
Mikko Hypponen: Average Smartphone User or Black Swan?

So CA is accusing F-Secure of FUD around the mobile threat. Not hugely interesting (amusing, yes, but interesting? No - glass houses.)

However, one extremely interesting data point in F-Secure's self-defense post is that Mikko Hypponen from F-Secure has been hit by mobile phone viruses FOUR times:

Is the threat real? Yes it is. I know, because I've been hit four times myself. Of course I'm running our antivirus on my phone, so I haven't actually been infected. But a Bluetooth virus has tried infecting my phone four times so far. Twice in Helsinki, once in Stockholm and once in London.

Personal anecdotes are always interesting when used as proof points. My own anecdote is that Mikko is the first person I've ever heard of who has been attacked by a bluetooth virus. And he's been attacked four times.

Has anyone else out there ever been hit by one, or have a friend who was infected? Is this a European problem? (It definitely would explain my lack of first-hand knowledge.) What kind of false positive rate does the detection software have?


Comments

i seem to recall a video with mikko saying that smart phones were more popular in europe than in north america... more susceptible devices generally means the population is better able to sustain infectious malware...

also, it should be noted that the anecdote is just the proof he provides in that one particular article...

@Kurt -

Yes, I heard that, too. I wonder if that popularity is enough to correlate to Mikko to determine whether 4 attacks is typical or an extreme outlier.

I am sure there are enough folks who want to own Mikko's ass badly enough to hit him like that ...

@pete -

i don't know enough about mobile malware to say if mikko is an outlier or not... however, in the email malware domain the encounters (not necessarily incidents per se) per person has a rather high variance... i don't think it's unreasonable to imagine that the same could be true of mobile malware...

there are a lot of factors that can affect it and for bluetooth malware especially geographical population density of susceptible devices is a big one - as is sociability of the phone owner (cell phone or no, if you never leave your house you're much less likely to come into range of an infected phone)... f-secure operates in helsinki, a fairly high tech center that is also home to (one of?) nokia's headquarters... interpret that as you will..

I've got no malware encounters, yet, but have been running an experiment at home logging all discoverable bluetooth devices that go by. There's quite a lot, though it's mostly the same devices, day in day out. Even without an attack, you can do some good traffic analysis, and I should be able to give a breakdown of phone vendor during the analysis.

Maybe Finland has enough of a critical mass of devices that the viruses/worms can actually spread, so infecting even more of the devices. They need to be physically close to spread, so normal network epidemiology won't apply. It's more like classic medical diseases, where you need enough of a susceptible population in range...

A colleague of mine asked me to help her son get Cabir/Carib off his phone. This was in the UK, so this shows that Mikko isn't the only one who gets them.

i've seen bluetooth/mms virus live and spreading at my job. But we got it disinfected.

And how did we notice it? Well, it tried to spread to my workmate's phone!

Hi!
I live in Finland and my phone has been attacked over 20 times. I'm attacked once a week basically. Once my co-worker's phone started to send me messages and I found that he caught Commwarrior.B. So I told him to disable BT and install mobile av solution. =)

girlfriend's relative got a message he accepted, after that his co-workers began getting obscene mms messages. i haven't yet investigated the phone.

Google is also a good source for spotting what has happened. E.g very specific search, by looking for: "cabir mobile virus california" (without quotes) gets you news about things happening in USA. Naturally this is very specific search only limited to Cabir.

a friend of mine was hit by Commwarrior at the Düsseldorf airport.
We disinfected the phone using the disinfection tool provided by f-secure and disabled his bluetooth.

So, even if it's not "wide spread", or let's say, even if there are only a few infections out there (compared to PCs), it's a real problem

Mountain View in-n-out, .sis file, sent to my laptop. Not sure what it was, but it contained a bunch of application names I assume it would try to pose as ("new anti-virus update", "free ringtones", etc)

Hi. I'm here just to tell you that I've offered bluetooth viruses in virtually every single country I've been working, and dozens of times this year only. In some cases I really need to switch bluetooth off just to be able to work with my phone. I understand the point of your blog entry, but it seems like you really didn't understand what Mikko tried to say. Don't be a smart ass.

I have received Commwarrior while walking around in a shopping mall here in the Philippines. In the course of less than 2 hours, I got hit twice. I was enabling my phone's bluetooth as an experiment to see how prevalent this malware is as we have received several reports (I used to work in an AV company). This was around a year ago.

Why does Mikko travel a lot with his phone's bluetooth ON? Because he needs to collect any bluetooth connections in any cases around the world to find any viruses or something else. A typical user won't be hit by a virus, because he/she doesn't even know how to turn bluetooth on (it is not on by default). They use cables and so on. IT'S HYPE, thanks to Mikko in their blog.

Me and my father were attacked by a BT-virus trying to send a .sis-file claiming to be from a "Beatiful woman", only way to stop it was to turn off BT.

If Mikko wants to discuss things, he'll set up his own feedback channel (Right, Mikko? You read these too. ;) I don't want to bother you by email, but it would be nice to toss a comment in that direction as well.

Go download Blooover or any Bluetooth listening software and watch the number of open Bluetooth connections out there. I picked up 74 open connections at Interop in Vegas during one session. Bluetooth and text messaging viruses are a real threat, particularly in Europe and Asia. If you think Mikko's full of hot air, then you're in for a bit of a surprise when you get p0wned by one of these viruses. Enjoy the Skulls virus. It's a nice one.

As somebody who works on a mobile tech helpdesk all day long in the UK I know they are out there. Most people assume that a bluetooth file transfer from a mate is just another porn clip or a free ringtone and only after the phone crashing, battery life being cut down or everyone in the office noticing do they realise they might be infected (and most times I still have to tell them that they have been infected and that it was their fault)

Disclaimer: I work at F-Secure.

Now that the disclaimer is out of the way I should note that I did not get attacked by a mobile virus. However, while using a programme that listens to open Bluetooth phones, my phone was able to "see" more than 600 phones with Bluetooth enabled until I stopped the experiment 30 days later.

Now, I did not get infected by any BT virus, but it is easy to see how an infected phone can easily reach a very large number of phones with BT enabled.

I've not been hit personally, due to having a cellphone rather than a smartphone. I have however helped someone at Sussex University (in England) with removing a variant of Cabir from their phone. They must have got it from somewhere, which means at least one other person has it. Unless that other person was the original source (unlikely, this was a while after the discovery of Cabir), they must have got it from somewhere, which means at least one other person has it. You can continue this line of reasoning all the way back to the original source.

I have been attacked by Cabir once in Asia. Some of my friends were infected too. I think it's a real threat.....

I've been analyzing mobile malware for a while now. Although mobile malwares cannot propagate without social engineering stuff, it can irritate the hosts mobile user making him/her accept the malware file sent (if it is within range of the infected bluetooth device) and with the help of curiosity, they might even install it in their mobile phones. After this the infection grows.....

I've been in a lot of places and I've encountered several attacks, in Europe and in Asia mostly with Commwarrior, and Cabir. Mobile malwares/viruses is a real threat!!!

You should be careful of these malwares especially those with payloads that might destroy the operating system of your mobile machine.

i always get cabir and comwar when i was still in manila. it's a good thing i have one antivirus for mobile installed. i still have a copy of these two malwares in my phone though, if you want i can give you a copy...
cheers

When you go to a mall or in any crowded place in Manila, Philippines with your bluetooth enabled cellphone, you will get a lot of file transfer requests. All of these file transfers have a [dot]SIS extension name. That's why I never turned on the bluetooth on my cellphone when I'm not using it.
