
February 19th, 2009

New Symbian-based mobile worm circulating in the wild

Posted by Dancho Danchev @ 9:29 am

Categories: Anti Virus, Botnets, Hackers, Malware, Mobile (In)Security, Passwords

Tags: Security, Symbian, SMS, Mobile Malware, SymbOS/Yxes.A!worm, Fraud, Dancho Danchev

F-Secure and Fortinet are investigating a newly discovered piece of mobile malware identified as SymbOS/Yxes.A!worm, or “Sexy View”. The malware affects S60 3rd Edition series devices and carries a valid certificate signed by Symbian, which tricks the mobile device user into thinking it’s a legitimate application. To propagate, “Sexy View” collects all the phone numbers from the infected device and then sends each of them an SMS that includes a link to a web site hosting a copy of the worm.

SymbOS/Yxes.A!worm is the second mobile malware detected in the wild in 2009, following last month’s discovery of Trojan-SMS.Python.Flocker by Kaspersky Labs. A trend, a fad, or opportunists experimenting ahead of mobile malware’s prime time in 2009?

Using spam and phishing as analogies, both spammers and phishers require huge databases of harvested email addresses in order to hit their targets directly. What used to be old-fashioned directory attacks, where they attempted to guess user names and associate them with email boxes, is today a greatly matured underground market segment offering millions of segmented (on a per country, city, industry, or email provider basis) emails, which cybercriminals easily integrate within their campaign management kits.

What’s particularly interesting about SymbOS/Yxes.A!worm is that the worm’s main objective appears to be harvesting information from the infected devices, such as phone numbers, IMEI, IMSI, and the phone type. This data harvesting approach is pretty similar to that of email harvesting tools, and in the long term the harvested data will be monetized and resold to phone scammers, whose activities are already driving the success of such sites as WhoCallsme? and 800notes.

Moreover, Guillaume Lovet, a senior manager of Fortinet’s Threat Research Team, is also speculating on the potential for a mobile botnet due to the ways in which Yxes.A!worm spreads: “As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We’re really at the edge of a mobile botnet here.”

With carriers, manufacturers, and service providers clearly aware of the emerging mobile malware threat, they thankfully seem to be thinking in the right direction: according to McAfee’s 2009 Mobile Security Report, when asked “Who Should Bear the Cost of Securing Mobile Devices?”, 44% of the mobile device manufacturers assigned the responsibility to themselves instead of their clients.

At a time when your mobile number and physical location, the data needed to target a scam successfully, are prone to become a valuable good in the underground economy, your vigilance remains a cost-effective solution.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback

Re: New Symbian-based mobile worm circulating in the wild
great!

can we have a cert with the AllFiles capability?
Posted by: xkiller213 Posted on: 03/06/09
The Certificate is the core problem  rfbati | 02/19/09
Agreed  honeymonster | 02/19/09
Re: New Symbian-based mobile worm circulating in the wild  xkiller213 | 03/06/09
