Cell Phone Virus - Yenra

Cabir variants of phone malware based on original source code block Bluetooth connectivity and drain the battery

Mobile

The security challenges in the mobile environment are similar to problems in the PC world. Open platforms are becoming popular in smartphones; for instance, the Symbian operating system is used in more than twenty million mobile phones.

F-Secure has found two new Cabir variants (Cabir.H and Cabir.I, respectively). They have found several examples of phone malware over the last weeks, especially Cabir and Skulls variants, affecting Symbian Series 60 phones.

However, this time there are two important differences.

First of all, these new variants seem to be recompiled versions based on original Cabir source code. Which means that the Cabir source code is floating around in the underground -- bad news.

Second important difference is that these new Cabir variants fix a flaw that was slowing down original Cabir's spreading speed. Cabir originally would only spread to one new phone per reboot. Which explains why it so far has only managed to spread to eight countries, despite being in the wild for months already.

Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot. As soon as a suitable target phone is seen, the worm sends itself there as a Bluetooth file transmission and keeps sending itself to that phone while it is still in range. Once the target phone leaves the area, Cabir.H will find a new target and continue spreading. This means that in conditions where people move around and new phones come in conctact with each other, the Cabir.H and Cabir.I can spread quite rapidly.

In addition of spreading, these new Cabirs don't do anything directly destructive or malicious. However, they do block all normal Bluetooth connectivity and they also drain the infected phones battery very fast.

F-Secure has no reports of Cabir.H and Cabir.I in the wild yet. However, this is probably only a matter of time, as the virus writer behind these variants has publicly posted them on his web page.

Both new Cabir variants are detected by F-Secure Mobile Anti-Virus.

Symbian Series 60 worm/trojan history so far in 2004:

June 15th: Cabir.A is found
June 16th: Cabir.B is found
November 19th: Skulls.A trojan is found
November 29th: Skulls.B is found
December 9th: Cabir.C is found
December 9th: Cabir.D is found
December 9th: Cabir.E is found
December 21st: Skulls.C is found
December 21st: Cabir.F is found
December 21st: Cabir.G is found
December 26th: Cabir.H is found
December 26th: Cabir.I is found

In the future, it is likely that new kinds of attacks will be seen: trojan horses in games, screensavers and other applications - resulting in false billing, unwanted disclosure of stored information, and deleted or taken user data. The best way to protect a smartphone against harmful content is to install automated antivirus software to the phone. This is also the only way to get full protection against viruses that try to enter the phone for example over Bluetooth or Internet connections.

F-Secure Mobile Anti-Virus is a comprehensive solution for protecting smartphones against harmful content, from undesired messages to malfunctioning applications. It provides real-time, on-device protection and automatic over-the-air antivirus updates through a patented SMS update mechanism and HTTPS connections.