J2ME Virus?

The news was hot very recently with the discovery of the first J2ME virus. As usual, the media, fed by anti-virus software vendors, tended to get it all wrong. For example, IT Week and The Register said…

"Security software house Kaspersky is warning of a new mobile virus that does not just target smartphones but any mobile capable of running Java (J2ME) applications."

IT Week even went as far as to title the article "All Java phones at risk from new mobile virus".

The facts of the matter are…

  • The application doesn’t work on all phones due to use of restricted J2ME APIs
  • The user has to knowingly install the application
  • The premium SMS numbers used only worked in Russia
  • It’s relatively easy to track the premium SMS numbers used back to an SMS provider to prosecute the program writer and/or cancel the service
  • Removing the application is as simple as uninstalling it

This really isn’t a virus. It doesn’t install without the user knowing. It doesn’t self-propagate. It doesn’t do any damage to data on the phone. It doesn’t defraud – without incriminating the writer. In fact, it’s not possible to do any of these things with J2ME without, in various ways, providing a trace back to the original author.

Incidents like this generate unwarranted mistrust of the mobile developer community. This mistrust causes the marketing types in the large network operators to declare programmable phones (be they Symbian, Windows Mobile… and now possibly even J2ME) as unsafe. Unsafe phones mean nightmare customer support problems. Network operator requirements, in turn, create new requirements on Sun, Symbian and Microsoft for complex code signing mechanisms and (software) locked phones. As Steve Litchfield says of Symbian viruses, it’s mobile virus madness.