Technological convergence came full circle with the release of the iPhone, Apple's newest wonder gadget. Arguably the most anticipated product so far for 2007, the iPhone is a multimedia & Internet-enabled mobile phone that brings Apple into the mobile telecommunications market. While Apple plans to corner a 1% share in the global mobile phone market (roughly 10 million units) in its first year of availability, several analyses have set even greater expectations given the iPod's amazing success.
With all the hype surrounding the iPhone, security researchers are waiting to determine whether it is secure enough to do more than just communicate & entertain. The platforms on which these mobile phones are running (such as Linux, Symbian, Palm & Windows Mobile) provide software development kits (SDKs) to 3rd-party vendors so that they may create compatible applications. Hackers have easy access to these platform blueprints, enabling them to find vulnerabilities in the system to inject malware. Some malware creators leveraged the hype early without even creating malware for the device itself. On June 30, 2007, researchers reported the discovery of a pop-up ad that disguises itself as a venue that sells the iPhone.
Triggered when visiting Google.com.my or Yahoo.com.my, the Trojan generated a pop-up ad that referred interested iPhone buyers to a phony Web site. However, the malware authors took the money from confirmed purchases & the buyers received nothing in return. A few months later, SDA Asia reported an e-mail spam version of this malware. The malware tried to improve its chances of successful installation by exploiting over 10 ActiveX vulnerabilities to install its malicious payload. Other features include use of XOR encryption & multiple fake Web sites to thwart detection. Apple developed the iPhone without releasing a software development kit (SDK), meaning developers & hackers alike will not find it easy to develop applications or malware for the iPhone.
However, days after its launch, Errata Security reported that one of the applications in the iPhone contained one of the vulnerabilities found in the beta version of Apple's Safari 3 browser. This vulnerability, when successfully exploited, may allow a remote user to assume control of Safari 3 to execute code of their choice. Safari is the 3rd most popular Web browser with almost 5% of market share as of May 2007 (according to Net Applications.com). Hours after the release of the Safari 3 Beta for Mac & Windows on June 12, independent security researcher Thor Larholm found a zero-day vulnerability relating to the URL (uniform resource locator) protocol handler in the Windows version.
Another researcher, Errata Security, found 6 other vulnerabilities in the Windows version - 4 of which could allow denial of service (DoS) attacks while the other 2 could allow remote code execution on the affected system. The bugs found on the Windows version of Safari may affect the iPhone, as loopholes in one version can easily be located on another. Furthermore, the iPhone runs on Mac OS X, which has several issues of its own, & it is likely that these will be encountered in the iPhone. These vulnerabilities may offset Apple's closed platform strategy, as they provide hackers with material to explore.
The Safari 3 & iPhone vulnerabilities, combined with the malware events, seem to tell the world that Apple products are popular enough to serve as prime targets for lucrative exploits & bugs. It is wise to expect additional attacks in the future as the iPhone rolls out & its availability & popularity increase.
Jun 16, 2008