Read-only archive of the All About Symbian forum (2001–2013)

Security firm marketing tactics manage to fool the BBC

10 replies · 2,791 views · Started 19 October 2008

Sigh. Another month, another needless high profile security scare. The BBC should know better. In this case, they talk to a Mr Coney, who (surprise, surprise) happens to sell security software. He's quoted as saying "One of common types we see now runs amok on the Symbian platform. These viruses work their way through the contact book, sending themselves out to every subscriber who has been called or has called that handset." What a load of rubbish, timed to go live on the eve of the Symbian show, too. Read on.

Read on in the full article.

* And that's assuming that the malicious code writer managed to get a Symbian Signed certificate for his file by submitting it on the Symbian Signed website and getting it approved from them with all the rights required to run amok.

Steve, you ought to put down the gauntlet to these AV companies to try and infect your phone without physically touching it. If they can't, then there's no way a virus could spread to it. I'm sure they'll be represented at the Symbian show, try asking them to do it.

To be fair you could have the Bluetooth on, but that's probably the only concession they should have.

And that's assuming that the user was foolish enough to accept the incoming Bluetooth or MMS item in the first place.

...and a fourth condition too: the user has to be within 10 metres of someone with an infected phone that uses the same version of the same operating system and has Bluetooth switched on.

That condition alone is extremely unlikely, I'm always amazed by the way anti-virus companies seize on Bluetooth as a transmission method. How often are you really that close to someone with a compatible device that has BT switched on?

And combined with Steve's other conditions I'd wager that no one has ever EVER unwittingly been infected with a BT virus on Symbian.

The only transmission method that makes sense would be some kind of internet or phone network-based one, but that would still only work on one OS (and possibly only one OS version too). That's the main reason Mac and Linux computers are so safe to use, they simply aren't compatible with viruses written for Windows.

Phones run so many different OSes (Nokia has two: Symbian and NokiaOS, Samsung has even more) that virus writers would have a tough time picking a target, especially as the vast majority of phones don't even run native applications. Smartphones as a whole are only about 10% of the market, so any smartphone OS would only represent a few percent of total phone users, which couldn't provide the sort of havoc that virus makers typically want to achieve. The main reason PC viruses spread so far now is because 90% of computer users use the same OS, which makes it very easy to create spectacular fast-spreading malware. If the PC OS market was as splintered as the phone OS market, computer viruses and malware would be a much much much smaller problem.

In fact it's a bit like real life: the greater the variety of genes in a species, the harder it is for real viruses to infect the population because the defences used by the immune systems vary so much, and if viruses can't infect someone successfully that person is much less likely to pass it on to those who are vulnerable. Diversity is the best form of defence against viruses of all kinds.

Correct me if I am wrong, but from Steve's story it appears that a malware could get to your inbox by simply someone sending a spam MMS? Isn't that fairly easy to do, and the user does not have to accept an incoming MMS. It will get into your inbox no matter what, no?

If that's the case, I think it is quite conceivable that a lot of people would open the MMS, and that a few here and there could install something.

So, what EXACTLY does your phone say? Simply that the application is untrusted or something stronger? If the former: that's what I think it will say on any non-Symbian signed application, no? And there are a lot of fairly well known apps (although cannot think of one now 😊 ) still out there that are not Symbian-signed, no?

If there are people accepting all kinds of other spam (hell, sending money to a Prince in Nigeria springs to mind) it's not at all inconceivable that some people would also install something like this, even if there are 3 warnings or what not.

In short: to say that it cannot happen because it's extremely unlikely (and if something can be in theory spread through MMS, I am not sure you can claim it's unlikely to get at least to the inboxes of people's phones) and that most people are smart enough is probably not assurance enough for a company that really likes to worry. So, as such, I think it's OK for Nokia to e.g. include security software on the E71 etc.

And no, I don't work for a security software company. 😃

Correct me if I am wrong, but from Steve's story it appears that a malware could get to your inbox by simply someone sending a spam MMS? Isn't that fairly easy to do, and the user does not have to accept an incoming MMS. It will get into your inbox no matter what, no?

AFAIK it's not possible to install a native executable app from an MMS, which is what a virus would have to do. Some of the stuff in the BBC article is pretty close to outright lies.

The nearest you could get is a text message that included a URL to a download site, but then the user would have to install an app from a strange site they've never heard of, and they'd get these "Untrusted Content" warnings, and even if they ignored the warnings the app couldn't send out any further texts because only signed apps can access messaging or calls.

If there's no way for a virus to spread automatically by this method, then the method is pretty much useless to virus writers.

? Simply that the application is untrusted or something stronger? If the former: that's what I think it will say on any non-Symbian signed application, no? And there are a lot of fairly well known apps (although cannot think of one now ) still out there that are not Symbian-signed, no?

It says that the app is untrusted and may cause damage, it's pretty strong. I think it puts a lot of people off installing unsigned apps (which is a shame, but obviously better than installing malware).

I agree there's nothing to distinguish the two warnings, but then there probably shouldn't be because anyone could set up a website full of unsigned apps claiming that they're legitimate. They could even alter a legitimate application so that it contained malware, in which case the warning would be very appropriate indeed.

The ideal solution to this might be an S60 app store built into the phone which contained all 100% signed software, which would give devs a very very big incentive to get signed and give users a totally trustworthy source of software. It would make casual users much less likely to install anything unsigned, and those who know about unsigned apps would probably be clever enough to distinguish them from malware.

In short: to say that it cannot happen because it's extremely unlikely (and if something can be in theory spread through MMS, I am not sure you can claim it's unlikely to get at least to the inboxes of people's phones) and that most people are smart enough is probably not assurance enough for a company that really likes to worry

It's all about the odds: I'm sure somewhere on the internet there are instructions for picking the lock on my house door, but if my lock type is one of the hardest to break into then I don't think I'd worry about it.

There's a theoretical risk but would that really justify installing a 6 inch steel door with fingerprint scanner etc? Such a solution would be overkill and probably cause more problems than it solves (such as whether my building can stand the weight of such a door). And if none of my neighbours have ever been broken into, then there's even less reason to purchase such a door.

AV software on phones is the equivalent of that steel door, it takes up a huge amount of RAM and may interfere with the normal functioning of the phone. If there's no proven need for such software, why install it?

Large numbers of Windows PCs are known to regularly get infected with malware so there is a proven need for Windows security software, but no one has ever observed such infection on Symbian devices except in the laboratory. I have never installed any AV software on any mobile device, and I've never been infected with any malware or observed any odd behaviour as described in the article. I'm a power user, so why hasn't it happened to me in all this time? I've often seen Windows malware, why do I not see any Symbian or other phone malware? The article talks about strange apps asking if you want to install them, but I've never had that happen to me. Why not? Could it be that it just doesn't happen in real life?

I'm not saying it couldn't happen, maybe one day it will become widespread, but until it does happen people should concentrate on much more likely threats. There are much easier ways for scammers to steal from you, for example by tricking you into sending premium rate texts or calling premium rate numbers, which would work on all phones from all manufacturers and could potentially net hundreds of euros per successful victim. They often operate from overseas so there's no way to stop them.

I suspect that a piece of malware, if installed through the warnings, could probably have access to the contact store. But then, if it wanted to send information via Bluetooth or MMS (in order to propagate itself) it would have to ask the user's permission. For EVERY contact/attempt. A user would get VERY suspicious very quickly.

In fact, the sheer fact that none of us knows *exactly* what's involved here speaks volumes. It's because no one outside warez/crackz-infested circles has ever even seen an infected device and thus doesn't know how such malware really behaves on a modern device.

The only place any of us are likely to come across a piece of Symbian malware is likely to be in somewhere like F-Secure's labs. Which is hardly 'in the wild'. Let alone running 'amok'....

If malware can't propagate because of platform security then it's not going to get very far, is it? It's a trillion miles from malware under Windows, anyway.

Tzer2 wrote: AFAIK it's not possible to install a native executable app from an MMS, which is what a virus would have to do. Some of the stuff in the BBC article is pretty close to outright lies.

The nearest you could get is a text message that included a URL to a download site, but then the user would have to install an app from a strange site they've never heard of, and they'd get these "Untrusted Content" warnings,

Well, an MMS is little more than a web link to photo, video or yes even a .SIS file received by the phone company and put on their server. For a .SIS the normal installation warnings will appear just as if installing from Bluetooth, a memory card, etc...

However there are no such viruses for devices using Symbian OS versions that include Platform Security, i.e. either S60 3.0 or UIQ 3.0 or later. (MOAP(S) has not supported install of native apps so far.)

CommWarrior & Caribe were reported in some regions a few years ago, but have pretty much disappeared with the affected handsets becoming worn out or obsolete and many network operators blocking .SIS files in MMS messages.

Goodnight,
Tony

When I first got my N95 8GB I knew hardly anything about Symbian phones, and I tried installing an app from a blog that had a Trojan hidden in it called Red Browser or summat.
As inexperienced as I was at the time, I got a bad feeling and quit installation and scanned the file on PC, and Norton detected it and reported back that it sent multiple premium rate texts by conning the owner into giving it permission.
But as new to smartphones as I was at the time, the security was good enough to stop me making a big error.
So I agree an AV is not needed as long as you take security prompts seriously and make sure you investigate anything you feel is suspicious.

slitchfield wrote: I suspect that a piece of malware, if installed through the warnings, could probably have access to the contact store. But then, if it wanted to send information via Bluetooth or MMS (in order to propagate itself) it would have to ask the user's permission. For EVERY contact/attempt. A user would get VERY suspicious very quickly.

No.

After installing a self-signed app with the full user-grantable capability set it is able to send MMS and Bluetooth messages silently. Bluetooth only if Bluetooth is on, though - enabling Bluetooth requires WriteDeviceData.

Steve, I understand your frustration with the AV companies - they are vermin. But you should only fight FUD with science.

"meaning that there's simply no way a piece of malware could call out in the way described without warning the user every single time it wants to do anything"

You are too bought into the brand of Symbian Signed. We have already seen how the update process on the PC can be subverted to download malicious images to the device during a firmware update. The vector could be something most unexpected.

These days it could be a buffer overflow in WebKit (which is a process with network capabilities), it could be in the Flash interworking, even a buffer overflow in the SMS stack could execute code in the messaging server, which is a very high capability device.

Do challenge the AV companies, but don't be a moron about security like so many before you.