Mobile phone functions have expanded greatly over the years. Phones nowadays can be organizers, email clients, web browsers or music players. The popularity of such devices means that the phone is slowly replacing some of the functions of a computer. One particular feature that I would like to talk about is the ability to completely customize your phone by loading a whole new operating system. In fact, each Windows mobile phone comes with a license for the Windows mobile operating system.
Let’s look into how phones (hardware) are married to the operating system. The installation process works like this: a phone vendor will distribute an operating system for a particular phone model. Once you download the new operating system (usually in a ROM format), you simply flash the ROM file to your phone. The process is fairly straightforward for most people, and the end result is that the phone now has a fresh new operating system.
Putting aside the legal issues of licensing these operating systems for a moment, there is a trend for phone enthusiasts to install an unofficial ROM, or "cooked" ROM. These ROMs are usually full operating systems that have been heavily customized for performance or functionality gains. Similar to Web 2.0, the content of these ROMs is no longer driven by the provider, but by individual enthusiasts. What’s the concern? Well, as we have seen with the MySpace worms, a ROM author may add an application into the standard ROM which will be automatically installed. Generally, ROM authors post their ROMs online to share with other users, who may not be as technically savvy and simply let the application install without checking whether it is safe. Now imagine if that program was a backdoor Trojan that attempts to steal the personal information from the phone and then sends it to a remote server. Worse yet, the Trojan also has a worm component that spreads itself via SMS, MMS and Bluetooth. Now the malware is spreading itself even further, to the victim’s contact list or to other nearby phones.
So can this happen? Well, yes it can. Take for instance the wildly popular Apple iPhone’s root password, which was cracked within 3 days. Right after that, many of those iPhone users ventured to use their newfound freedom, but they forgot to do one thing: close the backdoor on their phone by changing the password on it. Avert Labs has recently blogged about this in the Apple iPhone blog by Marius Van Oers (http://www.labs.com/research/blog/index.php/2007/07/24/apple-iphone/). But the question to ask is: why is mobile malware not as prevalent as Windows malware? The simple answer is that most mobile phones are not used for monetary transactions (yet). Once you introduce a money factor into these phones as a mainstream function, you can bet that someone will write malicious code to capitalize on unknowing victims.