Mobile Java and Nokia phones

General info

As a result of its research efforts, Security Explorations discovered multiple highly critical security vulnerabilities in mobile Java technology and Nokia Series 40 handsets.

This section of our website presents the most crucial information regarding the project that led to this discovery:

  • Official press statement containing general information about the impact of the vulnerabilities.
  • Frequently Asked Questions about our discovery.

Project newsroom

AUG 2008

Mobile Java and Nokia phones - Press Info

Security Explorations, a security research start-up company from Poland, discovered two very serious security vulnerabilities (...)

How serious are the vulnerabilities you found?

They are very serious. We verified that attackers might exploit these vulnerabilities to install malware or viruses on Nokia phones (and possibly the phones of other manufacturers) in much the same way they install them on PCs. We also verified that the phone can be silently controlled by attackers - the user might not even be aware that someone has hacked his / her phone. Attackers can also access or modify the phonebook of the phone, they can start a phone call to a number of their choice, or they can send SMS or MMS messages to any other phone number. Finally, they can use the phone to snoop on the user's activities (record audio or video, take camera snapshots, sniff commands sent to the SIM card, etc.).

What antivirus software can I use to be protected?

Unfortunately, no antivirus software exists that can protect your Nokia Series 40 phone. By default, only Flash or Java applications can be installed on Nokia Series 40 devices. These applications run in a limited security environment and cannot access phone resources in a way that would allow them to protect the phone from malware or viruses.

What does it mean that a Nokia phone can be attacked remotely?

An attacker just needs to know your phone number in order to attack your Nokia phone. By sending a proper sequence of messages to the target Nokia phone, attackers can deploy and run a Java application of their choice on it. The deployed application can break the security of the phone by using the mobile Java flaws we discovered. From that moment, attackers can proceed with penetrating the phone and can, for example, install a backdoor application on it.

How can a malicious Java application get into my phone?

Users usually install Java applications on their own, by downloading them from the Internet directly to the phone or by uploading them from a PC. There is also one other way that attackers can exploit in the case of Nokia Series 40 devices. Attackers can simply force a target phone (by only knowing its number) to deploy and run a Java application of their choice.

How many phones could be vulnerable?

Different sources provide different numbers. One source from Sun Microsystems claimed in an article published in 2006 that there were approximately 1.5 billion Java-enabled cell phones on the market at that time.

What are these Nokia Series 40 devices that you speak about?

Nokia Series 40 is simply a family of Nokia phones with more than 140 different device models (phones). According to Nokia, this is the world's most widely used mobile device platform. More information about this family of Nokia devices can be found on Nokia's pages.