Security researchers are warning mobile phone users of a new worm aimed at devices running the Symbian operating system (OS S60 Third Edition).
Antivirus vendor Fortinet said the SymbOS/Yxes.A, or “Sexy View” worm, sends SMS messages containing malicious Web URLs to the victim’s contact list. Clicking on the URL downloads a copy of the worm onto the phones of recipients.
The firm said it’s very likely that SymbOS/Yxes.A is trying to harvest data about the infected phone, such as its serial and subscription numbers, and then post it to a remote site that Fortinet speculated may be controlled by cyber criminals. As for what the crooks might do with the data, that much isn’t clear.
Although it does not yet get commands from the remote servers it contacts, SymbOS/Yxes.A could later be modified by the cyber criminals, which would make it more difficult to track or protect against and make it more damaging, Fortinet lead threat researcher Derek Manky told InternetNews.com in an e-mail message.
The Symbian operating system is a division of mobile device maker Nokia (NYSE: NOK). There was no mention of SymbOS/Yxes.A on either Nokia’s site or the S60 site.
SymbOS/Yxes.A is able to infect phones running SymbianOS S60 Third Edition because it comes with a valid signed certificate from Symbian, according to Fortinet. The S60 Third Edition operating system does not allow users to install applications unless the applications carry such a certificate, issued to a registered SymbianOS developer.
The Web site of the Symbian Developers Network says signing an application encodes a tamper-proof digital certificate into an application installation file. This certificate grants access to protected application programming interfaces (APIs) that allow sensitive operations such as accessing end users’ private data, potentially creating billable events, and accessing the mobile phone network.
At press time, Fortinet was still investigating how the author of SymbOS/Yxes.A managed to get a valid signed certificate from Symbian, Manky said, and was awaiting a response from the Symbian Development Network.
The first of a new breed
SymbOS/Yxes.A is one of a new breed of more sophisticated mobile device worms, Manky said. Malware authors are keeping pace with users, who are moving toward more sophisticated Internet uses with their mobile devices.
“At first, mobile worms were destructive by nature and used to deface phones or boast, draining batteries and generating high phone bills,” Manky said. “With more platforms coming out and the increased functionality and complexity of mobile devices, more security holes and threat opportunities are arising.”
SymbOS/Yxes.A uses the same mode of attack as the Koobface worm that hit Facebook. Koobface, also discovered by Fortinet, infected users’ PCs, then sent out messages to their Facebook friends that urged them to click on Web pages bearing malicious content.
However, SymbOS/Yxes.A could be even more successful than Koobface in getting recipients of SMS messages to click on infected Web sites, Manky said. “Mobile worms spread to contacts who would hold a high level of trust in the sender, since they are voice contacts.”
Few mobile device users employ antivirus or other security software on devices.