March 20, 2018

Coming: Mobile Phone Viruses

Clive Thompson at Slate has a scary-sounding new piece about cellphone viruses. As phones get smart – as they start running general-purpose operating systems and having complex software interfaces – they will tend to develop the kinds of software bugs that viruses can exploit. And as phones become more capable, virus-infected phones will be able to do more harm.

What will the viruses do after they break in? Thompson predicts that they’ll make expensive calls to overseas pay-services, running up the victim’s phone bill and transferring money to the pay-service owners, who presumably will be in cahoots with the virus authors. That might happen, but I don’t think it’s the most likely scenario.

The best bet, I think, is that cellphone viruses will look like PC viruses. In the PC world, many viruses are written for kicks, with no specific intent to cause harm (though harm often results when the virus spreads out of control). I would expect to see such mostly-harmless viruses in the cellphone world; and indeed that is what we apparently see with the CommWarrior virus described in the article. Other PC viruses aim to spy on the user, or to install a bot on the computer so that it can be commandeered later to send spam or launch denial of service attacks. All of this is likely in the cellphone world.

Will cellphones be able to resist viruses more effectively than PCs do? Thompson suspects they will:

“Phone executives like to say that it’s easy for them to contain worms because their networks are gated communities. Verizon and Sprint can install antivirus software on their servers to automatically delete infected multimedia messages before they reach their victims.

“The mobile-phone industry could solve the viral problem by developing an open-source, Linux-style cellular operating system. But that’s about as likely as Motorola and Nokia announcing that all your cell phone calls are going to be free.”

I’m not as hopeful. Phone execs like to think of their networks as gated communities; but in the smartphone world all of the action is on the smartphone devices, not in the networks themselves, and the providers have less control over smartphone software than they think. Their communities may be gated, but the gates will have well-known holes (that’s how viruses will get in), and there will be plenty of third-party application software coming in and out. A smart device is only useful if it is configurable, and configurability is the enemy of the sort of regimented configuration control that they are invoking. Third-party services and applications provide tremendous value to users, but as users switch to such services the network providers lose control over users’ data.

The open-source argument is pretty weak too. An open-source operating system may have fewer security flaws (and even that is subject to debate) but the claim that it will have no known flaws, or nearly none, isn’t credible.

The more useful smartphones get, the more they will adopt a software structure like that of PCs, with all of the benefits and problems that come with such a structure – including viruses.


  1. They think they can keep viruses away from your phone because they have a firewall somewhere?

    I wish. Sometimes all it takes is Bluetooth activated, and worms come marching in through the open door. No central server can protect you from your buggy phoneware!

    I hope there will be lots of Linux-phones in the near future, I might buy one of them. Security seems to work much better on open Unices than on closed-source systems, for some reason — maybe the “many eyes see many holes” thing holds here.

  2. “They think they can keep viruses away from your phone because they have a firewall somewhere?”

    If so, they’ve never administered a corporate LAN. The firewall between the LAN and the Internet is only one part of a well-rounded defense. If that’s all you rely on, you get to watch in horror as the LAN melts down after some idiot opens an unsolicited attachment in Outlook Express. Meanwhile one of your competitors pays off a low-level sales drone or whatever to “plug this wee beastie into one of the fat phone jacks labeled ‘data’ that are all over the place”, while a crack team of industrial spies sits in the back of a van in your parking lot with a wifi receiver and a bunch of PCs. Little do you (or the duped employee) know that you’re now on the air, broadcasting commercial-free 24/7. 🙂

  3. The real bad thing is that many more people have mobile phones than computers. Also in a few years there won’t be any more dumb phones, all phones will be able to run some kind of 3rd party software. Phones are more or less always online (vulnerable to attacks) and since mobile phones normally don’t come with a flat rate the user will have to pay for each copy of that virus that spreads through his phone.

    Software/OS fixes for phones are a pain because you normally have to go to a shop and let them do it. Because of this a virus will have a lot of unpatched victims, just like with desktop PCs, just a little worse.

    If something serious is set free many people will become very upset. Imagine a massive phone DDoS against *your phone number of choice here*

    I predict a slammer for one of the major phone OSes.

  4. Open-source is safer not because it has fewer holes, but because only those with the source can fix the holes. So closed source is vulnerable until the OS vendor fixes the hole, but open source is vulnerable until *someone*, *anyone*, fixes the hole.

    ‘All bugs are shallow to many eyes’ has a corollary: ‘All fixes are fast to many coders’.

  5. Open-source is also often safer because it comes from a culture in which security and robustness are somewhat valued, rather than making a ship date or maximizing sales. Of course, there’s plenty of buggy, insecure FOSS code out there as well, but mostly it’s not as popular.

    Re mobile phones and viruses, aren’t the cellular service providers trying to keep handsets from becoming too open and flexible anyway? The more flexible my handset is, the fewer features there are that can only be implemented by the CSP, and therefore the fewer features they can charge for. (Insert standard bit here about centralized vs. edge intelligence in networks, etc.)

  6. Two comments:

    1. The phone companies are more interested in getting that SMS/MMS stuff sent OUT and billed for, than in delaying it and scanning it. Delays mean disk storage which means money, and we know how they feel about spending money.

    2. Don’t forget the trivial “viruses”: panic-causing text-only messages which can disrupt a business every bit as much as the malware (example: what if a message went out, targeted to IBM employees, that claimed the CEO was dead of a heart attack or something).