History of Mobile Malware (part I)

[London, UK] Given the growth in popularity of smartphones over the last decade, the rise of mobile malware seems inevitable. Malware always rises where there is a popular platform, a range of attack vectors and some means of monetisation, and mobile devices offer all three. Yet it wasn’t always so. If we date the emergence of the smartphone back to 2000, with the launch of the Ericsson R380 and the Nokia 9210, it took over three years for the first examples of mobile malware to arrive.

With this three-part series, we’ll look at how cell phones have increasingly become the target of malware authors. This first article looks at attacks on the Symbian platform.

In June 2004, security researchers were sent copies of the first mobile virus, Cabir, a worm that infected the Symbian 60 OS. Written by members of an international group of virus writers, 29A, it was a proof-of-concept virus written in C++ using Symbian and Nokia’s own SDK. Ingeniously, it used an attack vector common to nearly all Symbian smartphones, Bluetooth, appearing as a .SIS file installed in the phone’s apps directory. The virus itself was harmless, doing little more than displaying the message ‘Caribe’ on the phone’s display every time it was turned on. It wasn’t even released into the wild.

Unfortunately, it wasn’t long before less scrupulous hackers found Cabir and began to engineer their own variations. By mid-2005 Cabir was the foundation for whole families of Symbian viruses, including Pbstealer, a Trojan that searched the phone’s address book, then transmitted the data it obtained via Bluetooth to the first device in range.

Cabir might have been the first mobile virus, but it wasn’t alone for long. In August 2004 a Trojan was found in illicit versions of the Symbian mobile game, Mosquito. Each time the game was played the Trojan would send a premium SMS message to a certain number, making it the first mobile virus to take money from its victims.

By autumn 2004, Cabir and Mosquito had been joined by Skuller, another Symbian Trojan. Skuller exploited a vulnerability in Symbian, replacing system icons with skull and crossbones alternatives, then deleting application files. It was a simple vandal Trojan, distributed through websites and forums as a theme file offering new icons and new wallpapers. However, it was surprisingly successful, particularly when enhanced with the incorporation of code from Cabir to spread through Bluetooth.

Cabir, Mosquito and Skuller began a stream of viruses attacking the Symbian OS, replacing system applications, installing corrupt or malignant applications, or infecting user files. The viruses spread via malignant apps, Bluetooth and MMS multimedia messages. The last of these vectors allowed the malware to spread rapidly by replicating itself and sending copies to other phones listed in the owner’s address book, as in the case of the CommWarrior virus. This phase also saw the first examples of the cross-platform virus, with SymbOS Cardtrap not just deleting files and replacing system applications on the phone, but installing Windows malware on memory cards. Connect your phone, and you infected your PC.

Look out for the second part of our ‘History of Mobile Malware’ series, coming tomorrow.
