Beware of those Sexy Views!

by Pekka on April 24th, 2009 in Security Tips.

The "Sexy View" worm, alias "SymbOS/Yxes.A!worm", represents a new form of threat with a mobile mission, infecting smartphones...

running the 3rd Edition Symbian S60 Operating System. The Symbian OS S60 4th edition was omitted and Nokia went straight to the 5th edition. The S60 6th edition is slated to be released by the Symbian Foundation at the end of April 2009. New mobiles utilizing the S60 6th edition OS are expected in 2010. Malicious worm and malware entities will most certainly adapt to the updates of the mobile platforms exploiting possible security weaknesses. This raises an imminent need of protection.

Here´s a list of some mobile phones running the third edition of S60.

Nokia; 5500, E50, N93, N73, N92, N80, N71, E61, E60, 3250, N91, N71, E70, N75, N80i and Nokia N95.

The worm that propagates in a whole new way is currently mainly active in China. Approximately 73 million, or about 29%, of the Chinese Netizens accessed the Internet using mobile phones during the first half of 2008 (more info regarding the Internet Networking Context of China available in "Enter the Dragon..."). Nothing is however stopping the worm from dissemination to other areas worldwide.

Mobile malware often propagate utilizing Multimedia Messaging Service messaging (MMS), messaging that allows for sending attachments. The "Sexy View" however propagates by utilizing Short Message Service (SMS) text messages. The infectious anatomy of the "Sexy View" encompasses directing users to a web server from where the malicious worm is downloaded.

How is this possible you might wonder?

Malicious SMS messages, containing the URL to the target web server, are repeatedly sent to all contacts in the user´s infected unit. When propagating in this fashion users may think that the "harmless-looking-yet-interesting" messages are originating from an friend making them look safe and reliable. The usage of social engineering techniques are used in order to make the users visit the presented URL and to get them to download the worm! This way of propagation also increases the dissemination possibilities and the "Sexy View" types of worms can, due to the - many times - vast amount of global contacts in users´ contact lists, easily get an unlimited proliferation.

Symptoms of infection

Users may notice that certain applications on their phone are not working normally when the infection has been a fact. The infected mobile-unit may also post information, such as the subscription number and the phone´s serial, to a remote server controlled by an unknown third party.

Therefore

Clicking such URLs leads to an infection so beware of those links no matter how "sexy" the "view" may be!

Also, do not execute attachments that are carried by MMS messages! Such foreign files may carry malicious elements, such as for example keyloggers, compromising the security of the mobile unit and the user privacy.

Using worms in this manner also allows for creating botnets. The future will tell when we get to experience the first mobile-phone botnets with a plethora of infected "voice-recording-capable-zombie-phones" armed with billing power!

It can therefore not be stressed enough that users should be extremely cautious and avoid clicking and visiting URLs, especially when they are urged by others to do so. Also, malicious code could be camouflaged as games or as other types of applications so remember to exercise the greatest caution when planning to install new applications. Commercial spyware applications such as the "FlexiSpy" software can be downloaded directly to a mobile-phone making it possible for an outsider to spy on all forms of conversations. Users should therefore Keep track of their password protected phone at all times and avoid lending it to others who might install spyware on it. Such commercial spyware are available for mobile-phones based on Symbian, BlackBerry and Windows Mobile platforms. Commercial spyware are also available for the Apple iPhone.

The Symbian Foundation states that "By 2010 we expect four billion people to have joined the global mobile conversation. For many of these people, their mobile will be their first Internet experience, not just their first camera, music player or phone."

Let´s hope that the "global mobile conversation" will be a safe one. Be aware and stop the threats at an early stage by acting, not just reacting!   

Pekka Andelin

Lavasoft Malware Labs