I’ve dug up an old copy of Amstrad Action (issue no.85, October 1992) which has quite a funny letter from a reader in its technical forum section. You can see a scan of the letter below:
This is a really good example of the kind of paranoia users get into. It also probably reflects what was being touted around the media at the time. Earlier in 1992, the Michelangelo virus had caused a bit of a media storm after some hardware and software manufacturers accidentally shipped infected products.
I can’t find any reference on the web to the German Amstrad CPC virus referred to, but I do remember seeing some CPCs in Dixons in Scarborough in about 1990 which had some kind of anarchistic screen displayed saying it had been hacked, which as a kid I found pretty cool. Someone had obviously sneaked in and loaded it up on the machines while the salesmen weren’t looking.
Anyway, fast forward to today and we find this ludicrous – why were users jumping to conclusions about viruses on a machine like the CPC? Similar events are happening today – users seem to jump to extremes – either they ignore the possibility completely that they have clicked on something bad and are now part of a botnet or, at the other end of the scale (like the guy above), that because their computer is running slowly or broken, it must absolutely be a virus. This also extends to either the misplaced notion that Apple machines are immune to malware or that Android devices are riddled with maliciousness. Both incorrect views, but popular ones (and perpetuated by the media in many cases).
Users need independent trusted sources of honest advice and that isn’t necessarily found in those who have a vested interest in selling a fix to them.
The evolution of hacking against mobile devices has been as rapid as the evolution of the device technology itself. Traditionally, mobile phone hacking has centred around the ‘embedded’ part of the phone, that is the electronic hardware. The software and firmware within the device was proprietary to that particular manufacturer so hackers and hacking groups specialised in a particular area. The knowledge and expertise needed to crack devices was very high and technically complex. As a result, it was difficult to understand and even though there was a large grey and black market centred around SIMlock removal and IMEI number changing, the media didn’t ever report it. Large amounts of money were made with lots of this going directly up the chain to the top. As the hacking technology developed, protection techniques were established in order to ensure that the revenue chain was always going back to the originator of the tool. To the ordinary user, they just knew that they could take their handset to a market and get it unlocked. The perception was that hacking a phone was easy.
The first real main-stream attention that embedded hacking got was around the iPhone. Existing mainstream hardware hacking groups had been involved in assisting George Hotz, a 17 year old at the time to create a hardware crack which would enable the removal of the SIMlock and ‘jailbreak’ the device, allowing non-Apple approved applications to be installed.
The public perception of hacking is extremely confused. The recent “phone hacking” scandal in the UK was really unauthorised access to voicemails on the servers of the mobile operators. Users don’t really understand where they are with regard to their own phone security or what they need to do. The anti-virus vendors in particular are responsible for sabre-rattling with respect to the threat to mobile devices. They have repeatedly declared “20xx” (choose a year) as “the year of the mobile virus”. This is simply false and shows a complete lack of understanding of the technologies involved. Indeed in 2004 one anti-virus solution completely filled the application memory of a phone such that no other application could be installed. Perfect protection then! There has been no mass malware outbreak to-date. The only ‘major’ incident was various variants of ‘commwarrior’ which was an MMS virus which propagated via users’ phonebooks. The anti-virus vendors have now been so discredited in the mobile space that they have used up their opportunities for funding and convincing users that they need to purchase protection. Ironically, the year is upon us where anti-virus would provide real value-add to users.
The perfect storm is approaching. The unification of devices under common platforms such as Google’s Android, easy application and widget development on an insecure platform (the web) and weak application policy mechanisms (such as deferring key decisions on permissions to the user) are all leading users down a dangerous path. There are mitigating factors though. The inherited knowledge from the days of PC viruses has allowed the development of some good security defence technologies and processes. Apple, at one end of the scale has a very rigorous application inspection process, both automatically and manually, whereas Android’s is much more open and therefore open to attack by malware authors. Sideloading of non-digitally signed applications is also generally restricted. In early March 2011, DroidDream was identified in around 50 applications supplied by 3 developers to the Android Market. These applications were originally legitimate but had been cracked and dressed up as Trojan versions of the originals. They were only spotted because someone noticed that the author was different to the original. Immediate action was taken by Google to remove the apps and ban the developers, but the malware is still out in the field at the time of writing – an estimation of between 50,000 and 200,000 downloads for one of the applications is quite a severe incident. Other incidents that have taken place over the past couple of years include suspected phishing applications on Android, attempts at creating mobile botnets in China, malicious multi-part SMS messages which crash phones through to rogue ‘Hello Kitty’ wallpaper applications which suck out user data and upload them to IP addresses in China.
It is clear that hacking against mobile devices is a developing discipline. The fight seems to be being won in the hardware space, but much more work needs to be done to protect users in the application space – and now. And the bottom line for consumers? They just want to be secure, without any hassle.