
Thread: semi trojans for cellphones?

  1. #1

    semi trojans for cellphones?

    Hi geeks,
    Did anyone here hear of a trojan for the cell phone?
    But it's without sending a server as for normal trojans.
    I just heard that a friend of mine has got a proggie for cellphones (like Nokia 6600) so he can gain access to a close mobile,
    navigate his files, delete or add whatever he wants.
    My friend said it's true and in a couple of days he will show me the program.
    Has anybody heard of it?
    If you have links that cover the topic, post them.
    Thanks in advance.

  2. #2

  3. #3
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    Could probably be done using Java-enabled phones (I've got a telnet program on my phone!). I reckon Bluetooth is the best bet to infect, although I'm not sure whether java scripts on mobiles can be set to listen or always run. I'm not sure whether the user has to activate them automatically.

    I said Bluetooth because of its obvious security failings, but I'm sure something could be using the standard GSM methods, although it's gonna cost both parties money. People with malicious intent probably won't care about the victim losing money.

    i2c

  4. #4
    Junior Member
    Join Date
    Jul 2003
    Posts
    5
    Originally posted here by i2c
    Could probably be done using java enabled phones
    Would a Java program on a mobile have permission to access files like that?
    Do mobiles run stand-alone Java applications or just applets?

    I am only asking because I know Java was designed with security in mind.

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    There have been a couple of threads on the security weaknesses of Bluetooth, and I would imagine that it would be possible to make a trojan-like program that could be installed on a Bluetooth-enabled fone. That could then activate Bluetooth on the target fone and talk back to a client.

    Mobiles continuously talk back to their networks when switched on; part of this process must be some sort of identification process. Mobile fone ID, number, location, etc. So with the right sort of equipment it is possible to intercept a mobile fone's output, listen to conversations etc. Capture GPRS packets. Maybe even spoof incoming calls, but as to how a trojan could be used I have no idea.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    mattyflynn, you're right. They use applets, so probably be very difficult to access any vital files. I think most use applets. There's something called midlets (spelling?) on mine. Haven't done any research into them.

    i2c

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    There have been many discussions on cell phones and possible attacks here on AO. Let me see if I can shed some light and sort of present the current state of cell phone affairs.

    Cell phones use Java to enable a user to send requests back to the gateway. They are a very scaled-down version compared to a PC. In fact, one can develop their own application using platforms such as those offered by Nextel Communications. Your phone could even, get this, have a public IP address. Sure, Nextel isn't the typical configuration, but this is about capabilities. In the normal usage configuration the Java applet does not run in the background; you have to call it up or use the application.

    Getting to a Java application through the cellular network is like getting through to a client machine on a network enforced with firewalls, IDS, honey pots and scrubbers that delete unauthorized accounts when found. Then the basic network used for the client to talk is encrypted, so in the analogy you would also have to break the strong SSH-like encryption.

    So, as with past discussions, it would be easier to access a cell phone outside the main network, such as Bluetooth (as mentioned) or IrDA etc. I have even mentioned the concept of a fake site used to trick a phone into giving out keys etc. But this is very limited and serves no useful purpose outside of pure fun or curiosity to prove a concept. To make it a zombie or something useful to a black hat would again require defeating the main cell net going back out.

    It's no secret that programs are available to read cell phone data right out of the phone into PC-based software. It is in fact a large trade industry. The cell phone is a basic database that stores information such as my girlfriend's phone number and picture. I do have a PIN number to Ticketmaster, but without my IMEI and GSM codes that authenticate them at the gateway (SIM code) you won't get far. You can load these readers anywhere: a Palm, a laptop, any Bluetooth-enabled device capable of storing information, etc. They aren't limited to any manufacturer and they come in handy when wanting to add large amounts of data to the phone. In all cases I know of, the transmission medium, Bluetooth or IrDA, has to be enabled on the phone. These things suck massive power and are turned off automatically when not in use. Just like a laptop. Some laps can even auto-activate when near a device!

    That is sort of the current state. Most definitions you find on GSM are outdated because companies have bastardized the standard and make proprietary modifications to its makeup, especially Nextel. As new technologies are developed, such as 3G etc., and phones are given Wi-Fi capabilities, then the danger of infections becomes more real. To this date, every massive cell phone hysteria I have followed up on has been a hoax. Someone is more likely to get a number off your (insert technology here) enabled laptop or PC than a cell phone. About 99.9999 times more likely.

    There are gateway services that communicate through the cell phone to add dates or reminders etc. But these are gateways that operate inside the cellular network with an interface a human can access outside. In this case, breaking the gateway is necessary. You could mine the user's password or obtain some exploit to enable access through the web service, but you aren't breaking the phone or accessing areas that can run applications. It would be like breaking someone's Hotmail account. Big woop. Even if you do figure out that process, the app will be blocked as an unauthorized agent through several layers of security.

    Hope this helps a little. It's very simplified in its explanation of technology, so don't point out the inconsistency with me too much. And again, this doesn't account for new technologies that we may see in 10 years. Changing infrastructure is expensive and slow.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
