Breach, Mobile

Fortinet: Symbian OS worm spreading in mobile networks

January 23, 2008

Fortinet researchers have discovered a new, socially engineered Symbian OS worm they say is actively spreading on mobile networks as users unwittingly send the malware to their unit's entire address book.

 

The FortiGuard Global Security research team confirmed this week that the worm, dubbed SymbOS/Beselo.A!worm – or simply, Beselo – is able to run on Symbian S60-enabled Nokia 6600, 6630, 6680, 7610, N70 and N72 phones.

 

Fortinet security research engineer Derek Manky told SCMagazineUS.com that the worm most likely is able to infect other brands of smartphones that run on the Symbian platform. Worldwide, more than 100 million mobile devices are Symbian OS-enabled.

 

After an installation phase, the worm harvests phone numbers located in the contact list of the infected devices and targets them with messages carrying a SIS-packed (Symbian Installation Source) version in what seems like a multimedia attachment, researchers said.

 

The SIS file does not bear a .sis file extension; instead, it is disguised as a multimedia file with a provocative title, such as Beauty.jpg, Sex.mp3 or Love.rm. When the recipient opens the attachment, the Beselo malware is installed on their smartphone.

 

According to Manky, the Symbian platform is vulnerable to this socially engineered exploit because it runs files based on their content, not their extensions – unlike Windows, which will run a file based on the extension (for example, a JPG will only be opened as a JPG).

 

In addition to harvesting the numbers stored in the phone's address book, the Beselo worm is sending itself to generated numbers contained in the malware, Fortinet said.

 

According to Manky, all of the generated numbers discovered thus far are located in China and belong to the same mobile phone operator, and some have been verified to belong to actual customers, rather than being premium service numbers. Manky told SCMagazineUS.com it is possible that these generated numbers were the original targets of the Beselo worm, and then were simply left in the program by its creators after the virus began to spread beyond China. 

 

Users may know they have been infected with the Beselo worm if they see unrecognized sent messages in their MMS-protocol configured outboxes (the device itself needs to be configured to save such messages), Fortinet said.

 

Fortinet said the prevalence of the Beselo mobile malware in the wild is still low, but noted that its ability to deceive mobile users into infecting their contact list makes it a significant threat.

prestitial ad