The Virus Story: a reader writes...
Published by Steve Litchfield at 11:29 UTC, February 5th 2008
So AAS forum member 'kflyer' emailed me a few days ago, "wondering whether viruses can really affect a current smartphone. I've read your view on this question, but AAS itself has adverts for AntiVirus clients!" As it's a long, long time since my last rail against the fraudulent anti-virus industry, I thought it high time for an update. Read on.
This was all started by some of the 'concept' viruses written for S60 2nd Edition phones such as the Nokia 6630 and N70. These had to be manually accepted, with several confirmations, on each and every phone that could be infected, but in some warez and youth circles a few very minor outbreaks were recorded. I wrote a well linked-to piece (now revised and stripped down to reflect current thinking, by the way) on the subject at the time, but the summary was that with so many user steps to infection and with no 'silent' infection, a la Windows, there was simply no way a mass infection could ever happen.
And I was right. Storm in a teacup, etc. But it made the anti-virus software companies a few dollars, selling prevention software to users who were worried. The ironic thing is that the very users who were worried were the very users who'd be a lot more paranoid about accepting unsolicited beamed-in applications and would therefore be the least likely to 'catch' anything....
Fast forward to 2008. Symbian OS 9, implemented behind S60 3rd Edition and UIQ 3, has now been in place in real world handsets in their many tens of millions, for at least 2 years. And there's not one, repeat not even one virus for either platform. Symbian OS 9 brought in Platform Security, meaning that any functions that could be used to spread malware or damage the device were restricted to Symbian Signed (i.e. checked) applications. A system that's caused headaches for some developers trying to use low level functions for legitimate purposes but one that's also kept malware utterly at bay.
And yet, as kflyer noticed, there are high profile adverts across the mobile world for F-Secure's 'Mobile Anti-Virus' and 'Mobile Security' products. And F-Secure Mobile Anti-Virus also appears in Nokia's own Download! application on all devices, implying a healthy degree of endorsement. Even a few days ago, F-Secure launched their official anti-virus solution for UIQ 3, in 'partnership' with Sony Ericsson. Eh?
There's an old saying that 'there's no smoke without fire'. Except in this case, the smoke is being pumped upwards from an artificial smoke machine behind some rocks by the anti-virus vendors. Folks, there's no fire.
The antivirus software industry...
You may remember my original piece on AAS, pouring scorn on the outrageous claims being made in 2005 by the mobile antivirus software developers? Let's examine the same scene today.
FB-4 Inc seem to have faded away. Ditto Jamanda. Ditto Fonoinfo, who seem stuck in 2005. SimWorks are still plugging away, advertising that they protect users of (wait for it) the Sony Ericsson P800/P900 and Nokia 6600. Wow. Quote: "With more and more smart phones shipped every year your phone is becoming a lot more attractive to virus writers". Err.... No..... More and more smartphones ARE shipped every year, but they're virtually ALL immune to ANY virus risk (which, if you remember from above, was tiny in the first place).
On with the roll call from the original article. TSG Pacific have also faded into obscurity. Are you noticing a pattern here? exoSyphen Studios are still around, seemingly concentrating on writing games (themed around hackers) now. Their exoVirusStop product is still available (advertised as compatible with '3rd Edition'), though the way "Series 60" is used instead of "S60" again confirms that they're stuck in 2004/2005. Their claim for their product is "You will be amazed by the small amount of memory it requires, and its lightning fast scanning engine." Indeed. I'm going to write an app that's smaller and faster though. How many lines of code will it take me to knock up an app that simply prints, on-screen, "Your phone is clean. No virus found!"?
All of which leaves only one of the original companies, F-Secure, of course, doggedly persisting with their (Symbian) mobile security business. From their web page: "Mobile malware such as viruses, worms and trojans have become a nuisance that more and more smartphone users have to deal with. Malware can cause unwanted billing, delete valuable information on the device or make the phone unusable." Well, I guess it could - if it existed and if it was able to spread from device to device. That'll be two 'No's then.
Also from their page: "An integrated firewall combined with virus protection is the next step in content security for mobile devices. Pure antivirus solutions are not sufficient in devices that access open public networks such as Wi-Fi. The new generation of mobile devices are in many ways like portable PCs and should be protected with a firewall." Just because a modern S60 or UIQ 3 smartphone is as powerful as a PC was 5 years ago doesn't mean it's saddled with the same vulnerabilities! In my testing, I couldn't find a single open TCP/IP port in ANY version of Symbian OS. There is no need WHATSOEVER for an extra 'firewall' utility.
In the face of complete failure by all other entrants to this market, I can only conclude that there are politics and money at work here. F-Secure is a Finnish company, of course, Nokia is Finnish. And with UIQ being based in Sweden, there's a definite local connection here. So the presence of F-Secure in Nokia's Download! app and their partnership with Sony Ericsson for inclusion on the latter's UIQ 3 smartphones isn't necessarily anything whatsoever to do with there being a need for such software.
In fact, I've (literally) lost count of the number of users who've come to me complaining of a slow smartphone and for whom the solution has been to uninstall the anti-virus solution they helpfully installed. F-Secure's software does seem well written, I'll grant them that - if there actually was a threat then I'd be recommending them - but why install any software utility that's going to sit in RAM, wasting any memory at all and using any processor time at all? Don't we want our phones to be more responsive?
New 'solutions'?
Since the original article, new anti-virus vendors have appeared, eager to expand their desktop offerings. Symantec has brought out Norton Smartphone Security, unbelievably only targeting S60 3rd Edition and UIQ 3 (i.e. the secure platforms) and not supporting older vulnerable phones at all. Hey, there's even a flash video showing a geek businessman who 'doesn't want to take chances' with his smartphone - that's why he chooses Norton, etc. But if your smartphone runs any UI on top of Symbian OS 9 then you're not taking chances. So the usual FUD (Fear, Uncertainty and Doubt) syndrome from Symantec then.
McAfee is the other big entrant, although they've toned down their mobile security pitch since they first launched, presenting a more realistic product that's only advertised for 'large enterprise', i.e. it's part of a big company IT strategy and presumably they're eyeing up Windows Mobile as the main vulnerability here - the only reference to anything Symbian is a 'lose 100 pts for credibility' mention of CommWarrior, one of the oldest trojans for old Series 60 devices.
Speak up!
I wish Symbian would speak up more on this. They go to extreme lengths to break application compatibility in the cause of a new OS that's impregnable and then sit back and watch licensees actively promote unnecessary utility software that claims to defend against a threat that doesn't exist and merely damages performance.
Steve Litchfield, 5th Feb 2008
Addendums
PS. I should sound a small note of caution as a rider to the above dismissal of malware: there's a current craze in the uber-geek world (you know who you are) for 'unsigned' utilities, powerful little brutes of applications that you have to digitally sign yourself. The process isn't trivial (although we do like to help) and the signing process has to be done explicitly for every individual handset (different IMEI), but - and it's a very little but - it's possible that a future unsigned 'power utility' could in reality be a 'trojan', a malicious app that does nasty things to your data. Essentially, you'd be saying yes, I'm going through lots of effort to install this on this particular device and grant it full access to anything it wants, knowing that the application might do harm instead of good. Partly as a result of this, and because of the barriers to installation, AllAboutSymbian's policy is to give this unsigned scene a cautious berth. If you're a know-it-all-bleeding-edge geek then go right ahead, but lesser mortals should wait for applications to be properly checked and signed.
PPS. Note that I haven't dignified any of the anti-virus companies with hyperlinks - I'd hate for them to derive extra Google rank and prominence from this AAS article decrying their products.
Categories: Software, Miscellaneous, Editorial Thoughts
Platforms: Series 60, General, S60 3rd Edition, UIQ 3
News Discussion
mgroeber
In my view there is one area that could give some legitimacy to the existence of anti-virus products even for platforms where there are no credible viruses yet - Corporate IT policies.
It seems quite likely to me that many large organizations simply have a blanket policy of not allowing any device to access their corporate network/e-mail/whatever if it doesn't have state-of-the-art virus protection installed - this becomes even worse when those policies become part of an ISO/SOX/whatever audit.
In this situation it may be much easier for IT managers to simply deploy a solution from a renowned vendor, even though it only scans for hypothetical threats, rather than writing an elaborate essay for their boss and the auditors on why this particular class of devices may right now just as well work without one (and bet their job on the fact that it is and remains true).
And, of course, AV vendors are only too happy to comply. ;-)
svdwal
I'm not so sure that 9.1 will make malware impossible. It is a matter of cost and benefit.
With Express signing, one pays USD 200,-- per year, and USD 20,-- per signing. Most apps are not checked by a testing house, and the check is less extensive than it used to be.
Express signing gives you access to the *interesting* data on a smartphone, which isn't some set of DRM-protected mp3 files, but a user's agenda, contact list and geographical position. If malware authors are willing to invest some extra money for the signing, and can think of a useful app too, they can rather easily create a piece of malware that installs normally and is thought to be safe, because it is signed. Most people won't know the difference between installing a theme and an app, anyway.
Sander van der Wal
www.mBrainSoftware.com
Serious 60
Platsec only does so much for you. It doesn't help when there is a programming error in an API.
Ironically, I've discovered several APIs which can crash the phone when you *don't* have the correct capabilities.
Basically, most of the testing is done with applications which have all the correct capabilities, and so when you prod a server without the capabilities it expects, you are a lot more likely to find a code path which has not been thoroughly tested (especially in a new server written by a handset manufacturer in the rush to release a device).
Smartphones, due to their ubiquity and connectedness, have the potential to provide the most effective vector for infectious software.
If there is a vulnerability in the web browser/ajax engine, widget thing, then all you need is a capsid to transport the exploit - let's say a hampster dance widget which can be spread by the kind of people who use facebook.
- People in general write bad code and always will. Mobile engineers are getting worse, not better.
- Security dialogs are pointless....just get rid of them.
- People are irrational - if they have decided to install something they will, flashing red box or not.
- Virus companies generate their Straussian climate of fear and overblow their own effectiveness and always will, that's what they do.
- symbian signed, SIS files and on target debugging is so rubbish that most hackers just can't be arsed.
But luckily most people up till now don't install apps on their phones. By positioning the mobile as a flexible PC in your pocket, the masses will gradually become awoken of the potential to extend their phones with low signal to noise crap that they do on facebook and then we can revisit this topic.
kflyer
Totally agree with you Steve. Respect 10x! Kflyer.
Rafe
I don't feel so strongly about this as Steve does (and as mgroeber notes there is a rationale for corporate / enterprise usage).
The overblown hype from AV companies does get to me, especially when it's targeted at consumers.
Unregistered
Connection between Nokia and F-Secure is even deeper than that. Risto Siilasmaa, Chairman of the board for F-Secure, is proposed to join Nokia's Board at next AGM.
Anoska
The point of having AV software on your PC is to have prompt database updates when a new vulnerability is found in your OS or some point application. The OS and software vendors will not do quick updates. The AV vendor makes a (sort of) temporary fix between the released exploit and the actual fix and the deployment of it.
The fact that there are no 3rd edition viruses shouldn't be the issue here, the discussion here should be about how likely we'll see a serious outbreak. The whole value of having AV software is dependent on this assumption. I think S60 has holes like in swiss cheese (I am a Symbian programmer), but the platform hasn't been an interesting enough target for the 'real' hackers yet.
I've received commwarrior 4 times and cabir once when traveling. One in Finland, one in Spain and the rest in South Asia. To no effect of course since I would not install these. But I do like to receive them just to see what is circulating around. So I think the problem is real, or at least was since it's probably fading as people upgrade to 3rd phones.
I do agree it's sort of hot air selling this solution for consumers. But calling it fraudulent is maybe too much. And for enterprise users I would even recommend such a solution to some extent. If I recall correctly F-Secure released their Series 60 solution long before there were any viruses for it. So one might look at these things in retrospect, was it fraudulent to have such a solution beforehand? Is it now?
slitchfield
I guess 'fraudulent' is a somewhat incendiary term to have used, but, as you can tell, I was on something of a roll with that piece and getting quite worked up!
I hate seeing users misled on ANY topic, and this is a prime candidate to confuse and mislead an awful lot of new users. If S60 phones had unlimited processing power and RAM (yeah right) then maybe a precautionary a-v tool might make sense, as a temporary guard against any trojans in the wild. But the current tools do have real world resource impact AND they're not free. As and when Nokia at least buy out F-Secure and make it a freebie for anyone that's desperately worried, then I'll cut the topic a bit more slack.
tonyn
Quote:
Originally Posted by Serious 60
Platsec only does so much for you. It doesn't help when there is a programming error in an API.
Ironically, I've discovered several APIs which can crash the phone when you *don't* have the correct capabilities.
Private Message me with details and I will ensure they are followed up. Selecting fixes for a firmware update is beyond my control, but making fixes available for later devices is much easier.
Unregistered
-
tonyn
Quote:
Originally Posted by slitchfield
I wish Symbian would speak up more on this.
Any official statement along those lines would be tempting fate.
Platform Security makes it harder for viruses and worms to run on the platform, because it puts barriers in the way of propagation, but it does not make Symbian OS or the platforms built upon it "impregnable". If you want an OS that is sold heavily on its intrinsic security try OpenBSD:
http://www.openbsd.org/
Quote:
They go to extreme lengths to break application compatibility in the cause of a new OS that's impregnable and then sit back and watch licensees actively promote unnecessary utility software that claims to defend against a threat that doesn't exist and merely damages performance.
Really two big changes coincided; Platform Security introduced Capabilities, Data Caging, etc... and the tools for ARM/Thumb target builds moved to using techniques devised and published by ARM for C++ code on ARM cpus. Other changes rode on the back of these, including cleaning up some APIs, SIS file format, etc...
I have several Symbian devices from different licensees, none of them have anti-virus products installed.
Other people sleep easier at night with an anti-virus product installed, possibly many of these are managers in corporate IT departments. Though having recently cleaned up a friend's PC that was infested with viruses & spyware I can understand how these people may fear that viruses could at some point attack their high powered phones.
ttfn,
Tony
Roller
I wouldn't go writing a self replicating app. I'd look for security exploits, eg, buffer overflows in image processing, so opening an mms from someone might run the code using the image viewer process or whatnot. The 'install' type virus isn't really going to work on symbian, but to suggest it is somehow immune is a bit of a stretch. Agreed, much lower risk. But there are some smart smart cookies out there, and the smartphone explosion is making it a bigger target. Having said that, any hacker who was using an unknown exploit would probably already have a way around the poor existing virus scanners, so while I think it's entirely possible that smartphones can catch a cold, even inevitable, I also think virus products for symbian are just a waste of cpu cycles.
rbrunner
For me, the story has two sides with about equal importance: On the one side, the considerable robustness and in-built security mechanisms of Symbian that make virus outbreaks unlikely. (I am a Symbian programmer myself, even a Swiss one, but I see many more holes in my cheese than in Symbian, thank you very much. Bugs, yes, holes, no.)
On the other side I think about incentives and motives. Compare the Symbian situation with the iPhone: Whole hordes of very skilled hackers descended on that device and cracked it, and cracked it again after each firmware update, at least until now. Why? Because of very strong incentives. If you crack the barriers of the iPhone and let people use the phone on other networks and let people install their own software, you are an instant hacker hero.
Compare this with Symbian: Why on earth should a hacker waste his or her time with a Symbian device? What's in it for the hacker? If I were a hacker, I could hardly be bothered.
I am quite sure that if the same hordes of iPhone hackers would descend on Symbian, with the same elan and endurance, it would take a little longer than with the iPhone, but finally Symbian would crack. But this won't happen.
There are other factors at play. If you as a hacker can plant a trojan at a PC, it is very easy and not dangerous for you at all to start making money from that PC, by renting it out as part of a botnet to spammers.
If you can take over a phone, of course you can also start to make money, but that will hardly be possible in an anonymous way and thus much more dangerous for you.
Again, why should I as a hacker target those well-protected and dangerous Symbian phones when PCs without patches are waiting for me literally in the millions?
Unregistered
Symbian is at least as safe as any other OS which claims to be safe.
Hih
They hacked Symbian 9.x firmware for Nokia phones (all protections bypassed). :o
Unregistered
"They" being the aliens from Andromeda that came and abducted you the other day!? ;-)
Hih
Nah, they came from Tellus. Never trust a smiling S60 9.x developer. :
rbrunner
I saw the hack that Hih refers to: That was a hack, alright, but not one that is relevant for the question of the discussion here, a discussion about the danger of virii for Symbian.
I mean, if you yourself take the firmware of your phone, zapp out essential protection features, re-flash your phone with the weakened modified firmware and then exclaim "See, my phone is not secure" or "See how easy it is to hack my phone", how relevant is that?
Hih
That's correct, rbrunner. I just want to point out some issues about "So Called S60 9.x, non hackable OS"
It can be done, but this issue is trivial indeed.
Unregistered
"I just want to point out some issues about "So Called S60 9.x, non hackable OS"
I've never heard a claim that S60 9.x is unhackable. I've never heard a claim that any OS is unhackable because there simply is no such OS anywhere.
This is a strange thing to have an online conversation about with yourself under different names Hih/rbrunner.
rbrunner
Sorry to disappoint you, Unregistered, but I am definitely only rbrunner ;)
I also think that Hih's mentioning of "unhackable" is a straw man. Maybe some people somewhere pretend such things, but that's pretty uninteresting, because here in this thread people discuss virus matters who understand that *no* system is "unhackable".
The hack that Hih mentions more or less means that a dedicated and somewhat experienced Symbian phone user is - at the moment at least - able to hack *his own* phone. Well, what a surprise. And with almost zero relevance regarding the question of virus dangers - the topic of this thread.
amdram
Oh dear - where to begin.
You say there are no viruses for Symbian 9. That's true if you stick to the strict definition of a virus - self replicating software. But anti-virus companies are really into anti-malware. Viruses are only a small part of the malware scene, even on PCs. And there is malware for Symbian 9. Primarily commercial spyware at the moment. There is at least one Symbian Signed app out there which allows someone, if they install it on your phone, to listen to your phone calls, read your text messages, find out where you are using cell ID or GPS and so on. Sure, they need access to your phone to install it but most people's partners have enough access to do that and people are often pretty careless with their phones, leaving them lying around on their desk while they go to meetings.
FB-4 haven't "faded away". They are now called SMobile Systems and are doing very nicely.
And I can tell you several ways to produce malware for Symbian 9. It isn't difficult. Remember, signing doesn't guarantee that it isn't malware. All it does is identify the author. So, if I were a malware author, the only problem I really need to crack is how to hide my identity and still get it signed. Tricky but nowhere near impossible.
The biggest vulnerability exploited by malware authors is the user. The main attraction of smartphones to malware authors is that users believe they are secure and are therefore very careless with them. Now that these devices are increasingly being used to hold valuable information, they are more likely to be attacked. That doesn't mean it will definitely happen but it probably will. And, if it does, for some people it will be too late to get protection.
bartmanekul
The most telling thing? The numbers of infection.
I know of no-one that's gotten a virus. I've never actually seen anyone claim to have a virus (and that's rare, because people often mistake things for a virus).
And that's being on a number of phone sites, not in the least this one.
And how many people go through these sites? Thousands.
Unregistered
I recently installed an app and when I emailed the support desk about my problems I was told that I have a mobile virus and that I should flash my firmware. Needless to say I ignored their advice...