking around in a shopping mall here in the Philippines. In the course of less than 2 hours, I got hit twice. I was enabling my phone’s Bluetooth as an experiment to see how prevalent this malware is, as we had received several reports (I used to work in an AV company). This was around a year ago.
Why does Mikko travel a lot with his phone’s Bluetooth ON? Because he needs to collect any Bluetooth connections in any case around the world to find any viruses or something else. A typical user won’t be hit by a virus, because he/she doesn’t even know how to turn Bluetooth on (it is not on by default). They use cables and so on. IT’S HYPE, thanks to Mikko in their blog.
My father and I were attacked by a BT virus trying to send a .sis file claiming to be from a “Beatiful woman”; the only way to stop it was to turn off BT.
If Mikko wants to discuss these matters, he can set up his own feedback channel (Isn’t that right, Mikko? You read these too. ;) I don’t want to bother you by e-mail, but it would be nice to throw a comment in that direction too.
Go download Blooover or any Bluetooth listening software and watch the number of open Bluetooth connections out there. I picked up 74 open connections at Interop in Vegas during one session. Bluetooth and text messaging viruses are a real threat, particularly in Europe and Asia. If you think Mikko’s full of hot air, then you’re in for a bit of a surprise when you get p0wned by one of these viruses. Enjoy the Skulls virus. It’s a nice one.
As somebody who works on a mobile tech helpdesk all day long in the UK I know they are out there. Most people assume that a bluetooth file transfer from a mate is just another porn clip or a free ringtone and only after the phone crashing, battery life being cut down or everyone in the office noticing do they realise they might be infected (and most times I still have to tell them that they have been infected and that it was their fault)
Disclaimer: I work at F-Secure.
Now that the disclaimer is out of the way I should note that I did not get attacked by a mobile virus. However, while using a programme that listens to open Bluetooth phones, my phone was able to “see” more than 600 phones with Bluetooth enabled until I stopped the experiment 30 days later.
Now, I did not get infected by any BT virus, but it is easy to see how an infected phone can easily reach a very large number of phones with BT enabled.
I’ve not been hit personally, due to having a cellphone rather than a smartphone. I have however helped someone at Sussex University (in England) with removing a variant of Cabir from their phone. They must have got it from somewhere, which means at least one other person has it. Unless that other person was the original source (unlikely, this was a while after the discovery of Cabir), they must have got it from somewhere, which means at least one other person has it. You can continue this line of reasoning all the way back to the original source.
I have been attacked by Cabir once in Asia. Some of my friends were infected too. I think it’s a real threat…..
I’ve been analyzing mobile malware for a while now. Although mobile malware cannot propagate without social engineering, it can irritate the host mobile user into accepting the malware file sent (if they are within range of the infected Bluetooth device), and with the help of curiosity, they might even install it on their mobile phones. After this the infection grows…..
I’ve been in a lot of places and I’ve encountered several attacks, in Europe and in Asia, mostly with Commwarrior and Cabir. Mobile malware/viruses are a real threat!!!
You should be careful of this malware, especially those with payloads that might destroy the operating system of your mobile machine.
I always got Cabir and Comwar when I was still in Manila. It’s a good thing I have an antivirus for mobile installed. I still have a copy of these two malwares on my phone though; if you want I can give you a copy…
cheers
When you go to a mall or any crowded place in Manila, Philippines with your Bluetooth-enabled cellphone, you will get a lot of file transfer requests. All of these file transfers have a [dot]SIS extension name. That’s why I never turn on the Bluetooth on my cellphone when I’m not using it.
Yep, I have been hit 5 times myself during the last 7 months. 4 times in Asia, once in the UK.
I had my phone attacked once last summer. After that my Bluetooth is off.
My classmate’s phone got infected by a BT virus last winter in a local library, and my phone has also been under attack several times while traveling on a bus, but I never accepted those files. (All these incidents happened here in Lahti, Finland)
I have also seen a phone that received files automatically.
Hi,
thought I’d also tell my experiences: 3 times a virus has tried to get onto my Symbian phone, once in Paris airport and twice in Finland.
One reason that you haven’t got any viruses is that you just haven’t noticed a BT connection trying to access your phone. (And of course you would need to enable BT
Cheers,
Teppo
Last night we were having a family get-together here in Oulu, Finland. My wife had BT on, and as we were leaving, it alerted about an incoming object – a Comwarrior installation file. I checked my phone, and there it was too. It originated from a Nokia 6600 owned by a teenage girl. She’d wondered why the phone had tried to send something for a long time every now and then… I’ve seen this happen many times, also in Paris two weeks ago. And many times before that, in the local supermarket, etc…
Technical personnel of VIP (Croatian GSM operator) were hit with at least 4 infections in their office.
Comment about Bluetooth: yes, my Bluetooth is always open and I have received lots of funny stuff from unknown people’s mobile phones; none of them was a .sis installation or virus, so I’m not planning on turning Bluetooth off. It’s like: it’s insecure, let’s shut it down. Why not instead: let’s protect it (or do not install .sis files received over Bluetooth).
A friend of mine received a few connections with a virus inside (did not install it though) in Zagreb, the Croatian capital city.
So, mobile viruses are real and are a threat, and I expect to see them grow into a bigger threat as smartphones get cheaper and more widely accepted.
Hi, my $0.02 – I’ve had attacks on my phone and those of my colleagues tens of times and have been attacked by Bluetooth viruses in Helsinki, Paris, Barcelona, and even Alexandria in Egypt. Given that I live in Helsinki, where smart phones are very common, the Bluetooth virus attack problem is very much an emerging headache for smartphone owners.
Most of the attacks I’ve had have been from a neighbouring building on the same floor as the office I was working in. Line of sight seems to give Bluetooth really incredible range (spec is 10 m, have seen even 45 m happening without any kind of amplification).
Not sure, but I think the Series60 participants (i.e. smartphone manufacturers) have designed subsequent revisions of the software to kill previous forms of the virus. Problem is that the latest version (Series60 v3, found in e.g. recent N-series phones) is going overboard by requiring that some software be checked & validated by human eyes somewhere in India before it is allowed to be installed on phones. E.g. Salling Clicker.
My phone has never been infected by mobile malware but I’ve seen it happen many times for other people. I’ve received several “Do you want to receive and install this and that?” notifications during the past 2 years, a couple of times in Finland but mostly in Asia.
A bluetooth virus tried to enter my phone at the Milan airport last November. It was quite persistent. I also have a friend (he has nothing to do with F-Secure) who has been hit at least FIVE times: twice in Singapore, once in the middle east, once in Cannes, and once in Helsinki. So Mikko’s four times is no extreme exception.
Letting oneself remain in denial-mode about mobile threats seems to me like a very emotional way to address the issue. As this discussion started with the allegations made by CA, just consider one fact: who has more real information about the threat: a mobile operator (like Orange), or a bitter security vendor lacking mobile security (like CA)?
I have seen quite a few Nokia mobile phones that have been hit by the Cabir virus. I know a case where most of the mobile phones in a meeting room got infected (they had BT up and running and there was no anti-virus protection).
Personally my Nokia Communicator has not got “hit”, but then again I don’t really use BT that much at the moment.
My first time was in a bowling alley in Helsinki last April. The virus tried to infect my phone over BT. If I remember correctly, it was Commwarrior.
–Ilkka
I haven’t seen any viruses for mobile phones in the wild so far in France, Belgium, Italy and Germany. Also I did wonder about the big hype from F-Secure regarding the World Cup 2006. I was at 5 games and left my bug-infected phone open for everyone to verify if something was happening, but not at a simple spot. The interesting fact is that I was able to attack lots of phones at exhibitions like CeBIT, Systems and so on but never saw a virus spreading there at all. Sometimes we try to attack phones used in cars that are waiting at the traffic lights, also with partial success, like SMS snarfing etc.
But the whole thing from my point of view so far is just a media hype, as nothing really is happening in the IT market which had such attention like AV or hacking stories told …
Also I never heard mobile operators complaining about future possibilities or threats in the way F-Secure preaches them right now. I used to work for T-Mobile in networking and we did wonder when someone told of what might happen; actually we just laughed, knowing that the cells couldn’t take the load, same for too many connections like during the World Cup 2006. This isn’t really new, that connections made will have an impact on the network, but a scenario where everything could be overloaded, sorry, can’t believe the hype. How many operating systems are out there? How many really affected by certain bugs that can be used, how many new ones coming out every day? I guess this is nearly impossible to strike against at least 2-3% of the total and this will then truly not affect all phones, operators etc.
Remember when XP SP2 came out, everyone said the big blasts against Windows operating systems will be terminated by it sooner or later; did anything big happen since? No? Won’t the industry just catch up like MS did? Like offer firewalls for mobile phones, PDAs or similar devices when connections are at reasonable prices, heavily used and then maybe of interest to be targeted by hackers? Why not, but won’t it be an operating system feature like in Linux, Windows, Mac OS? I guess so, but what about the hype then? Maybe it will be “infecting streaming devices for video on demand” or “got the flu?” or maybe just like these days “the new xxxx hardware from vendor xxxx”, but we will see …. But getting back to the point, ain’t smartphones just those fancy machines with extreme fancy features that for some reason people rarely really use but are cool to at least own???
When I was in army last February my “roommate’s” phone tried to infect my phone many times, which started to be very annoying at the end.
http://www.f-secure.com/weblog/archives/archive-082006.html#00000935
New variant of CommWarrior.
From Petteri’s post:
“but getting back to the point, aint smartphones just those fancy machines with extreme fancy features that for some reason people rarely really use but are cool to at least own it?”
Umm, no. It’s basically a device with the processing power of a PII computer that runs a Windows or Linux OS. Those “features” include e-mail, web access (yes, with an IP address), document/presentation editing, file storage (SDRAM cards), and features useful to the mobile user.
You’ve never heard mobile providers complaining probably because you aren’t looking at this issue from a business operations perspective. Every tech support call costs money. Mobile viruses wreck phones, transmit SMS messages, and take up bandwidth, which the mobile provider ends up reimbursing to the customer. That being said, mobile providers are VERY interested in stopping mobile viruses.
From Mark Johnson’s comment:
“Umm, no. It’s basically a device with the processing power of a PII computer that runs a Windows or Linux OS. Those “features” include e-mail, web access (yes, with an IP address), document/presentation editing, file storage (SDRAM cards), and features useful to the mobile user.”
I do know this, but who really uses that? Ain’t it more or less phones like BlackBerrys and such which are commonly used? I am not talking about Windows Mobile or Symbian based phones for which such “security solutions” exist .. the majority uses “smart” phones more or less as a fancy tool, like playing solitaire, listening to mp3s or you name it …
“You’ve never heard mobile providers complaining probably because you aren’t looking at this issue from a business operations perspective. Every tech support call costs money. Mobile viruses wreck phones, transmit SMS messages, and take up bandwidth, which the mobile provider ends up reimbursing to the customer. That being said, mobile providers are VERY interested in stopping mobile viruses.”
Well, you might know that my previous employer is Germany’s largest mobile operator, maybe even Europe’s, and in that case, as I already wrote, the infrastructure in place won’t be able to cover the demand of a total overload if like 30% of devices would be able to get infected anyway, so the threat is more or less theoretical; that’s what I meant. And especially with most business phones in the market not being able to get infected at all, where is the big threat that an operator should fear? How many mobile phones are out there currently that may be affected, from Symbian and Windows Mobile based phones? Let’s guess 1.5% world-wide? You really put that as a big threat in comparison to 80% of PC devices before XP SP2??
Come on, let’s face it, it’s a media hype; the operator would only offer phones not vulnerable to such threats and push the issue back to the vendor, like it happened to MS: “deliver or you are out of business” … T-Mobile or Nokia directly once put F-Secure on some Nokia phones, can’t remember what series, BUT the download it generated was way too expensive on the GPRS rates back then; good deal for the operator but bad for acceptance, isn’t it? Especially when nothing ever happened.
Regarding the new “threat” discovered by F-Secure, ain’t it time again to push the hype?? Didn’t you follow the comments so far, how many Scandic names and employees from F-Secure commented on sights??
Mark
Here in Finland, I have so far seen at least 3 or 4 infected phones in person and my mobile phone has been targeted by mobile viruses at least 8 times. Most of these attacks happened while I was driving in Helsinki, but some have happened while I’ve been sitting in restaurants/cafés. During some of my very few trips abroad, I’ve been targeted by mobile viruses in Milano, Italy at a street café and in Los Angeles, USA at a shopping mall. So far, I haven’t received any viruses by MMS, but I’m sure that’ll change at some point.
My guess is that in the near future, we will see a lot more viruses spreading by Bluetooth, unless some security measures are taken by phone manufacturers as well as security companies and service providers. Of course, widespread virus outbreaks will happen only in dense high-tech environments (like Helsinki, as you have pointed out earlier) with enough Bluetooth-enabled devices to spread.
Cross-platform BT viruses would probably achieve “critical mass” sooner than viruses that spread under Symbian only. I’m not sure if that is possible or otherwise not practical, but I’m sure those responsible for the viruses will find out that as well.
Even educated and security aware people can get infected quite easily, because receiving BT messages (which have the infected .SIS file included) overrides your keypad lock. If you carry around your mobile phone in your pocket, you might very easily press “Accept” without even knowing it. This is something the manufacturers should change! I don’t – and most of the phone owners don’t – have anti-virus installed on my device, so it’s only a matter of time before this happens to me (yes, I carry my phone in my pocket).
Here’s something for you to consider, Mark and Petteri.
If it has an IP address and has access to the Internet, then it can perform other functions, such as Telnet, ping, FTP, etc. Regardless of what the end user does with the phone, it is the capabilities of the device that pose the threat. Look at how most people use their computers compared to the system’s full capabilities. Smartphone technology is bundled in practically every phone on the market, even Blackberry devices. I’ve seen SSH sessions run through Blackberry, so that device can be hacked as well. If it has an IP address, then it can access other systems on the Internet, which makes mobile phones a nice target for hackers. Also bear in mind that viruses are no longer simply written to get name recognition for the writer. There are criminal elements that are writing viruses for targeted attacks, fraud, and espionage. Most viruses out there are stealing passwords, account information, keylogging, and acting as zombies for botnets. What makes you think that a mobile device with an active IP address can’t be used for the same purpose?
If you believe the mobile providers aren’t watching the mobile virus threat closely, then you’d be sadly mistaken. Here’s another tidbit, seeing how you’ve worked for Germany’s largest mobile provider. How long would it take a mobile provider to implement a solution to stop mobile viruses? The answer is about 12-24 months. Two years of lost revenue handling all of the reimbursements and support calls. FYI, Mobile providers won’t place the blame on the mobile phone manufacturer because the mobile provider creates the phone OS image, not the manufacturer.
OK Mark, got your point; indeed, to implement such a solution might take some time, but again, face reality. I read your post and did some quick research: check T-Mobile’s website. F-Secure and Symantec as well as other vendors like Trend Micro offer a solution for currently 6 out of 43 offered phones, and by the way your mentioned BlackBerry is not even included. So this is like 14% of the currently available devices through their store. It’s only Symbian 6.1, 7, 8, 9.1 and Windows Mobile devices. If I counted correctly F-Secure supports like 50 devices out of how many available ones (remember 6 of 43 at T-Mobile)? For most Bluetooth-vulnerable devices based on Symbian, secured firmware does exist and Nokia fixes that for 20 EUR, or within warranty for free. This is less than any of the solutions cost at the start, or even free. Sure, people might not do that, but when something happens don’t you think they might? Symbian doesn’t allow installation of anything without acceptance of the user, neither does Windows Mobile. And regarding your scenario of stopping mobile viruses, what about proxy-based solutions? The devices are using NAT anyway; what about VLAN technologies: VLAN-to-proxy-internet_aaccept_any_in_out, VLAN-VLAN_deny. So you end up with Bluetooth or wireless LAN connections again, which end up at a local firewall out_accept_any in_accept_any_if_allowed_or_established_or_related. Emails scanned on the SMTP servers. Where is the threat? All this technology is nearly in place but not configured properly, as always, but if I don’t get the point… neither do I believe there is a need for it. And yes, some operators do build images for the phones, but haven’t you heard that most customers use some sort of service that will bring the original firmware to the phone, or buy it off the shelf so it’s the original software and not modified by any operator?
I can’t believe so many believe the hype; for me it is just another one saying “I have a dream” and now a business model.
Sorry, don’t want to take it off topic, but having your phone in your pocket and using a Bluetooth headset protects you from Bluetooth hacks, as the phone will only accept one device being connected… and I haven’t found any deauthentication bugs yet …
Also be aware that these viruses spread through SMS as well so bluetooth is not the only channel for getting a mobile virus.
This isn’t hype. This is real. Better to address the issue in advance before it blows up and runs rampant.
I have been hit a couple of times by Commwarrior.B. The first time was on the bus and it was impossible to know whether it came from inside the bus or from some car around. That happened in Helsinki, Finland.
The second time was on the island of Crete (Greece) in a hotel: the bartender was sending Commwarrior.B around the bar. The guy had named his phone jorgos in Greek letters, so it was quite easy to find. Cleaning his phone wasn’t that easy (no cable, no computer, nothing) but I made it anyway. The last days of my vacation, drinks were free in that bar.
And yes, I use av for mobile phones.
This discussion reinforces my view that the way to go with all embedded devices is a trusted, real-time embedded Linux system that is deny-by-default. They will just not be susceptible to worms and virii that way.
I just wanted to pop in to say that I’ve seen two mobile viruses so far – both of them tried to infect me in pizzerias! So at least in Finland, where smartphones are common and smart people are scarce, the threat is real.
Hi, I’m in Italy and I have received mobile viruses on my mobile phone through Bluetooth several times (I would say 4 distinct times, at least). It happened to a friend of mine too, once, in my presence.
What happens is that while you are in a busy place (a restaurant, or a shopping mall), you receive a message saying that an unknown user is trying to send you a file, whose name looks like random characters (“kgrtfatsd.sis” or something). If you press “no” and hold still for a while without moving around, you often receive another similar message within a couple of minutes. If you hit “yes”, the file is transferred, and then my Nokia phone asks for permission to execute it, at which point I always hit “no”.
I specifically remember that one of the times it happened to me I was in a restaurant, and I eventually had to turn off Bluetooth in my mobile phone because it was getting annoying pretty quickly (my phone was being bombed with new virus messages, coming from the same device, every 2 minutes). On at least one occasion, I have tried to send a text message through Bluetooth to the infected phone warning about the virus infection, but I did not receive any answer.
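The worm behaviour described in the comment above (unsolicited .sis offers with random-looking names, repeated every couple of minutes from the same device) can be turned into a simple defender-side check over a log of inbound Bluetooth file offers. This is an added example, not code from the original post or from any phone vendor; the log format and the sample lines are constructed for illustration, and the "random name" vowel-ratio heuristic is an assumption of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real phone; the line format is assumed):
# <date> <time> <sender BD_ADDR> <sender name> <offered file> <user action>
SAMPLE_LOG = """\
2006-08-21 19:02:11 00:11:22:33:44:55 phone_a kgrtfatsd.sis rejected
2006-08-21 19:04:07 00:11:22:33:44:55 phone_a xqzpvbnmt.sis rejected
2006-08-21 19:06:02 00:11:22:33:44:55 phone_a lmwrtsdkq.sis rejected
2006-08-21 19:07:40 aa:bb:cc:dd:ee:ff anna holiday.jpg accepted
2006-08-21 19:31:15 66:77:88:99:aa:bb phone_b ringtones.sis rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<addr>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(?P<name>\S+) (?P<file>\S+) (?P<action>accepted|rejected)$",
    re.IGNORECASE,
)


def parse_log(text):
    """Turn the log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["addr"] = ev["addr"].lower()
        events.append(ev)
    return events


def is_sis(filename):
    """Symbian installer package: the file type the thread says never to install over BT."""
    return filename.lower().endswith(".sis")


def looks_random(filename):
    """Heuristic (assumed) for names like 'kgrtfatsd.sis': a long stem with almost no vowels."""
    stem = filename.rsplit(".", 1)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def assess(text, window=timedelta(minutes=5), min_offers=2):
    """Return {sender_addr: set(flags)} for every sender that offered a .sis file.

    Flags:
      sis_offer   - at least one .sis file was offered by this sender
      random_name - an offered .sis filename looks machine-generated
      repeated    - >= min_offers .sis offers from the same address within `window`
      accepted    - a .sis offer was accepted (the phone will then prompt to install it)
    """
    flags = defaultdict(set)
    offers = defaultdict(list)  # addr -> timestamps of .sis offers seen so far
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        if not is_sis(ev["file"]):
            continue
        addr = ev["addr"]
        flags[addr].add("sis_offer")
        if looks_random(ev["file"]):
            flags[addr].add("random_name")
        if ev["action"].lower() == "accepted":
            flags[addr].add("accepted")
        offers[addr].append(ev["ts"])
        # Count this sender's offers inside the sliding window ending at this event.
        recent = [t for t in offers[addr] if ev["ts"] - t <= window]
        if len(recent) >= min_offers:
            flags[addr].add("repeated")
    return dict(flags)


if __name__ == "__main__":
    for addr, found in assess(SAMPLE_LOG).items():
        print(addr, sorted(found))
```

On the constructed log, phone_a is flagged for repeated, random-named .sis offers (the pattern in the comment), while the single ringtones.sis offer from phone_b is only noted as a .sis offer.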
Pete, All,
I have no reason to suspect Mikko’s testimony. I personally haven’t received any bluetooth worms in my phone (as I have BT disabled most of the time). Instead, I have had the “pleasure” of cleaning other people’s mobile terminals after they have been hit by a worm in Helsinki, Finland. At least one of the cases involved BT, some were caught via MMS.
The pleasure-part had actually mostly to do with me getting a convenient excuse to pay a visit to F-Secure’s mobile virus lab to verify the infections..
CERT-FI also received reports of infections via BT during the world championship games in Helsinki last summer. Still, I suspect the heavy rain that plagued the games caused damage to more handsets than any malware could’ve at the time.