Security vendor detects aggressive mobile worm variant

New worm variant uses new tricks but the risk of being infected is minimal, says New Zealand expert

Mobile phone malware writers are up to no good again. A security vendor has detected a new variant of an aggressive Russian mobile worm that uses some alarming new tricks.

Like its earlier relatives, Commwarrior.Q will jump onto another phone using a short-range Bluetooth wireless connection, says F-Secure, an antivirus company based in Helsinki. It also spreads via MMS (multimedia messaging service) or by an infected memory card inserted into a device.

Commwarrior.Q is not spreading widely. But the worm has new traits that make it particularly aggressive and it appears to be one of the most complex pieces of mobile malware created to date, says Antti Vihavainen, vice president of mobile security for F-Secure.

However, it is not yet confirmed that the worm is in the wild, says local mobile phone security expert, Aaron Davidson, CEO of Auckland-based SimWorks. Mobile threats are growing, but the big picture is that among the billions of mobile phones in the world, only a very small number is being infected, he says.

But there are risks, and people generally don't appreciate the seriousness of them, he says.

"People shouldn't engage in silly behaviour like accepting any old thing that is 'bluetoothed' to them, opening up MMSs from people they don't know or downloading cracked copies of software, indeed doing anything that they would hesitate to do on their computer," says Davidson.

"Your average PC can only communicate via one type of channel, a LAN connection, [whereas] a smartphone [for example] has got Bluetooth, GPRS, 3G, has probably got infrared still, and may even have wi-fi."

"If you compare and contrast these devices, one of them is as open as Swiss cheese, and that's the mobile phone," he says.

Commwarrior.Q will continuously send MMS messages from midnight to 7 am to people in an infected phone's address book. It cleverly assembles a text message from the phone's "sent" file, making it appear legitimate, Vihavainen says.

After 7 am, however, Commwarrior.Q stops that action, as it would be noticeable to the user. It then starts scanning other phones to infect via Bluetooth.

Commwarrior.Q will infect any Symbian OS application installation files, called SIS files. Unlike its predecessors, the SIS files that Commwarrior.Q infects take on random names, making them harder to identify. Previous versions of Commwarrior used the same file name, F-Secure says.

The SIS files also range in size from 32,100 to 32,200 bytes, making them hard to distinguish from MMS messages if mobile operators wanted to filter them out of their networks, Vihavainen says.

Commwarrior.Q can't automatically infect a phone, however, Vihavainen says. A user will be prompted if they receive an infected SIS file, and they have to accept the file. Users also get another security prompt. After that, however, Commwarrior.Q will start running.

F-Secure has notified mobile operators of the worm, Vihavainen says. Operators could potentially filter out all transfers of SIS files between phones, but that would reduce functionality, he says.
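As a narrower alternative to blocking every SIS transfer, an operator could look for the combination of traits reported above: MMS sent between midnight and 7 am, an attachment of 32,100 to 32,200 bytes, and many distinct recipients from one sender. The sketch below is an added example, not F-Secure's or any operator's code; the record layout, the sender and recipient labels and the recipient threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Traits reported in the article.
SIZE_MIN, SIZE_MAX = 32_100, 32_200  # infected SIS file size range, in bytes
NIGHT_START, NIGHT_END = 0, 7        # MMS sending runs from midnight to 7 am
# Assumption, not from the article: distinct-recipient count that raises an alert.
MIN_RECIPIENTS = 3

# Constructed sample records: local timestamp, sender, recipient, attachment bytes.
SAMPLE_LOG = """\
2000-01-01T00:14:02,sender-A,rcpt-1,32150
2000-01-01T00:14:40,sender-A,rcpt-2,32104
2000-01-01T01:02:11,sender-A,rcpt-3,32199
2000-01-01T06:59:59,sender-A,rcpt-4,32100
2000-01-01T07:00:00,sender-A,rcpt-5,32120
2000-01-01T02:30:00,sender-B,rcpt-6,32160
2000-01-01T09:15:00,sender-C,rcpt-1,32150
2000-01-01T09:16:00,sender-C,rcpt-2,32150
2000-01-01T09:17:00,sender-C,rcpt-3,32150
2000-01-01T03:00:00,sender-D,rcpt-1,120000
2000-01-01T03:01:00,sender-D,rcpt-2,4096
2000-01-01T03:02:00,sender-D,rcpt-3,32201
"""


def parse(log):
    """Yield (timestamp, sender, recipient, size) from comma-separated lines."""
    for line in log.strip().splitlines():
        ts, sender, rcpt, size = line.split(",")
        yield datetime.fromisoformat(ts), sender, rcpt, int(size)


def suspicious_senders(log, min_recipients=MIN_RECIPIENTS):
    """Map each flagged sender to the recipients of its matching night-time MMS."""
    hits = defaultdict(set)
    for ts, sender, rcpt, size in parse(log):
        in_window = NIGHT_START <= ts.hour < NIGHT_END
        in_size = SIZE_MIN <= size <= SIZE_MAX
        if in_window and in_size:
            hits[sender].add(rcpt)
    return {s: sorted(r) for s, r in hits.items() if len(r) >= min_recipients}


if __name__ == "__main__":
    for sender, rcpts in suspicious_senders(SAMPLE_LOG).items():
        print(f"{sender}: {len(rcpts)} recipients in window -> {rcpts}")
```

Only sender-A is flagged in the sample: a single in-range message, daytime traffic and out-of-range sizes do not match on their own, which is why the size trait is combined with the time window and recipient count.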

Commwarrior.Q affects Symbian Series 60 phones that use Symbian OS version 8.1 or older, says F-Secure.

Users may eventually know if they are infected, as Commwarrior.Q intermittently displays an HTML (Hypertext Markup Language) page with text that says, in part, "No panic please, is it very interesting to have mobile virus at own phone."

Commwarrior was first seen in 2005, and several variants have been detected. One version, Commwarrior.B, sends continuous MMSes, draining the phone battery unbeknownst to users. When charged, the phone won't reboot.

Commwarrior.Q does not damage data on a phone, Vihavainen says. But a user could incur high phone charges caused by the worm sending messages during the night, he says.

The F-Secure advisory can be found here.

Mobile malware is not widespread but researchers say it could become more prevalent as people use more complex mobile devices.
