Anyone in information security will tell you that no operating system is completely invulnerable from security attacks and viruses, only that some operating systems are more secure than others. For the last 5 years, applications running off of the J2ME on mobile devices have done so without any problems until now.
First introduced to the Java community by Sun Microsystems in June 1999, the Java 2 Micro Edition (J2ME) was part of a broad initiative to better meet the diverse needs of Java developers. Designed for machines with limited hardware resources such as PDA’s (Personal Data Assistants) and cell phones, it can run on machines with as little as 128KB of RAM and with processors a lot less powerful than those used on typical desktop and server machines. At its core are a set of profiles which are defined for particular devices: cell phones, PDAs, microwave ovens, etc. Each profile consists of a minimum set of class libraries which are required for the particular type of device and a specification of a Java virtual machine required to support the device.
Today, with the emergence of more J2ME compatible handsets and combined PDA/phone devices, the importance of strong security becomes much greater. The possibility of spreading Trojans to millions of mobile devices is becoming more of a reality as mobile devices are becoming less 'dumb'. New 'smart' devices are potentially more vulnerable than current 'dumb' GSM handsets because as they are programmable devices. Therefore, these devices will be as vulnerable to Trojans as any PC but with the added complexity of patching. As security holes are discovered, there’s no telling how long it will take before they are resolved, all while hackers potentially subvert or render large numbers of handsets useless. Because many next generation mobile phones are constantly connected to the network a mobile worm could spread very quickly and cause considerable network traffic or disruption.
Handset manufacturers are aware of these risks and are deeply concerned about Trojans becoming resident on mobile devices with the move towards powerful operating systems. The billions of users today of smart mobile devices will be the perfect target malicious virus & worm writers. Programs making prank calls, erasing mobile data, or even interfering with m-commerce payments could be only a small sample of what’s to come.
On February 27th, the first virus to attack mobile phones running J2ME was discovered in Russia. Named 'Redbrowser.A', the J2ME-based Java Midlet pretends to be a WAP (Wireless Application Protocol) browser that offers free WAP browsing. However, once a phone is infected, the Trojan sends SMS's (Short Message Service), also known as text messages to premium rate numbers, at a cost of roughly $5 to $6 a message, overwhelming the victim with exorbitant messaging charges.
Redbrowser fools its victims into giving the Trojan permission to use Java SMS capabilities in the phone that normally require permission before sending SMS messages by offering to send SMS messages for free. The message sending function in the Trojan is essentially an infinite loop for sending SMS's, so unless the Trojan is disabled, it will send an infinite number of SMS messages, which each message being charged to the victim's account at a premium rate of $5 to $6. Reports from Antivirus specialists at F-Secure, a Finnish anti-virus vendor indicate that the Redbrowser.A Trojan can be downloaded to the victims handset through the Internet from a WAP site, through a Bluetooth enabled connection to another mobile device or a through a personal computer.
As bad as this sounds, most of us do not need to worry about this Trojan since the threat is still very limited since it does not spread by itself. But the next time a Trojan attacks J2ME enabled mobile devices, we may not be so lucky. This incident is a clear indicator of what new threats to information security will emerge in the not too distant future. Who ever thought we would need anti-virus software for our mobile phones...
