Become a fan of Slashdot on Facebook


Forgot your password?
Back for a limited time - Get 15% off sitewide on Slashdot Deals with coupon code "BLACKFRIDAY" (some exclusions apply)". ×
Worms Security

First Symbian OS virus to replicate over MMS 179

Shachaf writes "A new virus, CommWarrior.a, is the first to replicate over MMS (Multimedia Message Service). From the article: 'Multimedia Message Service (MMS) is a more advanced version of the Short Message Service (SMS) familiar to users of GSM based handsets around the world, and allows rich content such as pictures, sounds, video, and applications to be sent as well as text.', and '"With MMS messages typically costing between $0.25 and $1.00 CommWarrior could prove expensive to anyone unlucky enough to be infected by it. As the virus runs silently in the background it could be quite some time before the user becomes aware of the potentially hundreds of MMS messages that have been sent," said Aaron Davidson, CEO of SimWorks.'"
This discussion has been archived. No new comments can be posted.

First Symbian OS virus to replicate over MMS

Comments Filter:
  • First AV As well... (Score:4, Informative)

    by RobertTaylor (444958) <> on Tuesday March 08, 2005 @01:25PM (#11879289) Homepage Journal
    The first virus... but lucky there is already anti virus software [] out there for your p910 :)
    • by tabkey12 (851759)
      Please no...

      Why is Symbian so insecure - surely an embedded OS is not difficult to harden? It is not as if the phone will be running lots of insecure services by default.

      Another reason to stick with my simple phone!

      • This isn't really their insecurity, it's the ages-old "dumb user opens executables from random stranges" problem. There's not much you can do at the OS level to stop that, at least without impeding functionality (people want to be able to send games to each other)
        • I think the point the GP was making was "why does a phone have the capability to EXECUTE APPLICATION CODE instead of just being a phone!?!?!"

          (at least, that's my response to this whole debacle...)

        • Although like usual, it's not the "dumb user opens executables from random strangers" problem, but the "dumb user opens executables from trusted friend" problem. From the old days of infected-floppy-sharing to modern viruses that pull email addresses from users' address books, this goes after the type of people who think "I'm curious what Uncle Fred is trying to send me, so I'll just click "OK" repeatedly to open it!"
        • Why does a frelling PHONE need to be able to EXECUTE attached files in the first place?
      • It is not as if the phone will be running lots of insecure services by default.

        Uh... all communication coming into the phone requires a service to receive it. Bluetooth, MMS, and the calls themselves all need something to receive them. A communications device is going to be insecure by nature unless great effort is taken to secure it. The reason this hasn't been a problem until now is because people couldn't remotely control or transfer data (other than plain text and the calls themselves) to and from th
    • Wow! (Score:5, Insightful)

      by FreeLinux (555387) on Tuesday March 08, 2005 @01:30PM (#11879364)
      What a remarkable "coincidence".

      I never put any credence into the ativirus companies writing viruses conspiracy theories but, that one's just too fishy.
      • by oGMo (379)

        Eh, look at it this way, does Microsoft write viruses? After all, it's really suspicious that you hear about vulnerabilities and there are already viruses that take advantage!

        Well, not really. It's just there are a lot of people in the world; some of them strike quickly to write viruses, some of them strike quickly to write antivirus software.

      • Not really. The AV companies have already developed the application. They're just waiting for the market to want it. If no one has ever heard of a virus for a phone, how many people are going to buy the product?

        I've read interviews by some AV companies that say they have already developed an AV program for linux, but they won't release it until there's an actual virus to create the demand.

        Besides, do you really think an AV company is going to risk the whole business by covertly developing a virus? If
  • I'm willing to bet that wireless telco's created it to increase revenues... ;)
    • Too much tinfoil can cause interference with your cell-phone reception..

      besides, it couldnt be the phone companies thats to direct. its obviously the anti-virus companies..

      They're in it with the martians.
    • Why bother with a virus when they already spam you with ads? I had a rather unpleasant experience with verizon not too long ago

      I started recieving text messages to upgrade my service to another plan, almost on a daily basis. After awhile I responded to one of them stating that the attorney general of my state would be notified if any more unsolicited messages arrived. Within 10 seconds of sending the reply, my phone rang. It was verizon telling me that in my agreement was a clause allowing them to send 'a

      • That's weird. All of T-Mobile's messages to me are free. And I get about two ads from them a year. (It may be because the voicemail notifications are over txt, I dunno).
  • Well (Score:3, Funny)

    by Anonymous Coward on Tuesday March 08, 2005 @01:26PM (#11879297)
    It's a good thing I have no friends then.
  • by Anonymous Coward on Tuesday March 08, 2005 @01:26PM (#11879302)
    All of my coworkers laugh at me for using such a simple phone with only basic features and services. Guess there are some benefits afterall.
    • by Anonymous Coward

      Actually, we laugh at you for OTHER reasons, but if you want to believe it's your crappy phone, go ahead.

    • You do realize that you have to accept the file and confirm that you wish to install the application? It doesn't spread without actually being installed. The same with the BlueTooth "viruses", first you have to accept the Bluetooth connection - then you have to accept to install the file that was sent to you. No different than eMail viruses nowadays, if you get one - you're an idiot, sorry :p
    • by gl4ss (559668) on Tuesday March 08, 2005 @02:06PM (#11879769) Homepage Journal
      1: you can keep the mms settings off - there by being immune from this.
      2: you need go through the installing of the application yourself.
      3: when installing it warns you that it is not signed and potentially unsafe.
      4: you could get one of the antivirus solutions which mostly are snakeoil(because if you are smart enough to install one.. wouldn't you be smart enough to NOT click through the install?).

      the way this is most probable to spread is by intentional spreding by some kids, like other symbian 'viruses'(they're all programs that you have to click through the install by yourself) it's almost impossible to bump into this by total accident in the wild.

      what's to note is that these symbian phones are open in the same sense a pc is - ANYONE can develope anything they want for them(and they're STILL more secure than a pc with the modem plugged to the wall). including you! if you're a nerd you should appreciate that possibility, if you're not wtf you're doing on slashdot anyways?

    • A lot of people laugh at me for using a manual typewriter and correction fluid, and sending letters via snail mail, but I've never gotten a virus. Except when my aunt Chloe sneezed on that postcard.... Guess there are some benefits after all. ^_^

      (Sure, you're safer, but most people prefer functionality over safety. I'll keep my WAP browser and Bluetooth contact synchronization, thank you very much, even with the gaping hole in Bluetooth.)
  • Liability (Score:4, Insightful)

    by Thnikkaman (818752) on Tuesday March 08, 2005 @01:27PM (#11879311) Homepage
    I wonder if this falls under the protection of the service provider. It seems to me that they shouldn't be able to charge the user for a vulnerability on their part, but what companies should do and what they actually do are very different things.
    • Re:Liability (Score:3, Insightful)

      by hikerhat (678157)
      I was thinking the same thing. It should be like a credit card, where you aren't liable for more than $50 or so of fraudulant charges if you card is stolen.

      But my cell phone is about 5 years old now, so I don't have to worry about these things.

  • I'd like to know why those MMS and SMS are priced the way they are?
    Why wont anyone allow a flat-rate service? I mean.. it's data, but Im sure the cost of building the cellular networks should be paid off by now (excluding 3G).. at least here in sweden. (dont know how it's worldwide)
    • by hsmith (818216) on Tuesday March 08, 2005 @01:30PM (#11879358)
      Why? Because it is PURE profit right now, if everyone is charging the same, they all can milk users while they can. One day it will be competitive, right now they all "agree" to keep prices high to rip off users. Do you really think SMS messages cost the $.20 they do to send? of course not. $.01 would be expensive still.
    • the current price is what 12 year old girls find acceptable... they are happy to pay it so why reduce profits?
    • MMS is priced the same way data is on most packages: by the KB. You can buy data packages and be covered by a flat rate up until you exceed your package's quota. SMS messages are charged a flat rate per message (they are not packet data, but they can be on some modern networks depending on your phone and what else you're doing on the phone at the time -- in this case you'd pay per KB), or similarly you can buy a package of messages and be covered until you exceed your quota.

      It's the same for long distance
    • T-Mobile offers unlimited data and SMS on their Sidekick plan. I'm pretty sure they offer unlimited SMS to encourage people to use it instead of email/IM, which take up more air time/bandwidth. As an added plus, the Sidekick stores SMS messages on your SIM, so they can't be retrieved should someone discover your password. ;)
    • Which is why competition is a good thing. Up until recently, here in my country (which is said to be the SMS capital of the world...), there were only two GSM mobile providers (Globe [] and Smart []). They both had nearly the same rates and pricing, and your only reason for choosing one over the other was if all of your contacts were generally concentrated on one network or the other (because non-interconnect rates were slightly lower) And then came along a third (Sun Cellular []), and they introduced a flat-rate pr []

  • Eh.. (Score:3, Interesting)

    by Eric(b0mb)Dennis (629047) on Tuesday March 08, 2005 @01:28PM (#11879338)
    So, the question is...

    Are the customers reponsible for all the charges incurred from this virus? Being that it probably uses a flaw in the phone's OS itself.. how is this going to work?

    Nobody is going to want fancy new fangled smart-phones if they get infected with viruses and run up your phone bill monthly..
    • Re:Eh.. (Score:5, Insightful)

      by plover (150551) * on Tuesday March 08, 2005 @01:31PM (#11879378) Homepage Journal
      If I had a phone like this and it was infected, and it ran up a huge bill, I'd first talk to my service provider. If they refused to waive the charges, I'd then talk to the cell phone manufacturer.

      Seems like the cell providers could kill this quickly. Can't they recognize the virus signature in the messages that are transmitted? And can't they trace them back through the links to find out where it originated? Are there really holes that big allowing people to upload crap like this anonymously?

      • Are there really holes that big allowing people to upload crap like this anonymously?

        Though I haven't checked lately, my cell provider's webpage had an interface to send text messaging to cellphone subscribers...

        So if you took your war-messaging script to a cybercafe, you'd have some measure of anonymity...
        • Good point. My understanding is this is an MMS virus, though. Can you inject an MMS anonymously via the web, too? Given the price they charge for the damn things, I'd sure hate to be spammed by web-generated MMSes.
  • ...message, on an already well known-format, shouldn't it be possible for service providers to block the messages through the MMS MX handlers? And/or simply not bill the customer for the sum of messages sent with that format. Of course, isolate them from the network if possible (remove their permission to emit MMS messages at the MX) until the malware can be removed from their device. Just a thought. Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better.
    • by Capt'n Hector (650760) on Tuesday March 08, 2005 @01:41PM (#11879487)
      "Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better."

      Yeah, god forbid a cellphone company take advantage of unsavvy customers....

    • by plover (150551) * on Tuesday March 08, 2005 @01:45PM (#11879527) Homepage Journal
      It's not in the short-term best interests of the cellular providers to block the virus. First, it involves acknowledging the virus exists, which tends to scare people. Next, and here's the cynical greedy part, people who blindly pay their cell phone bills every month without complaint make up a large part of their customer base. If they can make a few million dollars off the virus, where's the incentive to shut it down? Willingly give out reimbursements to anyone who complains, but let the rest of them just continue to fork over cash.

      Sorry to be so cynical, but I just see these "services" (and all cell phone costs) as tremendously overpriced. It's just data. The bandwidth has a fixed cost (it's just the sum of maintenance, capital investments, marketing, etc.) Throw in 10% or 20% over cost for a profit margin, and call it done. But no, they have to have "minutes" and "plans" and "packages", all of which are expressly designed to mislead the buyers into spending as much money as possible, regardless of the amount of "service" they "consume." And we, the sheeple, consume it readily.

    • Are you joking? do you know how much profit phone companies make from MMS!? for them this is malware heaven "whats that sir? you say your phone has a virus and now your phone bill has gone through the roof? oh dear, we can send you the anti-virus patch over the network.. for a one time fee, but we can't cancel the charge from messages the virus sent.. company policy"
    • For Khaz Modan!

      Thank you, thank you. I'd like to thank all the talented nominees, and of course, God, above all.

      One love.

      (-1: Offtopic)
    • Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better.

      I think this should be considered to be no different to internet connection. In this context I'd like to say "PC /w internet connection" == "Mobile".

      If you have a internet connection for which you pay per used bandwidth and you get a virus, do you get refund? You get 0wned and someone uses you as a spam relay, you get black-listed. Should you get refunded?

      No. You should make sure tha

  • Trojan not virus (Score:5, Informative)

    by lxdbxr (655786) * on Tuesday March 08, 2005 @01:30PM (#11879368) Homepage
    I know the nomenclature is largely ignored nowadays, but I would call this a trojan not a virus since it requires the user to run it to start spreading: Quote from the ZDNet [] version of the story:
    A recipient also has to accept and download CommWarrior in order for the Trojan to launch itself.
    It's not like it starts running as soon as you open the MMS message; you actually have to take steps to run the application contained in the message. Of course some people will run anything...
    • Re:Trojan not virus (Score:2, Informative)

      by ms139us (723585)
      Parent is correct. Has anyone on slashdot ever tried to install unsigned software on a Symbian device?

      It is littered with warnings and confirmation screens. Anyone who got this virus had to endure the installation process confirmations. It is worse than a EULA.

      I find that I lack sympathy for a user who repeatedly selected "ok" and "continue" after being warned that this software cannot be verified -- software that arrived unsolicited.

      It takes a whole new kind of inattention to allow this virus t
  • Viruses (Score:2, Funny)

    by zecg (521666)
    Anti-virus software is a sign of platform's maturity... a sort of an OS Bar Mitzvah. There are probably Nokia engineers working on new worms, tightly collaborating with their anti-virus engineers.
  • by PsychicX (866028) on Tuesday March 08, 2005 @01:32PM (#11879396)
    Get a Windows CE phone :)
  • by junkcannibal (849421) on Tuesday March 08, 2005 @01:37PM (#11879447) Homepage
    It seems to me that since most people get their phones for free when they sign up for a plan, the cell phone companies should bear the cost of this virus. This cost will inevitably be passed on the the concumers. My point is that it should be the responsibility of the cell phone companies to keep their products and their networks free of viruses. Dwight Yokel BEEP BEEPING his neighbor in the next trailer over, should not be expected to pay and money or attention to this sort of concern or worry about extra charges on his bill because his cell phone company runs a flawed service.
    • yeah Dweight Yokel should expect me, and the other whatever percentage of the users that don't get this or don't even buy a new enough phone to be vulnerable to pay for him.

      Maybe Dweight Yokel got a computer training lesson he won't forget, and for less money then a computer school.
    • Actually, the phones which are capable of being infected by this virus are NOT the ones they give away free. These are all running SymbianOS, which means for the most part they are high-end phones which have PDA and/or computer capabilities.

      My own telephone is one which could be infected. I have already contacted T-Mobile to find out if they plan on filtering this as it passes through their servers. In the meantime, I just won't accept MMS messages from people I know without verifying that the sender actua
    • This begs the question though, that in the same circumstances of having a MMS provider being responsible for their traffic, shouldn't ISP's be responsible for the traffic being issued over their lines too? But wait a moment, aren't they released of all liability due to their title as a 'common carrier'?

      Before you start pointing the finger at the ISP's, you have to think deeper into the repercussions of moderation of their networks. More moderation simply means more people to control what is being passed th
    • If they pass the cost on to consumers, consumers will respond by dropping subscribing to the most expensive services.

      telco's will have to respond by lowering costs of those services.

      I predict the ultimate result of this will be flat-rate MMS.

      • Actually, on Sprint, they've already got flat-rate MMS (actually, I'm not sure whether it's true MMS, but it has the same effect). $15/mo with $10/mo free downloads for the regular Vision plan, $15/mo with $5/mo free downloads and unlimited Picture Mail (MMS-like service) for the Vision Picture plan.
    • NO, NO, NO, NO, NO!

      Should SBC, Verizon, or Sprint pay for the international calls that the dialer that snuck onto your PC when you downloaded that "download this program for the best XXX" thingy made? NO!

      Should Cingular or T-Mobile pay for the MMS messages that this Trojan/worm uses to replicate, especially after you told it "Yes, I KNOW this thing is unsigned and may be dangerous, but I want to install it anyway"? NO!
  • by gl4ss (559668) on Tuesday March 08, 2005 @01:39PM (#11879466) Homepage Journal
    someone you didn't expect to get it from.

    this needs manual installation by the 'victim'!

    not very likely to spread too far either - a lot of people don't have even the mms settings in place.
    • ...but the text in the MMS says: "Your cell phone clock may be wrong. Would you like to keep it accurate?"
      • STUPID, STUPID, STUPID PEOPLE (although PrecisionTime seems to be popular on Windows XP, and Windows XP has a (semi-neutered) NTP client built-in, not needing PrecisionTime or any other time app)...

        On my Nokia 6225 (not a Symbian phone), I can change that setting from Menu>Settings>Time settings>Auto-update of date & time. Grabs it from the network, auto time zone compensation.
    • Unfortunately I had to review my opinions about people having to be stupid to accept unknown software.

      Well, anyways there is times when people except messages from certain providers. Like when people are arrive to a new country they are quite accustomed to a welcome to a new country messages.

      As an example I know a case where one of our customers did accept Cabir over bluetooth because it was send with a sender name of a local operator. Unfortunatily I can't see a difference in a MMS case. User that thinks
  • What was Paris's #, I need to send her a mms message.
  • the article mentioned in the /. blurb.
  • Not to toot my own horn, but I worked for a company last year, where we made an AntiVirus product for Symbian, which can handle SMS message viruses. website:
  • by bojanb (162938) on Tuesday March 08, 2005 @01:44PM (#11879520)
    From TFA:
    CommWarrior periodically sends MMS messages to randomly selected contacts, including a copy of itself and one of several predefined text messages designed to encourage the recipient to install the application.

    Doesn't really seem this is Symbian's fault, CommWarrior just behaves like a malicious application. The user obviously has to install it and then run it to get 0wned.

    Of course, some sort of sandbox environment like in Microedition Java would have been a better design, but I guess Symbian simply wasn't built with something like this in mind. I know Nokia is pushing a model where only certified developers will be allowed to write applications that access sensitive functionality (dialing numbers, sending messages, etc.), but this is not a great solution. It will drive the cost of applications way up, and shaft all the small app developers, because only the big guys will have their apps signed by Nokia.
    • That effort is actually being driven by Symbian. Accessing sensitive information on both future UIQ and Series 60 (And any other Symbian derivative that pops up) will require priviliges via signing.
      • This is true, but it's going to be just another level of OK's for the user to click through. I presume some operators will have the sense to disable the user override feature on their subsidised phones, (to loud complaints no doubt).
  • hehe (Score:3, Informative)

    by Turn-X Alphonse (789240) on Tuesday March 08, 2005 @01:45PM (#11879533) Journal
    When will people learn the more features something has the more holes it has in it. My cellphone can take calls and text, doesn't even display colour but if I have a car accident or I get injured it'll do the job just as well as any "3G super mega hyper magical edition" phone.

    Maybe people need to learn that the home phone is better for calling friends and mobiles are mostly for emergencies and when someone needs to urgently contact you..
  • I just love vendors who shrug and say "This is gonna hurt you a lot more than it's gonna hurt me. Sucks to be you."

    What's the name of this company, 'Lumburg'?
  • Per Symantec - SymbOS.Commwarrior.A is a worm that replicates on Series 60 phones. It attempts to spread using Multimedia Messaging Service (MMS) and Bluetooth as a randomly named .sis file. -- So how many Lexus's are affected? (OK I dont like Lexus's so from now on multiple Lexus vehicles are referred to as LEXEN!)
  • News like this makes me happy that I have a very simple phone with simple features. All a phone really needs is to be able to store numbers and make phone calls. That's it. Anything else that could in any way compromise security should not be included.
  • by SamMichaels (213605) on Tuesday March 08, 2005 @01:59PM (#11879676)
    Perhaps I mis-RTFA or just don't understand MMS, but whenever my mobile is active it causes amplifier noise (talk or send/receive SMS). CDMA or GSM. Computer speakers, car stereo, whatever. Wouldn't a constant transmission be noticable?
  • by CPgrower (644022)
    Why isn't the cell phone's embedded code not written and executed in read-only memory? I understand there *may* be a need for volatile memory to read/write data to a stack/heap; however, why should data written to such memory *ever* be executed as code! I'd really like to know from someone who writes embedded systems for cell phones.
  • by hey! (33014) on Tuesday March 08, 2005 @02:03PM (#11879728) Homepage Journal
    I mean, the RFCs for MIME came out, what twelve years ago? Injudicious MIME implementations have been vectoring trojans ever since.

    So, you'd think they'd have taken a lesson from a decade of history and limited the power of multimedia attachments.
  • by harshaw (3140) on Tuesday March 08, 2005 @02:22PM (#11879983)
    Modern phone operating systems have security features built in where the application installer will only allow *signed* applications to be installed. A virus / trojan wouldn't get signed because it has to go through an acceptance program.

    The first Microsoft smartphone product had this feature turned on - normal joe's couldn't install software that hadn't been signed (the signing process usually costs $$ although recent efforts have reduced the cost).

    Symbian *has* the same functionality. In fact, most commercial symbian software should now be signed, see Symbian Signed Symbian also has the functionality to disallow users to install unsigned programs. It is just that this feature is turned off by default (at least on the phones that I have seen).

    Theoretically, all an operator needs to due is send an OTA message to turn on signing verification. This is easily done on a windows mobile and presumable via WAP push on Symbian. We probably will see operators start to turn on signing requirements by default on symbian phones (hopefully with the capability for users to turn it off so they can install freeware if they so choose).
  • by Jacco de Leeuw (4646) on Tuesday March 08, 2005 @03:40PM (#11880921) Homepage
    The telecom operators are already filtering these infected MMS messages.

    The only problem is indeed the cost of sending these messages. I do hope that operators are not charging customers for these undelivered messages.
  • Im a borderline luddite :)

Nobody said computers were going to be polite.