The first worm that spreads between mobile devices by spamming text messages has developed a new communications capability that one security vendor says signals the arrival of mobile botnets.
Trend Micro has analyzed a piece of mobile malware known as “Sexy Space,” which is a variant of another piece of mobile malware called Sexy View, which targets devices running the Symbian S60 OS.
Sexy View, which was detected by vendors such as F-Secure six months ago, is significant because it is the first known malware sample that spreads by SMS (Short Message Service). It appeared initially in China.
Infected phones would send SMSes to everyone in the phone’s contact list with a link to a Web site. If someone clicked the link, they would then be prompted to install Sexy View, which purports to offer pornography-related content.
In another advancement, those who wrote Sexy View were able to get the application approved and signed by Symbian. The OS manufacturer, now owned by Nokia, vets applications for security using both manual and automated processes, said Mikko Hypponen, chief research officer for F-Secure.
Sexy View’s creators were somehow able to subvert that automated vetting process, allowing the application to access functions such as SMS, Hypponen said. The latest variant, Sexy Space, is also signed by Symbian.
But in the latest alarming development, Trend Micro analysts have found that Sexy Space is capable of downloading new SMS templates from a remote server in order to send out new SMS spam, said Rik Ferguson, senior security advisor for Trend.
No malware for a mobile device has been know to do that before. Analysts at Trend had “heated internal discussions” about whether Sexy Space qualified as botnet code, Ferguson said.
Sexy Space is also capable of stealing subscriber and network information from the device and sending it to a remote server, Ferguson said.
Sexy Space confirms what analysts such as Hypponen and Ferguson have said since late last year: As mobile devices take on greater functionality and operate like minicomputers, it’s likely they will be targeted by malware writers and eventually lassoed into botnets.
Botnets—arguably one of the biggest security threats facing the Internet—are networks of hacked computers that can be used to send spam, conduct denial-of-service attacks on Web sites or steal data.
Hypponen said F-Secure analysts had not confirmed that Sexy Space calls on a remote server, and Trend engineers are still studying where the remote server is located.
It’s not clear now many phones may be infected. But one Beijing mobile security vendor, NetQin Tech, wrote on its blog that infections had been widespread in China and Saudi Arabia.
F-Secure informed Symbian about the malware. It is possible for network operators to revoke the certificate that allows an application to run on a Symbian phone, Hypponen said.
But the revocation mechanisms are not automatic, and depending on the operator’s setup, it may not work for all phones, Hypponen said.
Symbian has taken action to disable the malware. Craig Heath, one of Symbian’s security developers, wrote on the organization’s security blog that it has revoked the content certificate and publisher certificate used to sign the malware.
“That means that the Symbian software installer will not now install the malware, providing that revocation checking is turned on,” Heath wrote. “Unfortunately, revocation checking is often turned off by phone manufacturers, because the data traffic could cause problems for people who do not have a data plan as part of their service or who pay for data by volume.”
F-Secure has a writeup of the malware, also known as “Transmitter.” Trend has also posted an analysis.
Updated at 1:37 p.m. PT to add comments from Symbian.