OpenBTS for mobile malware analysis

by Axelle Apvrille
November 16, 2011 at 9:06 am

 

In the AV industry, one of the golden rules is to make sure that, during analysis, we do not in any way help the malware authors and/or propagate their offspring.

This requires special care in the case of malware for mobile phones because, on the one hand, many of them won’t run if the phone is offline, but on the other hand, if the phone is online, the malware is free to make calls or send SMS messages in the wild without any way to block those actions. So, we thought of building our own local GSM operator, using a USRP coupled with a Linux box running OpenBTS and Asterisk.

[Photo: USRP connected to OpenBTS in our lab]

Actually, this is what I presented at Virus Bulletin Conference [paper] [slides], in Barcelona, a few weeks ago. If you missed it, I also showed a video comparing how much we see when analyzing a Symbian sample of Zitmo on an offline phone and the same sample when the phone is registered to our OpenBTS-based jail. Without OpenBTS, there are quite a few details we could have missed, such as the use of UCS2 encoding for SMS messages…



– the Crypto Girl

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

iPhone Tracking

by Axelle Apvrille
April 21, 2011 at 10:14 am

Some time ago, a security researcher, Alex Levinson, found out that the iPhone was keeping a SQLite database of the iPhone’s location (wifi-based, cell-based or GPS) and some other information.

The file, located in /private/var/root/Library/Caches/locationd/consolidated.db, is easily accessible on jailbroken phones (ssh or any file transfer tool) and readable by any SQLite3 tool.

This issue has recently re-surfaced as two researchers, Pete Warden and Alasdair Allan, wrote a MacOS tool to generate maps from the locations recorded in that database, and are presenting this at Where 2.0 in San Francisco today.

If you don’t have a Mac, then there is an online tool here (in French) or you can use Firefox4 SQLiteManager plugin + Google Fusion to do the trick (which is actually the solution I used for the maps below).

I would also encourage you to read Mikko Hypponen’s post. It offers an interesting explanation as to why Apple designed such a database. In short, Hypponen’s idea is that it reduces the costs of renting an external location database.

The few things I would like to add to the story are:

  • consolidated.db is a ‘standard’ SQLite3 database, so you can query it like any SQLite database; there is no need for sophisticated tools (but they are cool). The data is directly usable:
    sqlite> .dump CellLocation
    PRAGMA foreign_keys=OFF;
    BEGIN TRANSACTION;
    CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER,
    LAC INTEGER, CI INTEGER, Timestamp FLOAT,
    Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT,
    Altitude FLOAT, VerticalAccuracy FLOAT, Speed FLOAT, Course FLOAT,
    Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI));
    INSERT INTO "CellLocation" VALUES(208,10,49802,21036492,314034125.866114,
    43.60604608,7.06016272,1211.0,0.0,-1.0,-1.0,-1.0,70);
    ...
  • The WifiLocation table tries to work out your location from the wifi access points your iPhone sees and whose location Apple knows. If your iPhone sees a wifi access point known to be located by the Eiffel Tower, well, you probably are located close to the Eiffel Tower. This is done without using GPS.
  • The CellLocation table does basically the same, but based on the GSM cells your phone sees.

    Now, in my case, I noticed neither table mentioned I had gone to Poland with the iPhone. Why? Well, obviously, when you restore an old image of your phone, you overwrite the database :) By the way, the iPhone also made a poor estimation of my altitude and thinks I work at sea level (which is not the case).

  • Comparing the cell location with the wifi location (see maps below) may reveal interesting information. First of all, it shows that Apple does successfully associate our workplace wifi with its physical location (I believe the several locations in Sophia Antipolis – where we are located – are just various approximations). It also shows that our lab iPhone (well, the backup I restored) only accessed wifi from our office, that we did a trip to Toulon, but that we did not use wifi there.

    [Map: CellLocation]

    [Map: WifiLocation]

  • From a security point of view, it should be noted [thanks Guillaume for raising the point] that consolidated.db’s integrity is not guaranteed at all. It is easy to modify it to say I was in Greenland last month. Or I could hack into someone else’s iPhone and alter it so as to show that this person was at a crime scene when the crime happened. Thus, this should be handled carefully by forensics experts.
  • The ‘untrackerd’ application cleans the database regularly.
  • Finally, you might have noted the iPhone stores the MCC (Mobile Country Code) and MNC (Mobile Network Code) of the SIM. Interestingly, it did notice that I sometimes use a fake SIM (208/30). This is when I use a local OpenBTS replication jail I will talk about at VB 2011 – patience :) In that case, it is unable to locate my position as it is not aware of this fake operator (which is only valid within the walls of our lab) :)
    INSERT INTO "CellLocation" VALUES(208,30,1000,10,314034365.532726,
    0.0,0.0,-1.0,0.0,-1.0,-1.0,-1.0,0);
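As an added example (not the post’s own code), the Python script below loads the two CellLocation rows quoted above into an in-memory SQLite database, converts the Timestamp column to UTC (assuming, since the post does not say, that it is Mac absolute time: seconds since 2001-01-01 UTC), flags the sighting from the lab’s private 208/30 network as unlocated, and computes a digest of the table so that an examiner can record the database’s state at acquisition and detect the kind of after-the-fact edit discussed above.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

# Schema and both rows are copied from the .dump quoted in the post.
SCHEMA = """CREATE TABLE CellLocation (MCC INTEGER, MNC INTEGER,
LAC INTEGER, CI INTEGER, Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT,
HorizontalAccuracy FLOAT, Altitude FLOAT, VerticalAccuracy FLOAT,
Speed FLOAT, Course FLOAT, Confidence INTEGER, PRIMARY KEY (MCC, MNC, LAC, CI))"""
ROWS = [
    (208, 10, 49802, 21036492, 314034125.866114, 43.60604608, 7.06016272,
     1211.0, 0.0, -1.0, -1.0, -1.0, 70),        # real operator 208/10, located
    (208, 30, 1000, 10, 314034365.532726, 0.0, 0.0, -1.0, 0.0, -1.0, -1.0,
     -1.0, 0),                                  # lab OpenBTS network 208/30
]
# Assumption (not stated in the post): Timestamp is Mac absolute time,
# i.e. seconds since 2001-01-01 00:00:00 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def load_sample_db():
    """Build an in-memory copy of the CellLocation table from the quoted rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO CellLocation VALUES (" + ",".join("?" * 13) + ")", ROWS)
    return db

def cell_fixes(db):
    """List each cell sighting with a UTC time and a located flag; lat/lon 0.0
    with Confidence 0 is what the post shows for a network Apple cannot place."""
    rows = db.execute("SELECT MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude, "
                      "Confidence FROM CellLocation ORDER BY Timestamp")
    fixes = []
    for mcc, mnc, lac, ci, ts, lat, lon, conf in rows:
        when = MAC_EPOCH + timedelta(seconds=ts)
        fixes.append({"plmn": f"{mcc}/{mnc}", "lac": lac, "ci": ci,
                      "time": when.strftime("%Y-%m-%d %H:%M:%S UTC"),
                      "lat": lat, "lon": lon,
                      "located": not (lat == 0.0 and lon == 0.0 and conf == 0)})
    return fixes

def table_digest(db):
    """SHA-256 over the rows in primary-key order; recorded at acquisition, it
    exposes any later edit to the table (the integrity issue the post raises)."""
    h = hashlib.sha256()
    for row in db.execute("SELECT * FROM CellLocation ORDER BY MCC, MNC, LAC, CI"):
        h.update(repr(row).encode())
    return h.hexdigest()
```

Running `cell_fixes(load_sample_db())` lists the located 208/10 sighting first and the unlocated 208/30 one second.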


Hacking Mobile Phone Statistics

by Axelle Apvrille
March 1, 2011 at 8:23 am

Is Symbian still the leader for smartphone operating systems or not? How far have Android and iPhones penetrated the market? Who’s the leader for smartphone OS: Symbian? BlackBerry? Android? iPhone?
A quick search on the Internet gives quite contradictory results, and I decided to find out why.

There is no official definition of what a smartphone is compared to a feature phone. Steve Litchfield already pointed this out in an interesting article, listing several definitions:

  • a phone that can be extended with hundreds of add-on applications
  • a phone with a proper OS
  • a phone with more advanced abilities than a feature phone
  • a phone with a keyboard
  • a phone with a big touchscreen
  • a phone that is always connected
  • etc…

By the way, note that all those definitions are vague: what is a ‘proper’ OS? What size must the touchscreen be? etc.

Companies running statistics often use their own definitions. For example, AdMob “considers a smartphone to run an identifiable Operating System, a feature phone to be mobile phone that does not fit into the smartphone category, and a mobile Internet device to be a handheld device that connects to the mobile Internet but is not a phone”. Nielsen Wire seems to have several definitions: “cellphones with app-based, web-enabled operating systems”, “run full operating systems” or “allow users to access the web and email as well as run thousands of apps and share text and picture messages”. I wish I could find a clear list of smartphones vs feature phones.

The geographic distribution of smartphone OSes is uneven, so what makes an accurate headline in one country may be absolutely wrong in another. For example, Symbian accounts for only 2% of smartphones in the US in Q2 2010 (source: Nielsen Wire), but 52% of subscribers in Germany in July 2010 (source: ComScore).
In addition, geography is full of surprises: in November 2010, GfK’s reports led to headlines such as ‘Android overtakes Symbian in Asia’, but a close look at the report shows this so-called Asia includes neither China, nor India, nor Japan?!

Studies take their figures from different sources: market sales, mobile subscriptions, mail / email surveys, website hits, ads etc. Actually, all those sources make sense, but caution is required because they taint results. For example, AdMob measures the number of ads mobile phones request and/or click on. Fine, why not. But I have seen several iPhone applications with the AdMob footer banner, and far fewer on Symbian. So, if this holds in general, there will obviously be more hits for iPhones than for Symbian on AdMob servers. Another example: market sales are a good indication of the favorite OS, but how does this relate to the mobile phones people actually own? Nielsen Wire statistics show Android ranks first for US Q3 2010 sales (32%) but only third (19%) for owners during the same period. But are sales to retailers taken into account? Do old-timers use their phones as much as new buyers, or is their phone stored in a cupboard? Are new phones all immediately activated?

Reality is always complicated.

– the Crypto Girl


Security Landscape: Do-it-yourself crimeware botnet kits

by Rick Popko
October 14, 2010 at 10:16 am

On this episode of Network World’s Security Landscape, Derek Manky from Fortinet and Keith Shaw discuss the latest security threats seen worldwide. This includes the rise of do-it-yourself crimeware botnet kits, as well as the possibility of another iPhone jailbreak vulnerability on Oct. 10, 2010.

Author bio: Rick Popko is a PR Manager at Fortinet, where he specializes in media relations. Prior to his career in public relations, Rick was a journalist at a number of Bay Area tech pubs including CNET, Maximum PC, DV, Streaming Media and Multimedia World.

You can’t judge a book by its cover

by Axelle Apvrille
September 7, 2010 at 8:49 am

Last week, a lady from the sales department dropped in to see me for some help with her iPhone. She was worried because she had “suddenly” lost all of her contacts, music and emails. She had turned to a neighbor of hers, an “expert” who had told her she had “a Trojan on her iPhone”.

Wow. A Trojan on an iPhone: that was definitely very interesting, as I know of none yet. I know of a worm (Eeki), a couple of spyware programs (Trapsms, MobileSpy) and other questionable software, but no real Trojan.

But, I’m sure you’ve guessed I am being slightly sarcastic and, of course, there was no Trojan at all on her iPhone (which is, altogether, good news anyway). Indeed, it turned out that she had had problems syncing with two different computers and had accidentally erased all her data. Now, I do sympathize because, personally, I have so many difficulties understanding how to use iTunes myself…

Conversely, I recall that a while ago I scanned my dad’s USB key, although he told me it was certainly virus free because he was “very cautious”. That time, I was right to be suspicious: I had hardly started scanning it when the AV software started blinking in excitement, having found three different samples…

My point here is that end users obviously have difficulties identifying whether they are infected or not: the lady told me her iPhone was infected though it was not, and my dad told me he wasn’t although he was…

If you are in the same case, I would like to help you out with a very simple statement:

if you notice any damage (hardware or software) to your phone (or computer), it is unlikely to be infected

(but of course, there might be a hardware or a software failure – which is different).

On the other hand, if you start noticing problems on your bank account, then, be alarmed

(check with your kids or spouse first ;)).

Of course, this is not a 100% guarantee; a few mobile malware families do actually cause malfunctions, but it’s a general idea to keep in mind: nowadays, malware authors try to make money (or silently grab private data they re-use later), not to misconfigure your phone. Why would they? This would only cause you to notice it’s infected and possibly perform a hardware reset, thereby depriving the malware authors or cybercriminals of a source of revenue.

The graph below shows the number of mobile malware families per threat category. Note there hasn’t been any new annoyware (i.e. malware whose main goal is to annoy/cause malfunction) created since 2008. New mobile malware tries to make money, or targets your privacy, much like desktop computer malware.

[Graph: Mobile malware evolution per main threat category]

– the Crypto Girl
