The anti-virus vendors are referring to this malware as CommWarrior. Two variants have been reported, they are referred to as CommWarrior.A and CommWarrior.B.
The anti-virus vendors are classifying the CommWarrior malware as a worm, as once it is running, it will infect other phones. In order for a device to be infected, the user must first confirm two software install dialogues.
Examination of the CommWarrior worm shows that only Symbian OS phones that use the Series 60 User Interface platform can be infected.
The anti-virus vendors regard CommWarrior as low risk since it apparently carries no dangerous payload i.e. it does no damage to user data or the phone’s functionality.
The anti-virus vendors regard CommWarrior as having little chance of widespread propagation.
A device infected with CommWarrior will infect other devices by sending an installation file over a Bluetooth link or as an MMS. For the target device to be infected it must be a Series 60 device, and either the user must have Bluetooth switched on and discoverable, accept a Bluetooth message and then confirm two software install dialogues, or have MMS set up, install the attachment and confirm software install dialogue.
In other words, the user needs to give permission to install the worm.
To explain infection in detail:
- The malware distributes itself as a SIS file under various names.
- The user’s phone must be a Series 60 phone.
- To be infected by CommWarrior, the user must install the malware on his device.
- When the software install is initiated, two dialog boxes are presented to the user.
- To install the malware the user must then ignore the security warning message and physically click and recognise explicitly that the .sis has come from an unknown source.
- If the user confirms both dialogues with Yes, then the malware is installed and begins to run automatically.
Symbian view on CommWarrior
Symbian takes security issues very seriously and has been working closely with the world’s leading software security and anti-virus vendors to deal with security issues such as these including F-Secure, FB-4, Kaspersky Lab, McAfee, Symantec,Trend Micro and SimWorks.
CommWarrior has been reported as being ‘in the wild’ but its distribution is very limited.
CommWarrior does not exploit any weakness specific to Symbian OS — CommWarrior needs the user’s help to be installed and subsequently disseminated.
CommWarrior can only infect Symbian OS phones that use the Nokia Series 60 User Interface platform.
CommWarrior cannot be installed on FOMA 3G phones or phones that use the UIQ user interface platform such as those from Sony Ericsson, Motorola or BenQ.
Symbian has led an industry-wide initiative to develop the Symbian Signed program under which software applications designed for Symbian OS are signed with a tamper-proof digital certificate that validates the identity of the application’s developer, thus discouraging the installation of unsigned applications. Symbian anticipates that adoption of Symbian Signed will be widespread and will represent a significant barrier to the distribution of malware.
Questions and Answers about CommWarrior and Symbian OS security
Q – Is CommWarrior a virus?
A – No, a true computer virus attaches itself to a host program, CommWarrior does not do this. However, the word virus is commonly used to include worms and trojans as well as true viruses.
Q – Is CommWarrior a worm?
A – CommWarrior is a worm as it does include a propagation mechanism. Strictly speaking, even it isn’t really a worm since it can only infect a target if the recipient actively participates in installing it.
Q – What is the difference between a worm and a virus?
A – A worm contains its own mechanism for spreading itself automatically to new targets without the recipient’s help. A virus attaches itself to a host and is spread along with that host (usually when a document or program is shared).
Q – If I get CommWarrior on my phone, what happens?
A – The battery life will be reduced and the Bluetooth link will be in use at some time. The phone will also send MMS that will be billed by your network operator.
Q – How do I clean CommWarrior from my phone?
A – Obtain disinfection tools from anti-virus vendor companies.
A – Use of the phone is not impaired by CommWarrior, but you should disinfect it to ensure you do not propagate the malware further.
Q – What is the worst thing that could happen to my phone if I activate CommWarrior?
A – CommWarrior would not damage the phone or its software but would drain the battery and make you incur phone bill charges for the MMS it sends.
Q – How is Symbian OS protected from malware?
A – Symbian OS provides a numbers of elements that make it secure. This includes protection from malware through signature checks and virus scanners.
Q – Open standards means open to viruses, aren’t Symbian OS phones susceptible to viruses?
A – An open programming environment can attract both benevolent and (the very small minority of) malicious developers. Symbian OS minimizes the risk of attack by advanced security within the OS itself and the use of application signing schemes (Symbian’s or those of network operators and licensees) and through the use of virus scanners (produced by partners).
Q – What is Symbian doing to prevent viruses or worms in the future?
A – Symbian takes security issues very seriously and believes that mobile security is the responsibility of the entire industry. It requires cooperation and trust – values the Symbian OS open approach encourages. Symbian provides the required infrastructure for security and works with partners, licensees, network operators and standards bodies to further ensure security needs of the market are met. No system for security can be guaranteed 100%. However, Symbian has measures in place to minimize the chance of a widespread attack focused on Symbian OS devices.
Symbian OS provides the following elements in security for protection from malware (viruses, trojans, worms, etc):
- Symbian provides an infrastructure which allows network operators and manufacturers to use application signing (and revocation) for applications which are used on their Symbian devices. This allows the creation of application signing programs which can be used to verify the integrity of applications before allowing their use on the handsets
- Symbian has led an industry-wide initiative to develop the Symbian Signed program under which software applications designed for Symbian OS are signed with a tamper-proof digital certificate that validates the identity of the application’s developer, thus discouraging the installation of unsigned applications. Symbian anticipates that adoption of Symbian Signed will be widespread and will represent a significant barrier to the distribution of malware
- Virus scanners through enabling partners including F-Secure, FB-4, Kaspersky Lab, McAfee, Symantec and Trend Micro.