Proactive Security
 

A plethora of malware for mobile phones to be expected soon (?)

Introduction

In recent years, several analysts have predicted dangerous malicious software for mobile phones and other handheld devices. Norman, however, has traditionally been among those more reluctant to predict that an explosion of malicious software for mobile devices is imminent. In retrospect it seems safe to say that our view has proven correct (so far).

Our security article from May this year - Systèmes : priorité à l’exploitation ? - advocated a different point of view than our traditional one, however. We wrote:

Handheld devices have reached a level of propagation, which makes them an interesting new target for cyber criminals.

Two different events recently may indicate that the age of malware for handheld devices is approaching quickly.

Jailbreaking iPhone by visiting a web site

Jailbreaking is the term used for

"(...) a process that allows iPad, iPhone and iPod Touch users to run third-party unsigned code on their devices by unlocking the operating system and allowing the user root access."
(definition from Wikipedia)

Earlier this month a web site with the intriguing name www.jailbreakme.com appeared. The site offered to jailbreak an iPhone (and other devices from Apple) simply by visiting it from the device.

Those responsible for the jailbreakme.com domain manage to jailbreak the Apple devices by exploiting vulnerabilities in iOS, the operating system running on these devices.

What is interesting in our context, however, is that the technique can also be used for malicious purposes. Visiting the JailbreakMe web site may be seen as useful by many of its visitors, but visiting another web site might automatically install a malicious program that can do anything on the iPhone. To mention some examples, such malware might

  • steal all your contact information from your device
  • copy any document that you have on your device and send it to the malware author
  • send lots of SMS messages to telephone numbers that the malware author controls and makes money from.

As far as we know, no such malware has been reported at the moment of this writing. It seems very optimistic - even naïve - to count on this to continue.

Apple released a new version of iOS (version 4.02) on 11 August. This release fixes the security issue. How to update the Apple device is described in this support article from Apple.

Very soon after Apple released the iOS update, the author of the jailbreakme exploit made the exploit program code public on the Internet. This of course makes it much easier for anyone with malicious intent to create malware using this technique.

One may expect that even now when a security update is available, there will be a long period with lots of vulnerable Apple devices. It is a known fact in the computer industry that many users do not update quickly after a patch is available. Some may also consider the advantage of having a jailbroken device as bigger than the disadvantage of using a device which is vulnerable to this issue.

A peculiar side-effect

The issue that enables the abovementioned functionality relies on a vulnerability in how iOS handles PDF files. As we know from several security advisories in recent years, Adobe Reader and Acrobat have had several vulnerabilities related to the PDF format. However, according to Adobe, neither Adobe Reader nor Acrobat is affected by this vulnerability. The alternative PDF reader for Windows, Foxit, was vulnerable and an updated version has been made available.

SMS trojan for Android-based smartphones

According to Kaspersky Lab, an SMS trojan for smartphones running the Android operating system has been identified. This trojan sends SMS messages to premium rate numbers without the phone owner's consent, numbers which presumably belong to the trojan author(s).

The trojan disguises itself as a media application, which users are tricked into installing.

Expectations for the near future

The two cases mentioned above seem to indicate that the evolution of malware for mobile, handheld devices might be reaching its next level.

At this point in time it no longer seems unlikely that malware for such devices will soon be a real threat for millions of users.

 
