“Curse of Silence” attack on Nokia phones hints at more serious mobile malware

A mobile malware attack dubbed the “Curse of Silence” affecting certain Nokia phones could be the harbinger of more serious security threats to smartphones in the near future, according to a security researcher.

The attack, also known as “CurseSMS,” was uncovered by security researcher Tobias Engel of the Chaos Computer Club. It is a malicious SMS message that, when received, causes Nokia S60 phones running on Symbian to stop receiving text messages.

Nokia’s N series up to the N95 model and E series up to the E90 are affected. A full list of affected phones is posted on security vendor Fortinet Inc.’s Web site. The Sunnyvale, Calif.-based company has released a clean-up tool to fix the problem.

It’s the latest piece of malware to hit mobile phones via an SMS message, or text message, which is an increasingly popular avenue of attack for hackers. All signs point to a growing security risk for smartphone owners in the near future, says Derek Manky, project manager of cyber security and threat research at Fortinet.

“We’re going to see more of this occur and I see this becoming an even greater issue in 2010,” he says. “This is precisely what we saw with the PC before we entered this cybercrime era.”

Nokia received notice of the vulnerability and, after testing, acknowledges that it “may be valid for some of the S60 on Symbian OS products,” according to a statement. The Finnish phone manufacturer says it is committed to security.

Victims of the attack can regain text messaging on their phones with the FortiCleanUp tool, which can be downloaded for free and cleans up the malware. The tool can also be used to clean up a variety of other malware targeting mobile phones.

“We have seen more Symbian OS mobile attacks since last year,” Manky says. “This is a denial of service attack, so it is escalating a little bit more from that nuisance level.”

Viruses and malware threats aren’t commonplace on mobile phones just yet. Many of the existing threats are designed to act as a nuisance to the victim and don’t serve any real purpose. It’s similar to the early 1990s, when hackers plagued desktop PC users for fun and bragging rights. But now hacking is a lucrative underground economy where cyber-criminals try to skim financial information from PCs in order to commit fraud.

Now security analysts fear that hackers are travelling down that same path with mobile phones.

“As smartphones become more popular, the likelihood that these devices are going to house potentially sensitive information goes up and the risk potential goes,” says James Quin, senior research analyst with London, Ont.-based Info-Tech Research Group. “But until smartphones are somewhat ubiquitous and there’s some standardization on the platforms, I can’t see mobile malware being a threat.”

One challenge hackers face in hitting smartphone users is the number of different operating systems (OS) being used. Unlike the desktop PC world, which is dominated by Windows, the smartphone market is split among several competing operating systems, including the BlackBerry OS, Apple’s iPhone OS, Windows Mobile, Palm’s OS, and Symbian.

That’s kept the attacks on mobile phones to a minimum, Quin says, and the attacks that do occur tend to be little more than a nuisance to the victim. Still, he has started recommending his clients take more precautions in protecting against the attacks.

“If organizations have a large number of smartphones deployed around their business, and you have the licences, then you should probably be using it,” the analyst advises.

Many security vendors now include a mobile security application licence in their product suites sold at the enterprise level. But Quin doesn’t advise rushing out to buy extra licences if you don’t have them – the threat isn’t great enough to justify the expense at this point.

But as more handsets become Wi-Fi enabled, the exposure to potential attacks will also increase, he adds.

Fortinet does offer a product that provides real-time protection against malware on Symbian OS and Windows Mobile phones. It is sold in an endpoint security package.

For users without an anti-malware client on their handsets, Nokia has some words of advice to keep your phone clean.

“Consumers can help protect their mobile device against harmful applications by being careful about accepting applications sent via Bluetooth or when they open SMS or MMS attachments,” the company says in a statement.

Hopefully that will keep your text messages flowing.
