New Symbian mobile malware in the wild
The worm is called SymbOS/Yxes.A!worm, also known as "Sexy View." Network security firm Fortinet's FortiGuard Global Security Research Team issued an advisory Wednesday about the worm due to an uptick in recent infections.
The malware is spreading on smartphones in China that run Nokia S60 3rd Edition, a company spokesperson told SCMagazineUS.com on Thursday. The threat has not been reported elsewhere.
Up until now, most insidious mobile malware has propagated through attachments in multimedia messaging service (MMS) messages, which are similar to email messages and allow attachments, Derek Manky, cybersecurity and threat researcher at FortiGuard Global Security Team, told SCMagazineUS.com Thursday. But this new worm is more effective and spreads in a way that has never been seen in mobile malware propagation before, relying on short message service (SMS), or text, messages.
It propagates by repeatedly sending SMS messages containing a malicious URL to the phone numbers stored in an infected device, Manky said. If internet browsing is enabled on the device, when a user clicks on the message, they are directed to a web server to download a copy of the worm.
Since the malicious messages are sent to all the contacts in an infected user's phone, the worm conceivably could spread to users in other countries, Manky said.
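As an added illustration (not from the article, Fortinet or Purewire), the propagation pattern just described, one URL sent to many stored contacts in a short burst, can be flagged from the defender's side with a simple outbound-SMS heuristic. The log lines, device ids, URL and thresholds below are constructed assumptions:

```python
# Heuristic detector for SMS-borne worm propagation (added example, constructed input).
# Flags a device that sends the same URL to many distinct recipients in a short window.
import re
from collections import defaultdict
from datetime import datetime

URL_RE = re.compile(r"https?://\S+")

# Constructed outbound SMS log: (device_id, timestamp, recipient, body)
SAMPLE_LOG = [
    ("dev-A", "2009-02-19 10:00:01", "+8613800000001", "hi, see http://example.invalid/p"),
    ("dev-A", "2009-02-19 10:00:03", "+8613800000002", "hi, see http://example.invalid/p"),
    ("dev-A", "2009-02-19 10:00:05", "+8613800000003", "hi, see http://example.invalid/p"),
    ("dev-A", "2009-02-19 10:00:07", "+8613800000004", "hi, see http://example.invalid/p"),
    ("dev-A", "2009-02-19 10:00:09", "+8613800000005", "hi, see http://example.invalid/p"),
    ("dev-B", "2009-02-19 10:00:00", "+8613800000010", "running late, 10 min"),
    ("dev-B", "2009-02-19 11:30:00", "+8613800000011", "check http://example.invalid/p"),
]


def find_sms_worm_senders(log, min_recipients=5, window_seconds=300):
    """Return {device_id: url} for devices that sent one URL to at least
    min_recipients distinct numbers within window_seconds (thresholds are assumptions)."""
    # (device, url) -> list of (send time, recipient)
    sends = defaultdict(list)
    for device, ts, recipient, body in log:
        for url in URL_RE.findall(body):
            sends[(device, url)].append(
                (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), recipient))
    flagged = {}
    for (device, url), events in sends.items():
        events.sort()
        start = 0
        # Sliding window over send times; count distinct recipients inside the window.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            recipients = {r for _, r in events[start:end + 1]}
            if len(recipients) >= min_recipients:
                flagged[device] = url
                break
    return flagged


if __name__ == "__main__":
    print(find_sms_worm_senders(SAMPLE_LOG))
```

A hit only says the device is mass-sending one link, so the next step is checking the link and the installed packages on that handset rather than blocking the sender outright.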
The worm seemingly bears a valid certificate signed by Symbian and installs as a valid application on mobile devices running on the S60 3rd Edition operating system, he said. As of now, the worm is only present on Nokia 3250 handsets but there is no reason it can't affect other devices or carriers.
This worm relies on social engineering to lend credibility, Manky said. Since it looks like it is coming from someone the recipient knows, odds are a user will click on the link and become infected.
“If this is someone you're acquainted with, the chances are that you will drop your guard,” Manky said.
Once a user is infected, the worm aims to gather information on the victim, including the phone's serial and subscription number, and posts this information to a remote server likely controlled by cybercriminals, he said.
The criminals may be using the information the worm retrieves to clone phones by inputting the serial and subscription numbers into another device, Paul Royal, principal researcher at on-demand web security provider Purewire, told SCMagazineUS.com.
The attackers also seem able to customize the worm to create a more vicious payload, Royal said. Copies of the worm are hosted on malicious servers controlled by cybercriminals, so it can easily be updated at any time, adding or removing functionality such as keyloggers.
The threat also may be a test run for crooks hoping to truly monetize mobile malware in the future, Manky said. They are testing the waters with the goal of building an infrastructure that eventually may lead to a mobile botnet, he said.
“We haven't yet seen a mobile botnet, but this is a very large step towards that,” Manky said. “It's inevitable, just a matter of time.”
In October, the Georgia Tech Information Security Center (GTISC) released a report forecasting a mobile botnet is on the horizon. Researchers said they expected to see more mobile malware as a way for cybercriminals to expand their botnets, or networks of compromised computers.
If a user is infected with this worm, certain applications on the phone will not function or run as they should, Manky said.
He recommended that mobile users, especially enterprise users, have a security solution in place to protect against these types of threats. Also, users should be cautious when opening attachments and following URLs received through either SMS or MMS messages, even from trusted sources.