‘Sexy view’ worm takes first step towards mobile botnets

A new short messaging service (SMS) worm has been detected in the wild, with the potential to change the rules of the game when it comes to mobile cybercrime.

Security vendor Fortinet's FortiGuard Global Security Research Team has revealed details of a new worm it has detected, which targets handsets running a version of the Nokia-owned Symbian operating system (OS).

The SymbOS/Yxes.A!worm worm propagates itself by gathering phone numbers from the infected device's file system. It then repeatedly attempts to send SMS messages to those phone numbers inviting recipients to "click here to see sexy girls". Because of this, it's been termed "Sexy View".

The SMS features a malicious web address that, once visited, downloads a copy of the worm.

The worm bears a valid certificate signed by Symbian, and installs as a valid application on factory mobile devices running the third edition of Symbian OS S60.

Guillaume Lovet, head of the threat research team at Fortinet, told IT PRO that handset owners are unlikely to be aware their data has been compromised, as the message propagating it will originate from a known contact.

"It's worse than Facebook say, because you tend to have more trust in people whose numbers you have in your phone," he said. "And it's meant to be stealthware, as there's no sign, like new icons, that it's been downloaded. The only thing you will see is your SMS bill grow."

The Sexy View worm could potentially infect any phone running the vulnerable Symbian OS version, including a wide range of Nokia models. But it may run on a wider range of devices, as it has been reported to function on phones operating SymbianOS S60 3rd edition FP 1, like the Nokia N73.

Lovet added: "We could not get it [the worm] to do anything on the N90, which is the most popular device running this OS. But that could be because the handset we tested did not have the configuration the worm was expecting."

The worm's aim is to gather personal intelligence on the infected victim - such as the serial number of the phone, subscription number - and post it to a remote server, likely controlled by cyber criminals.

"This is a step towards the first mobile botnet," observed Lovet. "Smartphones are basically more like PCs nowadays, but they have a billing system."

Although the purpose of worm's gathering of such data was not clear, he said it could be used to initiate mass downloads of paid-for ringtones and games netting potentially large sums for criminals or even to spread new viruses.

Nokia's press office said in a statement: "We have received a note from Nokia Beijing concerning S60 3rd Edition malware spreading in China. To our knowledge, this malware has not been identified elsewhere.

"Nokia takes security seriously in all phases of the mobile communication systems development process, and will continue to investigate and analyse this malware using our normal processes and comprehensive testing."

The mobile firm also reminded users about the importance of their own awareness. "Users can help to protect their mobile device against harmful applications by their own actions, for example exercising caution when opening unknown web links they have received in their devices, accepting applications sent via Bluetooth or opening MMS attachments, as they may include software harmful to their devices," it added.