Spreading Worm Hits Nokia Handsets
- 23 January, 2008 11:50
Security vendor Fortinet has uncovered a malicious SymbianOS Worm that is actively spreading on mobile phone networks.
Fortinet's threat response team warned on Monday that the worm, identified as SymbOS/Beselo.A!worm, is able to run on several Symbian S60 enabled devices. These include handsets such as Nokia 6600, 6630, 6680, 7610, N70 and N72 handsets.
The malware is disguised as a multimedia file (MMS) with an evocative name: either Beauty.jpg, Sex.mp3 or Love.rm. Fortinet warned this is deceiving users into unknowingly installing the malicious software onto their phones.
Unlike Microsoft Windows, SymbianOS types files based on their contents and not their extensions, so it is worth noting that recipients of infected MMS would still be presented with an installation dialogue upon "clicking" on the attachment. "Therefore, users could easily be deceived by the extension and unknowingly install the malicious piece of software," warned Fortinet.
After installation, the worm harvests all the phone numbers located in the phone's contact lists and targets them with a viral MMS carrying a SIS-packed (Symbian Installation Source) version of the worm. In addition to harvesting these numbers, the malware also sends itself to generated numbers as well.
Interestingly, all these numbers are located in China so far and belong to the same mobile phone operator. Some of these numbers have been verified to belong to actual customers, rather than being premium service numbers.
Guillaume Lovet, manager of Fortinet's Threat Response Team, EMEA, and the man who conducted the research and discovered this malicious activity, told Techworld that this is not just another 'theoretical' mobile worm that nobody will ever encounter.
"It is actual spreading in the wild," said Lovet, "although numbers are still pretty low." He confirmed that the worm only affects Symbian S60 enabled devices.
Lovet says Fortinet first became aware of the worm after one of his customers (a "large, large mobile operator") provided them with a sample. He says the worm seems to be spreading in the EMEA (Europe, Middle East, and Africa) region, and Fortinet is investigating the Chinese angle, and is in touch with law enforcement officials.
"We really want to know why this worm is doing that (contacting Chinese mobile numbers)," said Lovet. "Perhaps it wants to seed itself pretty aggressively," he speculated.
"When you want to seed or inject worm in the wild, then you may want to seed in high populated areas," he continued. "The Chinese mobile operator concerned is the largest in the world with 300 million users, so maybe the virus writers thought it would be a good idea to go for mobiles in highly populated areas."
The advice from Lovet is simple. "Symbian users must not to say yes to any .jpg, .mp3, or .rm files trying to install themselves on your phone."
Of course, Fortinet says that its FortiClient Mobile automatically detects and removes the Beselo worm.
Fortunately, mobile malware is still pretty rare, but it has made the occasional appearance in the past, despite suspicions that these warnings were simply a way to promote a vendor's products.
A worm that could move from a Symbian phone to a PC was previously reported by security experts F-Secure in September 2006. Then in June last year, a 28-year-old man was arrested in Spain on charges that he created variants of the CommWarrior and Cabir mobile phone viruses.