The Most Important Aspects of Arising Mobile Virus Building.
Lately we have been witnessing the evolution of malicious software for mobile devices. That in itself is not surprising: the more complex a device becomes, the harder it is to secure it and to provide defensive functions. What is surprising is that no set of reliable countermeasures has yet been found, that the antivirus industry, with its multimillion turnover, turns out to be unprepared for each new attack and acts only after the fact, and that device manufacturers are reluctant to correct their omissions. Viruses for mobile phones keep multiplying, and at present this war cannot be won; it is, in fact, almost lost.
The gravity of the threat posed by the evolution of mobile viruses should not be underestimated. Most experts believe that the history of PC viruses and the current level of technology show that the situation can become much worse. Mobile devices have become an essential part of everyday life: smartphones, PDAs, microcomputers built into household appliances, implants built into the body. They are everywhere; they control the climate in the house, they regulate the heartbeat, they manage smartphones; the surrounding space is full of radio waves carrying information. The appearance of a full-fledged virus in such an environment can have undesirable and regrettable consequences. A virus could subordinate devices and force them to work for its author, connect them into a network and obtain full power over a person and the world he has grown used to. Today this is a well-founded theoretical possibility, although its practical realization faces obvious difficulties.
Among mobile devices the situation with smartphones is the worst. The most widespread platform today, and the one with the saddest reputation, is Nokia's Series 60, an add-on for Symbian OS that implements mainly the interface functions specific to a particular class of devices. It is this platform that became the first real victim of virus and malware writers. Over the last year the number of malicious programs for it has grown well beyond 50, while for the alternative platform, Windows Mobile, the count is 2 for its entire existence. That fact alone is warning enough. The example of Symbian OS illustrates the main trends in the evolution of this problem and the initial omissions that led to the present situation.
Symbian OS was designed specifically for mobile devices and contains an effective implementation of the full set of necessary functions. Development began in 1998 at Symbian Ltd, founded by the largest producers of mobile devices: Ericsson, Nokia, Motorola and Psion. Symbian OS has an almost perfect concept and an elegant internal architecture, quite unlike what Microsoft offers today in its operating system for mobile devices.
Unfortunately the implementation of Symbian OS leaves much to be desired: the kernel code has hard-to-detect bugs and contains 'strange things' that can be reproduced only under certain circumstances; the API, written as C++ classes, is partly obscure; and the programming style that Symbian cultivates so seriously resembles a hybrid of prehistoric scripting languages and the worst features of C++.
It is telling that the Series 60 developer forum on Nokia's site is full of questions like "How do I make the dialog work?" or "Why doesn't the menu work?". The problem here lies not in the Series 60 add-on but in Symbian OS itself. These are elementary things that should work in any OS, always and everywhere, and should not even in theory cause any difficulty. Why, then, do so many people look for a solution to a problem that should never have arisen? The answer is simple: none of this works the way the specification describes; it works only partly.
All these circumstances make writing quality programs for Symbian OS a hard job suited only to highly skilled programmers. At the same time the process is an exciting adventure with an unpredictable ending. Debugging a program under Symbian OS is comparable in effort to writing it. One can search endlessly for the bug that made the OS suddenly close a program after it had been running for several hours, showing in a small window the highly "informative" alert "Application closed".
The circumstances described above make program development for Symbian OS much harder, which is naturally reflected in the price for the end user. A minimum set of programs that an advanced user needs in addition to a standard smartphone's software costs $200-300, practically the price of the smartphone itself. This provides fertile ground for illegal software, which has long been spread across the network through numerous sites, mostly of a hacker orientation. Among cracked copies there are often distributions that contain viruses and/or Trojan programs. Like legitimate distributions, they pass themselves off as new versions of well-known or anticipated products, while in reality they are Trojans that disrupt the normal functioning of the smartphone.
As a means of fighting harmful programs and piracy, Symbian offers its own Symbian Signed program, intended to provide legal products with Symbian's digital signature. At first glance it seems a panacea for all troubles, since it is promised that new OS versions will not allow unsigned software to be installed, or will install it with limited functionality, such as denied access to SMS, GPRS etc. (version 9.0). A deeper look shows that in practice the opposite holds: the Symbian Signed program conceals an entirely different essence, one that makes the life of the smartphone owner much harder and his costs significantly higher.
To obtain Symbian's digital signature a developer must buy, for a considerable sum (about 300 euro per year), a certificate that identifies him as a person, and send his signed application to a testing firm with which a special agreement has been concluded. This testing means checking certain conditions which, it must be noted, are not always well motivated and which may or may not pass under Symbian OS with variable success, since the OS itself is far from perfect. One test costs on average 200 to 500 euro, and if the result is negative the test can be repeated many times. If you are lucky and the test succeeds, Symbian puts its signature on the application, and that concludes the version release. The testing process includes several intermediate steps that are not described in this article. When a version has been released and a new change must be made to the application, the whole testing process has to be repeated from the very beginning.
Obviously the program described above has an evident consequence: only big companies, which can afford to scatter thousands of euros for the dubious pleasure of having Symbian's signature on every version of every product, will be able to stay on the software market. Independent developers and small companies will have to leave it. Prices for signed programs will certainly rise further, although they are already too high for users. And hackers will, as always, find a way to switch off the unwanted OS functions or to forge the certificate (some research shows that this is already possible today) and continue, as before, to distribute cracked copies of software over the network.
We live in a real world governed by certain laws rooted in human nature, which cannot be cancelled by the presence or absence of someone's digital signature. If Symbian OS cannot be a sufficiently safe environment for the functioning and coexistence of different products and needs programs like Symbian Signed, it would be logical to expect the Symbian corporation to bear all the costs of running that program. But this does not happen: developers and, ultimately, ordinary users carry the burden.
The Symbian Signed program is incapable of influencing anything in the realm of smartphone security; in reality it is a convenient means of quickly earning money from software developers, and of clearing the market within a short time of small producers, especially those who develop freeware, and handing it over to big companies. Users gain nothing from it because of the high prices and the evident reduction in choice; neither do developers, who make their living from it. So as soon as a way is found to switch off the intrusive OS functions, the majority of smartphone owners, already tired of unjustifiably high prices and prepared to risk the security of their smartphones rather than their purses and convenience, will do so immediately. And such a way will certainly be built into devices, because programmers have to debug their programs on smartphones somehow.
Returning to the Trojan programs and viruses that Symbian Signed is supposed to protect against, we should note an unhealthy excitement in this area. Among the malicious software for Series 60 smartphones existing at the time of writing, Trojan programs dominate, not viruses. For now these are mostly sets of corrupted files packed into distributions which, once installed on the smartphone, "shadow" essential OS files and leave the smartphone in a broken state. Such distributions often include some well-known virus for extra fright. Installing such a distribution need not lead directly to any visible change, but it can make normal functioning impossible or block the OS from starting the next time the smartphone is switched on. Obviously all these odd jobs are the work of amateurs, people far removed from programming and from moral principles. These are mostly not programs at all but sets of deliberately corrupted program files that contain no specially written code capable of performing any action.
The first known Trojan for Series 60 was Mosquitos. It was a cracked and modified version of a game that worked correctly but at the same time sent SMS messages invisibly to the user. The classic representative of Trojan programs for Symbian OS is Skulls. One day a strange distribution appeared on one of the hacker sites which performed an unusual action during installation: the main menu icons turned into skulls captioned "Skulls", and most programs stopped working, including App. Manager, which allows the malware to be uninstalled. Skulls' working principle is simple: the distribution contains files laid out in the same installation directories as most standard programs, but on drive C:. The programs themselves reside on drive Z:, which is read-only, but placing files on a drive that comes earlier in the alphabet hides the real files from the system when they are launched. The curious effect, the skull icons, arises because not only the executable files are hidden but also the ".aif" files, which contain the graphic images for the main menu.
Skulls also contains files that replace or hide many well-known add-on programs, such as file managers. This prevents the smartphone from being repaired by manually deleting the copied files with a file manager. The method does not work if the smartphone has a file manager that Skulls does not know about and therefore does not corrupt during installation; that is why subsequent variants extended the list of programs. Today many variants of Skulls are known, all built on the same idea and spiced with skull images.
There are Trojan programs such as Fontal which damage the smartphone so seriously that the OS cannot restart. This is caused by corrupted copies of fonts that hide the real fonts installed in the system. The fonts are initialized during boot, and their corrupted copies prevent the smartphone from functioning. This font-related bug is not the only one of its kind in Symbian OS. Another Trojan, Doomboot, achieves the same result in a different way: it installs corrupted .dll files into the root of drive C:, after which the smartphone can be rescued only by formatting or, on some models, only by reflashing at a service center.
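The Skulls, Fontal and Doomboot cases above all rely on the same weakness: a file on a writable drive that comes earlier in the search order hides the real file on the read-only Z: drive. The following is an added example, not code from the article or from any antivirus product, of a scanner that looks for exactly that condition. The drive contents are constructed in-memory dictionaries (a real tool would walk the device's file system); the sensitive directory and suffix lists, the search order tuple and the "misplaced loadable" heuristic are assumptions made for the illustration.

```python
"""Detect writable-drive files that shadow ROM (Z:) files on a Symbian-style
drive layout.  Added illustration; drives are constructed dicts, not a real
device.  Paths are compared case-insensitively with forward slashes."""
from dataclasses import dataclass

# Drive search order as the article describes it: an earlier letter wins,
# so a file on C: takes precedence over the same path on the ROM drive Z:.
DRIVE_SEARCH_ORDER = ("C", "D", "E", "Z")
ROM_DRIVE = "Z"

# Directories and file types the OS itself loads at boot or from the menu
# (assumed list, based on the article's examples: apps, icons, fonts, libs).
SENSITIVE_PREFIXES = ("system/apps/", "system/fonts/", "system/libs/")
SENSITIVE_SUFFIXES = (".app", ".aif", ".dll", ".gdr", ".ttf", ".exe")
LOADABLE_SUFFIXES = (".app", ".dll", ".exe")


@dataclass
class Finding:
    path: str    # normalised relative path
    drive: str   # drive letter holding the shadowing copy
    reason: str


def _norm(path):
    return path.replace("\\", "/").lower().lstrip("/")


def is_sensitive(path):
    p = _norm(path)
    return p.startswith(SENSITIVE_PREFIXES) or p.endswith(SENSITIVE_SUFFIXES)


def find_shadowed(drives):
    """drives: {letter: {relative_path: bytes}}.  Return a Finding for every
    file on a writable drive that takes precedence over a ROM file at the
    same relative path.  Empty or altered copies are the Skulls/Fontal pattern."""
    rom = {_norm(p): data for p, data in drives.get(ROM_DRIVE, {}).items()}
    findings = []
    for letter in DRIVE_SEARCH_ORDER:
        if letter == ROM_DRIVE:
            continue
        for path, data in drives.get(letter, {}).items():
            npath = _norm(path)
            if npath not in rom:
                continue  # genuinely new file (a user-installed app), not a shadow
            if len(data) == 0:
                reason = "empty file shadows ROM copy"
            elif data != rom[npath]:
                reason = "modified copy shadows ROM copy"
            else:
                reason = "identical duplicate of ROM copy"
            findings.append(Finding(npath, letter, reason))
    return findings


def find_misplaced_loadables(drives):
    """Heuristic (assumed, not from the article's text): executables or
    libraries dropped outside system/ on a writable drive, as Doomboot does
    with corrupted .dll files in the root of C:."""
    hits = []
    for letter, files in drives.items():
        if letter == ROM_DRIVE:
            continue
        for path in files:
            npath = _norm(path)
            if npath.endswith(LOADABLE_SUFFIXES) and not npath.startswith("system/"):
                hits.append((letter, npath))
    return sorted(hits)


# Constructed sample: a healthy ROM plus a C: drive carrying Skulls-, Fontal-
# and Doomboot-style artefacts next to one legitimately installed program.
SAMPLE_DRIVES = {
    "Z": {"System/Apps/Menu/Menu.app": b"ROM-menu-binary",
          "System/Apps/Menu/Menu.aif": b"ROM-menu-icon",
          "System/Fonts/Nokia.gdr": b"ROM-font"},
    "C": {"System/Apps/Menu/Menu.app": b"",                  # empty shadow of Menu.app
          "System/Apps/Menu/Menu.aif": b"skull-icon",        # replaced icon
          "System/Fonts/Nokia.gdr": b"",                     # font shadow, breaks boot
          "System/Apps/Notepad/Notepad.app": b"user-app",    # legitimate install
          "CoreLib.dll": b"junk"},                            # library in drive root
}

if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_DRIVES):
        print(f"{f.drive}:/{f.path}: {f.reason}")
    for drive, path in find_misplaced_loadables(SAMPLE_DRIVES):
        print(f"{drive}:/{path}: loadable file outside system/")
```

The scan reports a shadow even when the writable copy is byte-identical to the ROM file, since a duplicate in front of a ROM file has no legitimate reason to exist and is the cheapest way for a later update of the Trojan to swap in a broken version.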
Trojan programs for smartphones have no significant functions related to communications, although they often contain some well-known virus which begins to multiply once started. Only Onehop is known to send another Trojan, similar to Skulls, via Bluetooth, and that Trojan has no multiplication function of its own. A program that sends a fully functional copy of itself is not a Trojan but a virus, or, strictly speaking, a worm. The use of communication technologies will probably become a trend in the evolution of Trojan programs in the near future.
The other and most important group of malicious software is viruses, most of which in this case are called worms, correctly so, since their multiplication principle is penetration into other phones by means of modern communication technologies. Making a virus for Symbian OS is not a trivial task; it demands serious knowledge and skills, determination and a lot of time, far more than developing application programs. As is well known, the best programmers do not occupy prestigious posts in leading companies but work in the underground; these are mainly hackers whose goal is not material gain but the pleasure of the research and development process.
Today there are two main fully functional viruses for Series 60, Cabir and CommWarrior, leaving aside obvious plagiarism and many small modifications.
Cabir was created on June 12, 2004 (here and below, the compilation date) by a hacker from the group 29a with the nick vallez as a proof-of-concept virus for smartphones, demonstrating that a virus for Series 60 is possible. Its source code became available on the network almost immediately, which gave rise to a great number of new versions with small modifications. The virus uses a fundamentally new multiplication technology: Bluetooth. For this purpose a fairly simple algorithm was implemented whose goal is to find the addresses of nearby devices and make repeated attempts to send its copy to them. The virus contains no destructive functions and has limited multiplication capability. Currently there are several variants of this virus, made by skilled craftsmen on the basis of the sources; some were completely rewritten but remain generally identical to the original.
Installing a copy of Cabir on a smartphone takes several steps and produces multiple OS warnings about unsafe content. During multiplication the virus uses no survival techniques; the only thing it does against the usual API limitations is to send its distribution via Bluetooth. This was forbidden in the basic API starting from OS version 7.0, which is why the virus works with Bluetooth at a rather low level.
CommWarrior was created on January 16, 2005 by a Russian hacker with the nick e10d0r and is today the most dangerous virus for smartphones. It uses fairly complex algorithms; it is not a proof of concept but a professional virus created to cause an epidemic. The virus contains no destructive functions; for multiplication it uses Bluetooth in a mode close to multithreaded and can infect practically all devices around it at the same time. Moreover, it uses a fundamentally new multiplication method: sending multimedia messages (MMS) with its copies to every entry in the address book. The latter circumstance led experts to admit that CommWarrior marks a new epoch in mobile virus development. At present there are two variants of the virus with minor differences in their working algorithms.
Installing a copy of CommWarrior is similar to installing Cabir, except that the names of the sent files are not fixed but generated randomly. The virus can also be delivered to the phone as a message. Unlike Cabir, however, this virus tries to infect all devices around it and can send itself to them correctly, so the alert that a file has been received appears practically simultaneously on all available devices, including notebooks, PDAs and other equipment. Thus the CommWarrior distribution can be received on any device via Bluetooth, but it will run only under Symbian OS with the Series 60 add-on.
Multiplication of CommWarrior via MMS and installation of the received distribution look much like the Bluetooth process. The MMS message carries as an attachment a distribution named commw.sis with an attractive description composed using social engineering methods. The goal of the text is to make the user open the attachment and install the virus. One of the two known versions of CommWarrior hides its presence in the system thoroughly and sends MMS messages to the address book only at night, when there is almost no chance the user will notice.
The multiplication technologies of both viruses are quite original for the field. Cabir was the first to use Bluetooth to send a virus distribution to another phone nearby. The maximum range between phones is 10-15 m, which is enough to pick up the virus while standing, say, a couple of minutes in a traffic jam. CommWarrior, besides Bluetooth, uses the technique of sending its distribution in an MMS message. This is far more dangerous, since MMS messages have no such restriction: a message can be sent to any recipient in any country.
In both cases, for the virus to infect the phone, the user must receive the message with the virus copy, start the installation and confirm that he wants to install an unknown application. Research shows a paradox of human psychology: MMS messages received from a familiar sender with a familiar phone number are treated with a high degree of trust, and attachments in such messages are often installed.
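Both propagation methods just described leave a recognizable trace on the infected phone: a burst of outbound transfers of one .sis file to many different recipients, over Bluetooth in Cabir's case and, for CommWarrior, as MMS to the whole address book, sometimes only at night. The following added example (not code from the article or from any antivirus product) shows a detector that works from that observation. The log lines are constructed for the illustration and their field layout (timestamp, channel, recipient, attachment) is an assumption, not a real Series 60 log format; the window and threshold values are likewise assumed. The file name commw.sis is the one the article gives for CommWarrior; demo.sis is a placeholder.

```python
"""Flag worm-like outbound bursts: one .sis attachment pushed to many distinct
recipients in a short window over one channel (BT or MMS).  Added example with
a constructed log; the line format is an assumption for this illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed outbound-transfer log: date time channel recipient attachment.
LOG = """\
2005-03-07 02:11:04 MMS +15550001 commw.sis
2005-03-07 02:11:09 MMS +15550002 commw.sis
2005-03-07 02:11:15 MMS +15550003 commw.sis
2005-03-07 02:11:19 MMS +15550004 commw.sis
2005-03-07 02:11:24 MMS +15550005 commw.sis
2005-03-07 02:11:30 MMS +15550006 commw.sis
2005-03-07 02:11:35 MMS +15550007 commw.sis
2005-03-07 02:11:40 MMS +15550008 commw.sis
2005-03-07 13:02:10 MMS +15550003 holiday.jpg
2005-03-07 13:05:00 BT 00:11:22:33:44:55 demo.sis
2005-03-07 13:05:03 BT 00:11:22:33:44:66 demo.sis
2005-03-07 13:05:07 BT 00:11:22:33:44:77 demo.sis
2005-03-07 13:05:09 BT 00:11:22:33:44:88 demo.sis
2005-03-07 18:30:00 BT 00:11:22:33:44:99 game.sis
"""

# Hours treated as "night" for the CommWarrior-style stealth variant (assumed).
NIGHT_HOURS = range(0, 6)


def parse_log(text):
    """Parse the constructed log into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, channel, recipient, attachment = line.split()
        events.append({"time": datetime.fromisoformat(f"{date} {clock}"),
                       "channel": channel, "to": recipient, "file": attachment})
    return events


def detect_bursts(events, window_s=300, min_recipients=4):
    """Return one alert per (channel, .sis file) whose best sliding window of
    window_s seconds reaches min_recipients distinct recipients.  A single
    installer sent to one friend never trips the threshold."""
    groups = defaultdict(list)
    for ev in events:
        if ev["file"].lower().endswith(".sis"):
            groups[(ev["channel"], ev["file"].lower())].append(ev)

    alerts = []
    for (channel, name), evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        best, best_start = 0, None
        for i, start in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if (ev["time"] - start["time"]).total_seconds() > window_s:
                    break
                seen.add(ev["to"])
            if len(seen) > best:
                best, best_start = len(seen), start["time"]
        if best >= min_recipients:
            alerts.append({"channel": channel, "file": name, "recipients": best,
                           "start": best_start,
                           "night": best_start.hour in NIGHT_HOURS})
    alerts.sort(key=lambda a: a["start"])
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(parse_log(LOG)):
        flag = " (night-time)" if a["night"] else ""
        print(f"{a['start']} {a['channel']}: {a['file']} to "
              f"{a['recipients']} recipients{flag}")
```

The detector keys on behaviour rather than on a signature of any particular virus, which is the point the article returns to later: a renamed or recompiled variant still has to push one installer to many recipients to spread, so the same rule catches it.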
Neither virus has any specific payload; their goal is to multiply. Adding more targeted functions, however, is not a big deal. It is not difficult, for instance, to read the data file of the Series 60 wallet, where all credit card numbers, logins and passwords are stored, and send it as an MMS message to some number or e-mail address, or upload it to a server on the network. Such easy cracking of the wallet data file's password protection, by simple matching, is possible because of its rather weak security. This means that almost any confidential information saved on the smartphone can be taken and sent to an intruder.
Existing viruses can be found only by indirect evidence: they run in the background and do not interfere with the smartphone's operation. CommWarrior is not even visible in the list of running applications and appears in the process list as part of the OS. Trojan programs, on the contrary, reveal themselves much faster, as an evident malfunction of the smartphone. Even when the presence of malware is discovered, in most cases the smartphone's memory has to be formatted, since no other solution is apparent unless you research the code yourself. Moreover, the smartphone probably no longer works and/or does not start. The user can format the phone's memory himself using a special key combination, which not all models have, or at a service center. In both cases all contacts, calendar data and, in most cases, all messages and installed programs are lost. On some models even formatting may not help.
Waiting for an antivirus is clearly out of the question, given the considerable time antivirus companies need to react and the unreliability of their smartphone products. Moreover, it may no longer be possible to install an antivirus at all, because the smartphone does not work or its most important functions, such as installing and uninstalling programs, are blocked.
There is a real possibility of creating a virus that is almost incurable. This applies to OS versions starting from 6.1, which is installed on comparatively old models of smartphones, i.e. Nokia 3650 and Nokia 7650. An incurable virus must be able to restore itself, and such a possibility exists. Because of omissions of an ideological nature in the OS, there is a way for a virus to survive formatting of the phone's memory, the measure service centers commonly apply against all malicious software.
In a sense this possibility means the ruin of the existing antivirus industry for smartphones. The possibility of creating a program that cannot be unloaded from memory or deleted was tested on a Nokia 3650, on which the program successfully survived a full format of the smartphone's memory and remained fully functional. The ability to survive formatting may not persist in later OS versions, but that matters little; one thing is already enough: such a program cannot be deleted by any known means.
Similar tests were carried out on the majority of well-known antiviruses, four titles in total. The results cannot be called encouraging. All the tested antiviruses can be forcibly unloaded from memory; their executable files can be deleted or modified. And none of them survives formatting of the phone's memory.
Strange as it may seem, Symbian Signed itself prevents a program from preserving itself, through a number of requirements that explicitly reject such behaviour. At the same time some antivirus companies are proud that their product meets all Symbian Signed requirements and carries the corresponding signature. In practice such declarations amount to admitting that the product is incapable of securing the smartphone and protecting it from viruses. When real security and protection of the smartphone from a quite concrete threat are at stake, talk of compliance with some program or the presence of digital signatures becomes inappropriate. Besides, antivirus producers should not follow the dogmas too strictly and use only documented features of the system; such scrupulousness is out of place here. If a new method that a virus could use is discovered in the field, it should not be rejected for the antivirus if it can provide reliable protection. Only such an approach ensures comparatively equal footing in the confrontation.
The main mistake of big companies, which also specialize in antiviruses and other protection systems for PCs, when developing antiviruses for mobile devices is probably the principle of similarity. The mobile antivirus is made as a scaled-down copy of the PC product using the same principles and algorithms. But mobile viruses have serious differences and their own specifics, which are not taken into account, nor is the core difference between the platforms. This mistake may lead to real smartphone epidemics in the near future. Every time, the antivirus industry proves unable to withstand a new threat, acts only after the event has taken place, and releases an antidote only once it has obtained a copy of the virus or Trojan program.
Progress does not stand still; not only hardware develops but also the methodology of building information systems. One cannot acknowledge the one and not the other; such an ideology is a losing one from the start and will lead to antivirus products of quite low quality that in fact cannot provide reliable protection. Today many algorithms have been developed and tested that allow elements of AI to be built into the behaviour strategy of application programs. In the field of mobile antivirus development, however, this experience has gone unused. The methodology of building protection today is close to the level achieved ten years ago in the first antiviruses for the MS-DOS operating system!
Since the evolution of mobile viruses is so rapid, in order to win this war, or at least not to lose it, an antivirus should already be able to:
1. Survive under any conditions and contain a reliable implementation of functions for automatically restoring itself and the affected system. Be able to track modification of its own code and of the code of functionally important elements of the system. There are already Trojan programs that destroy antiviruses installed in the system.
2. Analyze any changes taking place in the system in real time and have a reliable set of criteria for recognizing dangerous situations. Stop being a primitive utility and use modern heuristic algorithms for system analysis: neural networks, self-organization algorithms etc. Be able to detect not only well-known viruses but also unknown programs that are most likely viruses. Contain elements of artificial intelligence.
3. Borrow some attributes of the virus: its viability and its capability of reproduction in forms that preserve functionality. That is, antiviruses should contain self-replicating modules that act not only after the phone has been infected with a certain virus but before that, pre-emptively. The antivirus should spread between phones and destroy the viruses it finds.
4. Avoid asking the user whether a virus should be cured. If a virus is detected it should be deleted immediately; if it is not a virus there is nothing to ask about. Antiviruses should raise the validity of their judgements: the overwhelming majority of users cannot distinguish a virus from a non-virus, and their incompetent judgement should not be regarded as paramount in providing security.
5. Automatically receive the latest information about virus activity over the Internet when connected. Update virus databases and synchronize self-training databases without any requests to the user. The user cannot know what, when exactly and to what extent should be updated; the user's judgement is in most cases inconsistent and subjective.
6. Reduce the interface part as much as possible, since this part is the most vulnerable in any operating system. In the case of Symbian OS it is almost impossible to protect it reliably.
7. Become conditionally free, since registration information is a serious vulnerability of any antivirus: if it is corrupted, the antivirus becomes an illegal copy and partly or completely loses its original functionality.
8. Prevent the presence of other antiviruses of the same class in the system, since in general they should be regarded as a threat to its security. Antiviruses are low-level system programs with properties close to the OS kernel, and they may use rather complex methods to protect themselves and vulnerable elements of the system. These methods are rather dangerous, and if two antiviruses enter a state of mutual counteraction the device will probably stop working.
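Points 1 and 2 of the list above ask the antivirus to track modification of its own code and of important system files and to react to changes without asking the user. The minimal building block for that is a keyed integrity manifest: a baseline of file hashes whose own authenticity is protected by an HMAC, so that a Trojan which overwrites a file (the article names Drever, which copies its files over an antivirus's) cannot simply rewrite the baseline to match. The example below is added here and is not code from the article or from any antivirus product; it runs against a temporary directory with constructed files, uses a constructed key, and the file names are placeholders chosen to echo the article's examples. A real-time monitor would call the same verification on each file-change event rather than on demand.

```python
"""Keyed file-integrity manifest: baseline a directory tree, then report
modified, deleted and added files, and detect tampering with the manifest
itself.  Added example on a constructed temporary tree."""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative path with forward slashes, absolute path) for every file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(root, key):
    """Hash every file under root and seal the table with an HMAC under key.
    The key must live somewhere the protected files' attacker cannot reach."""
    files = {rel: _sha256(full) for rel, full in _walk(root)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_manifest(root, key, manifest):
    """Compare the tree with the manifest.  manifest_tampered is True when the
    HMAC no longer matches the table, i.e. someone edited the baseline."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    tampered = not hmac.compare_digest(expected, manifest["mac"])
    current = {rel: _sha256(full) for rel, full in _walk(root)}
    baseline = manifest["files"]
    return {
        "manifest_tampered": tampered,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Baseline a constructed tree, simulate three attacks and a manifest
    edit, and return (honest verification, verification after the edit)."""
    key = b"constructed-demo-key"  # placeholder; not a real product key
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        put("system/apps/av/av.app", b"antivirus code")     # placeholder names
        put("system/apps/menu/menu.aif", b"menu icon")
        put("system/fonts/nokia.gdr", b"font")
        manifest = build_manifest(root, key)

        put("system/apps/av/av.app", b"garbage")             # Drever-style overwrite
        os.remove(os.path.join(root, "system/fonts/nokia.gdr"))  # file removed
        put("system/libs/dropped.dll", b"junk")              # new library appears
        honest = verify_manifest(root, key, manifest)

        # An attacker who can edit the manifest makes the overwrite "match";
        # without the HMAC this would silently pass verification.
        manifest["files"]["system/apps/av/av.app"] = hashlib.sha256(b"garbage").hexdigest()
        after_edit = verify_manifest(root, key, manifest)
        return honest, after_edit


if __name__ == "__main__":
    honest, after_edit = demo()
    print("honest check:", honest)
    print("after manifest edit, tampered =", after_edit["manifest_tampered"])
```

The honest check lists the overwritten executable, the removed font and the dropped library; after the manifest edit the modified list is empty, but the HMAC mismatch exposes the edit, which is why the key has to be kept where the protected files are not.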
It is quite clear that, among other things, an antivirus needs much more independence than existing examples have now. This is, of course, a matter of trust. But shouldn't one trust the company whose antivirus one installs on one's smartphone? The user trusts it and hopes for reliable protection, and so should go a little further: trust the protection process and not interrupt the antivirus with inappropriate and sometimes incompetent actions. While the user trusts the producer and the product, the product itself cannot trust the user, about whom it has no information. It should make independent decisions, without doubtful instructions from outside.
An antivirus developed unconventionally, taking into account the specifics of mobile devices, prepared in advance for the appearance of new viruses, not relying on the user's prompts, and removing a threat not only once it has appeared on this particular phone but on all phones it can reach: such an antivirus is potentially viable and challenging. Building antiviruses for mobile devices by traditional methods is a losing proposition a priori. Over the last year it was observed several times that the majority of existing mobile antiviruses proved unable not only to neutralize a new modification of malware differing only slightly from the previous version, but even to protect themselves. One version of a Trojan called Drever, for instance, can disable many antiviruses simply by copying its own files over theirs. Such a state of affairs cannot be considered normal.
The question naturally arises: how will a new antivirus built on the described principle differ from a virus? The answer is simple: from a technical point of view, practically not at all. From an ideological point of view, the main actions of such an antivirus are aimed at fighting malicious software and at ensuring the protection of the user and his information. That difference exists, and it is sufficient. It is similar to the situation with operating systems: many of them could easily be classified as viruses by definition, but in reality most likely are not. And conversely, many operating systems are viruses, only of a different ideological orientation.
From the point of view of putting these conclusions into practice, there are clearly complications of not only a technical but also a legal nature. At the same time there is already a real opportunity to provide reliable protection for smartphones, specifically the Series 60 platform, from existing malware and from much that has not yet been developed.
In this article the authors have stated their views on the evolution of mobile virus development, based on personal theoretical and practical experience in the antivirus and adjacent fields, and hope that their conclusions will at least be heard. They are not a panacea for all disasters, but they can substantially improve the situation and shift the balance of forces in the struggle against mobile viruses.
Dmitry Gutz, Ekaterina Sheldyaeva
E-mail: mavgroup[at]gmail.com

> The Most Important Aspects of Arising Mobile Virus Building.
For a long time I haven't seen an article with such a serious and easy-to-understand style and with such strong analysis of the problems.
> The Most Important Aspects of Arising Mobile Virus Building.
The English in this "article" is absolutely terrible.
It looks like it was translated from google or some other automated system.
Viruses on Symbian mobile phones require the user to say "Yes" at least three or four times -- anyone stupid enough to do this deserves to get a virus.
> The Most Important Aspects of Arising Mobile Virus Building.
IMHO, the situation should be better in Symbian OS 9 because we have Platform Security, based on a Trusted Computing Base. They have introduced "capabilities" to make sure that only trusted applications can run on the user's phone. Even if the user installs an unsigned application, some "dangerous" APIs will still require the user's grant. For example, an unsigned application won't be able to send "unknown" SMS unless the user grants it. It is a single-shot grant and is not performed during installation. Each time the application is going to send SMS, the OS will ask the user's permission (exception: if the application is signed with a trusted certificate, then the single-shot grant is not needed). Furthermore, some "high level" capabilities require certification (mandatory), otherwise the application cannot be installed. But, as you said, it depends on the PKI, though there is a feature to revoke a certificate once something goes wrong.
Anyway, I agree that Symbian OS programming is very difficult (the learning curve is too steep). The Symbian Signed program will also kill small companies (although they have special programs for freeware developers).
Antony