In a result of its research investigation efforts, Security Explorations discovered multiple highly critical security vulnerabilities in mobile Java technology and Nokia Series 40 handsets.
This section of our website presents the most crucial information regarding the project that lead to this discovery:
They are very serious. We verified that attackers might exploit these vulnerabilities to install malware or virus into Nokia phones (and possibly the phones of other manufacturers) in a very similar way they install it into PC computers. We also verified that the phone can be silently controlled by attackers - the user might not be even aware that someone has hacked his / her phone. Attackers can also access or modify the phonebook of the phone, they can start a phone call to the number of their choice or they can send SMS or MMS messages to any other phone number. Finally, they can use the phone to snoop on user's activities (record audio or video, take camera snapshot, sniff commands send to the SIM card, etc.).
Unfortunately, no antivirus software exists that can protect your Nokia Series 40 phone. By default, no other software can be installed on Nokia Series 40 devices than Flash or Java applications. These applications run in a limited security environemnt and cannot access phone resources in a way that would allow them to protect it from malware or viruses.
An attacker just needs to know your phone number in order to attack your Nokia phone. By sending proper sequence of messages to the target Nokia phone, attackers can deploy and run Java application of their choice into it. Deployed application can break security of the phone with the use of mobile Java flaws we discovered. From that moment, attackers can proceed with penetrating the phone and can for example install a backdoor application into it.
Users usually install Java applications on their own by downloading them from the Internet directly into the phone or by uploading them from a PC computer. There is also one other way that can be exploited by attackers in case of Nokia Series 40 devices. Attackers can simply force a target phone (by only knowing its number) to deploy and run Java application of their choice into it.
Different sources provide different numbers. One source from Sun Microsystems claimed in a published article from 2006 that there was approximately 1.5 billion of Java enabled cell phones on the market at that time.