<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="http://blogs.forum.nokia.com/styles/rss.css" type="text/css"?>
<rss version="2.0">
 <channel>
  <title>Lucian Tomuta's Forum Nokia Blog - Can you write an antivirus?</title>
  <description>Forum Nokia Blogs</description>
  <link>http://blogs.forum.nokia.com/summary.php</link>
  <generator>LifeType 1.2</generator>
        <item>
    <title>That&#039;s pointless</title>
    <description>&lt;p&gt;Looks, I can post comments, because captcha is always wrong.&lt;/p&gt;
&lt;p&gt;Interesting, what do you want to hear? A magic wand doesn&#039;t exist. The mobile malware problem is not different from PC security problems, and even for PCs there is no &quot;simple&quot; solution. Nokia already made a &quot;curse of silence&quot; protection tool. Is Nokia going to provide a separate tool for every malware application? If not, then you should write an antivirus with a db as tote_b5 says, if you really need a solution. And keep it up to date. That&#039;s simple.&lt;/p&gt;
&lt;p&gt; Everything can be cracked and bypassed if the attacker sees a big piece of cheese at the end of that maze. Actually, I once dealt with guys who asked me to make a trojan like that (of course, I rejected their proposal) - in the end, after all the tricks, all they really needed was to send SMS and make calls to a predefined set of numbers. That&#039;s the only way to gain profit. Nobody wants just to harm your device. And I&#039;m sure that malware connects to an internet host just to update a list of those &#039;paid&#039; SMS and phone numbers. The attacker isn&#039;t interested in anything else: not your logs, not your photos, not a CPU for DDoS. At least for now. I&#039;m sure the only rational way to stop malware on mobile phones is to protect not the phones themselves, but the paid services which they provide. I wonder how easily you can lose your money - just send an SMS and the network provider is happy to decrease your account. No confirmations, no captcha, no security locks. That&#039;s freedom to be looted. I have to enter a captcha even to post this free comment, but you never find any protection on short paid SMS numbers. My opinion is that network providers have to increase the security of those services, because they make me a desired target of attackers even if I don&#039;t know about those services, never use them and don&#039;t give them any agreement to provide those services for me. But I wonder if network providers will do any confirmation captcha mechanism without judgement. And I&#039;m sure that the malware problem will never be solved because nobody is really interested in that - in the end the end user will pay for all, to hackers for unconcern or to security companies for protection, or to both. And even device manufacturers aren&#039;t really interested in the security of their devices - they don&#039;t even want to prevent their theft.&lt;/p&gt;
</description>
    <link>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24851</link>
    <guid>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24851</guid>
    <author>truf</author>
    <source url="http://blogs.forum.nokia.com/rss.php?blogId=300033&amp;profile=rss20">Lucian Tomuta&#039;s Forum Nokia Blog</source>
   </item>
        <item>
    <title>I&#039;m happy with Mark&#039;s solution ...</title>
    <description>&lt;p&gt;... but I&#039;ve thrown in the remarks about public APIs and capabilities only to make the problem appear more complex :) Any &quot;creative&quot; solution in that context could have been fun to read, as fun as some of the comments one can read in some of the blogs that cover the subject.&lt;/p&gt;
&lt;p&gt;As for real and complete solutions, whatever the APIs and capabilities they need, I leave that in the hands of the security companies, it&#039;s their business to make them work.&lt;/p&gt;
</description>
    <link>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24817</link>
    <guid>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24817</guid>
    <author>ltomuta</author>
    <source url="http://blogs.forum.nokia.com/rss.php?blogId=300033&amp;profile=rss20">Lucian Tomuta&#039;s Forum Nokia Blog</source>
   </item>
        <item>
    <title>The requirements are so vague</title>
    <description>&lt;p&gt;Lucian,&lt;/p&gt;
&lt;p&gt;Are you interested in such a solution that is similar to what existing antivirus solutions do? I.e. keep track of a central database with some metadata (e.g. UID, vendor name, etc.) for each virus and whenever a new application is being installed we query that database to see if we should worry. Because during *installation* we can&#039;t really do much more. Even more, as long as a virus is not in the database *yet* we will not recognize it as an undesirable component for the system.&lt;/p&gt;
&lt;p&gt;Or perhaps it&#039;s not only *installation* that you think of, but tracking what 3rd-party applications do during their lifetime? When they do something that matches a &quot;suspicious&quot; pattern (such as getting data from Contacts and sending SMS to all/sending all data to a remote server, etc.) we ask the user for confirmation if she is really aware that one of the 3rd-party applications she installed is doing something suspicious and if it&#039;s really allowed. Getting an affirmative answer would indicate that we should no longer worry about that application in the future - OTOH a &quot;Yeah, it&#039;s really strange&quot; answer could trigger us to remove that component right away before doing too much damage. And we could report that to our central database, too (wherever it would be). That is, it would be a self-learning &quot;firewall&quot; in the sense that it&#039;d actively monitor the device.&lt;/p&gt;
&lt;p&gt;Briefly: more info needed. :)&lt;/p&gt;
</description>
    <link>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24816</link>
    <guid>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24816</guid>
    <author>tote_b5</author>
    <source url="http://blogs.forum.nokia.com/rss.php?blogId=300033&amp;profile=rss20">Lucian Tomuta&#039;s Forum Nokia Blog</source>
   </item>
        <item>
    <title>Sorry!</title>
    <description>&lt;p&gt;Without the SID, or some pretty powerful capabilities I don&#039;t think there are many interesting alternatives.  It&#039;d still be good to know if others have some more &quot;creative&quot; solutions though.&lt;/p&gt;
</description>
    <link>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24815</link>
    <guid>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24815</guid>
    <author>Sorcery-ltd</author>
    <source url="http://blogs.forum.nokia.com/rss.php?blogId=300033&amp;profile=rss20">Lucian Tomuta&#039;s Forum Nokia Blog</source>
   </item>
        <item>
    <title>Oh Mark ...</title>
    <description>&lt;p&gt;... I was hoping for some more &quot;creative&quot; solutions first :) Obviously your solution is *the* trivial solution and it is also effective against this particular threat since I don&#039;t expect a new signed release of it soon.&lt;/p&gt;
</description>
    <link>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24814</link>
    <guid>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24814</guid>
    <author>ltomuta</author>
    <source url="http://blogs.forum.nokia.com/rss.php?blogId=300033&amp;profile=rss20">Lucian Tomuta&#039;s Forum Nokia Blog</source>
   </item>
        <item>
    <title>The trivial solution</title>
    <description>&lt;p&gt;1) Take any example application from the Forum Nokia that requires no capabilities (to get least capabilities requirement)&lt;br /&gt;
2) Change the name of the executable written to the device (only need change in the package file) to EConServer.exe&lt;br /&gt;
3) Build the project, self-sign and install the SIS file&lt;/p&gt;
&lt;p&gt;Installer will now not allow this virus to install because of name conflict in \sys\bin.&lt;/p&gt;
&lt;p&gt;That should do the trick.  Not really an &quot;anti-virus&quot; though and very easy for the attackers to work around.&lt;/p&gt;
&lt;p&gt;Mark&lt;/p&gt;
</description>
    <link>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24813</link>
    <guid>http://blogs.forum.nokia.com/blog/lucian-tomutas-forum-nokia-blog/2009/02/21/can-you-write-an-antivirus#comment24813</guid>
    <author>Sorcery-ltd</author>
    <source url="http://blogs.forum.nokia.com/rss.php?blogId=300033&amp;profile=rss20">Lucian Tomuta&#039;s Forum Nokia Blog</source>
   </item>
   </channel>
</rss>
