Mobile phones have for several years been regarded as devices vulnerable to worms, viruses and other kinds of malicious software. Some antivirus applications and other protection software have been made available to protect mobile phone users from "imminent danger".
So far, however, there has been no really dangerous malicious software targeting mobile phones. We have seen some proof-of-concept malware, and some malware that did not succeed in getting very much distribution, e.g. the Cabir worm in 2004. There has also been a lot of media hype focusing on mobile phone malware, which turned out to be no real threat to the average mobile phone user.
The New Year 2009 started with a new, interesting threat to mobile phones, which may change this picture.
At the very beginning of the New Year, Tobias Engel published information about a Denial-of-Service (DoS) attack against Nokia's mobile phones. This attack was intriguingly named the "Curse of Silence". In short, after one (or several, depending on phone version) specially crafted SMS message is sent to a vulnerable mobile phone, that phone is blocked from receiving later SMS and MMS messages until it is factory reset.
This is a type of attack that seems to have no commercial value, and would typically be used by the disgruntled girlfriend, or script-kiddies who want to show that they "can do it".
Does this remind the reader of something?
Those who have been around for more than the last few years may recognize that this seems quite similar to where malicious activity targeting PC users was, say, ten years ago:
The first world-wide infection targeting PC users occurred during Easter 1999 with the Melissa worm. For more information see Norman's article from 28 April 1999, which analyses why this was so special.
The rest is history - mass-spreading malware became the rule rather than the exception, and after around 7-8 years, the major interests behind malware were no longer script-kiddies who wanted to display their skills, but almost exclusively organized crime.
One of the reasons why malicious software targeting mobile phones has not represented a major risk to mobile phone users is that the malicious "killer application" (like Melissa for PC users) is yet to be seen. Malware that propagates through the extremely popular Short Message Service (SMS) system may be such an application, as the vulnerable target group is sufficiently big.
If (when) such an application appears, it seems likely that we will see the same kind of growth into maturity in this market that was observed in the computer market: at some point in time criminal elements will see this as interesting and take over the market, leaving the disgruntled girlfriend there all by herself...
The commercial potential has already been partially explored through the analogous experience with computers. One may therefore assume that the evolution to crime with economic gain as the main motivation will be faster in the mobile phone area than what we experienced in the computer field. All the more so since the pace of technological development is constantly increasing, and mobile phones are becoming increasingly sophisticated.