Mobile phone malware writers are up to no good again. A security vendor has detected a new variant of an aggressive Russian mobile worm that uses some alarming new tricks.
Like its earlier relatives, Commwarrior.Q will jump onto another phone using a short-range Bluetooth wireless connection, according to Finnish antivirus company, F-Secure. It also spreads via multimedia messaging service (MMS) or by an infected memory card inserted into a device.
Commwarrior.Q is not spreading widely. But the worm has new traits that make it particularly aggressive and it appears to be one of the most complex pieces of mobile malware created to date, vice-president of mobile security for F-Secure, Antti Vihavainen, said
Commwarrior.Q will continuously send MMS messages from midnight to 7 am to people in an infected phone's address book. It cleverly assembles a text message from the phone's sent file, making it appear legitimate, Vihavainen said.
After 7am, however, Commwarrior.Q stops that action, as it would be noticeable to the user. It then starts scanning other phones to infect via Bluetooth. Commwarrior.Q will infect any Symbian OS application installation files, called SIS files. Unlike its predecessors, the SIS files that Commwarrior.Q infects take on random names, making them harder to identify. Previous versions of Commwarrior used the same file name, F-Secure said.
The SIS files also range in size from 32,100 to 32,200 bytes, making them hard to distinguish from MMS messages if mobile operators wanted to filter them out of their networks, Vihavainen said.
Commwarrior.Q couldn't automatically infect a phone, however, Vihavainen said. A user would be prompted if they received an infected SIS file, and they had to accept the file. Users also got another security prompt. After that, however, Commwarrior.Q would start running.
F-Secure had notified mobile operators of the worm, he said. Operators could potentially filter out all transfers of SIS files between phones, but that would reduce functionality.
Commwarrior.Q affects Symbian Series 60 phones that used Symbian OS version 8.1 or older, F-Secure said.
Users may eventually know if they are infected, as Commwarrior.Q intermittently displays an HTML page with text that says, in part, "No panic please, is it very interesting to have mobile virus at own phone."
Commwarrior was first seen in 2005, and several variants have been detected. One version, Commwarrior.B, sends continuous MMSes, draining the phone battery. When charged, the phone won't reboot.
Commwarrior.Q did not damage data on a phone, Vihavainen said. But a user could incur high phone charges caused by the worm sending messages during the night.
Mobile malware is not widespread but researchers say it could become more prevalent as people use more complex mobile devices.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.
Comments
Post new comment