Autumn 2004 was when mobile malware started to evolve in three main
areas. One was Trojan programs which are designed for financial gain.
The first mobile Trojan was Mosquit.a. In theory, it’s a harmless
mobile phone game; however, at some point it starts to send numerous SMS
messages to telephone numbers in the address book, meaning that the
user’s phone bill will increase. In fact, Mosquit.a wasn’t only the
first Trojan for smartphones, but also the first piece of adware for
mobiles.
Skuller.a, a Trojan which appeared in November 2004, was the first of
what is now the largest family of mobile Trojans. This was the first
malicious program to take advantage of the design faults of Symbian,
which make it possible for any application to overwrite system files
with its own files without prompting the user. Skuller replaced
application icons with a skull and crossbones, and also deleted
application files. As a result, the handset would stop working once it
had been switched off and switched on again. This type of “vandal
Trojan” became one of the most popular among virus writers.
[Image: Skuller.a]
Three new variants of Cabir appeared practically at the same time as
Skuller.a. These new variants were not based on the source code of the
original worm. By this time virus writers had got their hands on Cabir,
and some of them did what script kiddies do: they renamed the worm
files and replaced some of the text in the files with their own. One
variant added Skuller to the original archive. The resulting hybrid
didn’t function as intended: the worm was unable to replicate because
the Trojan crashed the phone. However, this was the first time that
Cabir was used as a carrier for other malicious programs.
By the beginning of 2005, the main types of mobile malware had
evolved, and were used by virus writers over the next eighteen months:
- worms that spread via smartphone protocols and services
- vandal Trojans that install themselves to the system by exploiting Symbian design faults
- Trojans designed for financial gain
However, although there are only a few main types of behavior, in
practice mobile malware comes in a variety of forms. Kaspersky Lab is
currently tracking 31 distinct mobile malware families. The table below
shows the main characteristics for each family.
Name | Date | OS | Functionality | Technology used | Number of variants |
Worm.SymbOS.Cabir | June 2004 | Symbian | Spreads via Bluetooth | Bluetooth | 15 |
Virus.WinCE.Duts | July 2004 | Windows CE | Infects files | (File API) | 1 |
Backdoor.WinCE.Brador | August 2004 | Windows CE | Provides remote network access | (Network API) | 2 |
Trojan.SymbOS.Mosquit | August 2004 | Symbian | Sends SMS messages | SMS | 1 |
Trojan.SymbOS.Skuller | November 2004 | Symbian | Replaces files, icons, system applications | OS vulnerability | 31 |
Worm.SymbOS.Lasco | January 2005 | Symbian | Spreads via Bluetooth, infects files | Bluetooth, File API | 1 |
Trojan.SymbOS.Locknut | February 2005 | Symbian | Installs corrupted applications | OS vulnerability | 2 |
Trojan.SymbOS.Dampig | March 2005 | Symbian | Replaces system applications | OS vulnerability | 1 |
Worm.SymbOS.ComWar | March 2005 | Symbian | Spreads via Bluetooth and MMS, infects files | Bluetooth, MMS, File API | 7 |
Trojan.SymbOS.Drever | March 2005 | Symbian | Replaces antivirus application loaders | OS vulnerability | 4 |
Trojan.SymbOS.Fontal | April 2005 | Symbian | Replaces font files | OS vulnerability | 8 |
Trojan.SymbOS.Hobble | April 2005 | Symbian | Replaces system applications | OS vulnerability | 1 |
Trojan.SymbOS.Appdisabler | May 2005 | Symbian | Replaces system applications | OS vulnerability | 6 |
Trojan.SymbOS.Doombot | May 2005 | Symbian | Replaces system applications, installs Comwar | OS vulnerability | 17 |
Trojan.SymbOS.Blankfont | July 2005 | Symbian | Replaces font files | OS vulnerability | 1 |
Trojan.SymbOS.Skudoo | August 2005 | Symbian | Installs damaged applications, installs Cabir, Skuller, Doombot | OS vulnerability | 3 |
Trojan.SymbOS.Singlejump | August 2005 | Symbian | Disables system functions, replaces icons | OS vulnerability | 5 |
Trojan.SymbOS.Bootton | August 2005 | Symbian | Installs damaged applications, installs Cabir | OS vulnerability | 2 |
Trojan.SymbOS.Cardtrap | September 2005 | Symbian | Deletes antivirus files, replaces system applications, installs Win32 malware on memory cards | OS vulnerability | 26 |
Trojan.SymbOS.Cardblock | October 2005 | Symbian | Blocks memory cards, deletes folders | OS vulnerability, File API | 1 |
Trojan.SymbOS.Pbstealer | November 2005 | Symbian | Steals data | Bluetooth, File API | 5 |
Trojan-Dropper.SymbOS.Agent | December 2005 | Symbian | Installs other malicious programs | OS vulnerability | 3 |
Trojan-SMS.J2ME.RedBrowser | February 2006 | J2ME | Sends SMS | Java, SMS | 2 |
Worm.MSIL.Cxover | March 2006 | Windows Mobile/.NET | Deletes files, copies its body to other devices | File (API), Network (API) | 1 |
Worm.SymbOS.StealWar | March 2006 | Symbian | Steals data, spreads via Bluetooth and MMS | Bluetooth, MMS, File (API) | 5 |
Email-Worm.MSIL.Letum | March 2006 | Windows Mobile/.NET | Spreads via email | Email, File (API) | 3 |
Trojan-Spy.SymbOS.Flexispy | April 2006 | Symbian | Steals data | — | 2 |
Trojan.SymbOS.Rommwar | April 2006 | Symbian | Replaces system applications | OS vulnerability | 4 |
Trojan.SymbOS.Arifat | April 2006 | Symbian | — | — | 1 |
Trojan.SymbOS.Romride | June 2006 | Symbian | Replaces system applications | OS vulnerability | 8 |
Worm.SymbOS.Mobler.a | August 2006 | Symbian | Deletes antivirus files, replaces system applications, spreads via memory card | OS vulnerability | 1 |
Total: 31 families, 170 variants
Complete (as of 30th August 2006) list of mobile virus families according to Kaspersky Lab classification
Taken together, the malicious programs in these families can:
- Spread via Bluetooth, MMS
- Send SMS messages
- Infect files
- Enable remote control of the smartphone
- Modify or replace icons or system applications
- Install “false” or non-operational fonts and applications
- Combat antivirus programs
- Install other malicious programs
- Block memory cards
- Steal data
We have to acknowledge that today’s mobile viruses are very similar
to computer viruses in terms of their payload. However, it took computer
viruses over twenty years to evolve, and mobile viruses have covered
the same ground in a mere two years. Without doubt, mobile malware is
the most quickly evolving type of malicious code, and clearly still has
great potential for further evolution.