New Symbian-based mobile worm circulating in the wild

New Symbian-based mobile worm circulating in the wild

Summary: F-Secure and Fortinet are investigating a newly discovered mobile malware identified as SymbOS/Yxes.A!

TOPICS: Security

F-Secure and Fortinet are investigating a newly discovered mobile malware identified as SymbOS/Yxes.A!worm or "Sexy View". The malware is affecting S60 3rd Edition series devices, and has a valid certificate signed by Symbian tricking the mobile device user into thinking it's a legitimate application. In terms of propagation, "Sexy View" propagates by collecting all the phone numbers from the infected device, and then SMS-es itself to all of them including a link to a web site hosting a copy of it.

SymbOS/Yxes.A!worm is the second mobile malware detected in the wild for 2009, followed by last month's discovery of Trojan-SMS.Python.Flocker by Kaspersky Labs. A trend, a fad, or opportunists experimenting for mobile malware's prime time in 2009?

Using spam and phishing as analogies, both, spammers and phishers require huge databases of harvested email address in order to hit them directly. What used to be old-fashioned directory attacks where they were attempting to guess user names and associate them with email boxes, is today's greatly matured underground market segment offering millions of segmented (on per country, city, industry, email provided basis) emails which cybecriminals easily integrate within their campaign management kits.

What's particularly interesting about SymbOS/Yxes.A!worm is that it appears that the worm's main objective is to harvest information from the infected devices such as phone numbers, IMEI, IMSI as well as the phone type. This data harvesting approach is pretty similar to that of email harvesting tools, and in the long term the harvested data will be monetized and resold to phone scammers whose activities are already driving the success of such site as WhoCallsme? and 800notes.

Moreover, Guillaume Lovet, a senior manager of Fortinet's Threat Research Team is also speculating on the potential for a mobile botnet due to the ways in which Yxes.A!worm spreads: "As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We're really at the edge of a mobile botnet here."

With carriers, manufacturers, and service providers clearly aware of the emerging mobile malware threat, thankfully, they seem to be thinking in the right direction - according to McAfee's 2009's Mobile Security Report, when asked "Who Should Bear the Cost of Securing Mobile Devices?" 44% of the mobile device manufacturers forwarded the responsibility to themselves instead of their clients.

In times when your mobile number and physical location for a successful scam targeting is prone to become a valuable good in the underground economy, your vigilance remains a cost-effective solution.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The Certificate is the core problem

    The malware authors arranged to have a valid certificate for the worm. How did they achivied that?

    Is it a failed design on certificates for apps on Symbian OS or the process of issuing an app's certificate failed?.

    Until knowing what happened, Symbian model of security is under suspect. Isn't it?
    • Agreed

      Could it be a Debian signed certificate?
      Remember the debacle with Debian having reduced
      entropy in their key generating algorithm. As I
      recall it, it would result certificates which
      were easily broken using brute force.
      • Re: New Symbian-based mobile worm circulating in the wild


        can we have a cert with the AllFiles capability?
  • RE: New Symbian-based mobile worm circulating in the wild

    Well done! Thank you very much for professional templates and community edition
    <a href="">seslisohbet</a> <a href="">seslichat</a>