Rogues gallery: who's behind Symbian malware

Symbian malware has been rapidly increasing over the past year. In June 2005 it exceeded the 100 threshold and since then, this figure has risen beyond 160 and shows no signs of stopping.

Symbian malware, like any other malware, does not appear out of thin air: for new variants to appear, someone must create them. In industry parlance we call these people malware authors. They can be divided into two groups: those who create a virus that is at least in part unique, and thus earns a new family name, and the copycats who modify existing malware to create new variants.

Typically, malware authors have no wish to reveal their real names, and as a result anti-virus companies have no information about who they really are behind their online identities. To make things more difficult, in most cases the malware author leaves no signature in his work through which we could trace the source.

In some cases, however, the malware authors can be tracked, either through a signature left intentionally in the malware or through a mistake in the malware code that reveals the author unintentionally. The most notorious Symbian malware authors are ValleZ, the author of Cabir and Mabir; Marcos Velasco, the author of Lasco; and Eldod0r, the author of Commwarrior.

ValleZ, a long-time member of the virus-writing group 29A, created Cabir.A and Cabir.B, the first real cases of Symbian malware. His motivation for creating Cabir was simple: he wanted to be the first to create malware for Symbian that uses Bluetooth wireless technology. This desire to be the first to create a new type of malware on a new platform typifies all the members of 29A, who later release their destructive code to the wider malware community, with predictable results.

Complex creations

The infamous Commwarrior virus is the recognized creation of a Russian virus author going by the name Eldod0r. Unlike ValleZ, little is known about Eldod0r, and he is not known to have created any malware other than Commwarrior variants under that name. What makes Eldod0r unique among his malware peers is the complexity of his creations. His principal motivation, it seems, is to create malware that is as difficult to detect as possible.

Commwarrior.A was the first Symbian malware to use simple stealth techniques, trying to hide by renaming its process to duplicate the name of a randomly chosen system process.
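The stealth trick described above leaves a detectable trace: a second process carrying a trusted system name, running from a path where no system binary should live. The following Python snippet is an added example written for this page, not code from the original article or from F-Secure. It models that detection over a constructed process table; the system process names and executable paths in the baseline are assumptions for illustration, not real Symbian binaries.

```python
from collections import Counter

# Assumed baseline of trusted system processes: name -> executable path.
# These names and paths are illustrative assumptions, not real Symbian binaries.
SYSTEM_PROCESSES = {
    "msgserver": "z:/sys/bin/msgserver.exe",
    "btserver": "z:/sys/bin/btserver.exe",
    "phonebook": "z:/sys/bin/phonebook.exe",
}

# Constructed sample process table: (pid, name, executable path).
# pid 47 is a hypothetical worm that has renamed its process after "btserver".
SAMPLE_PROCESSES = [
    (12, "msgserver", "z:/sys/bin/msgserver.exe"),
    (15, "btserver", "z:/sys/bin/btserver.exe"),
    (21, "phonebook", "z:/sys/bin/phonebook.exe"),
    (47, "btserver", "c:/system/apps/commw/commw.exe"),
    (52, "calc", "c:/system/apps/calc/calc.exe"),
]


def find_masqueraders(processes, baseline=SYSTEM_PROCESSES):
    """Flag processes that carry a trusted system name but run from the wrong path.

    Returns a list of (pid, name, path, copies) tuples, where ``copies`` is the
    number of running processes sharing that name. A renamed worm shows up as an
    extra copy of a system name whose executable lives outside the system path.
    """
    name_counts = Counter(name.lower() for _, name, _ in processes)
    findings = []
    for pid, name, path in processes:
        expected = baseline.get(name.lower())
        if expected is None:
            continue  # no baseline for this name; nothing to compare against
        if path.lower() != expected.lower():
            findings.append((pid, name, path, name_counts[name.lower()]))
    return findings


if __name__ == "__main__":
    for pid, name, path, copies in find_masqueraders(SAMPLE_PROCESSES):
        print(f"pid {pid}: '{name}' runs from {path} ({copies} processes share this name)")
```

The check keys on the executable path rather than on the name alone, because the legitimate system process and the renamed worm share the name by design; on a real device the process enumeration and the baseline would have to come from a trusted source, which is the part the anti-virus engine provides.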

Commwarrior.C was also a Symbian malware first, with an inbuilt feature designed to prevent its removal by deleting any anti-virus application it detected. Fortunately, this feature was defeated by F-Secure with its F-Commwarrior removal tool.

Unfortunately for us at F-Secure, for all we know about ValleZ, Eldod0r and other Symbian malware authors, we lack the most important piece of information: their real-life identities. Although criminal legislation on virus writing varies from country to country, our policy at F-Secure is to give any useful information about virus writers to the authorities of the country concerned.

But not all malware authors are shadowy figures hiding behind their Internet handles. Marcos Velasco, author of Lasco.A and several Cabir variants, is a Brazilian living in Rio de Janeiro who has even given interviews to the media about the viruses he has created. According to those interviews, Velasco was motivated by curiosity and by the fame he gained from creating Symbian viruses. These two motivations would be a poor defence in any European or US court, but since Brazil has no laws on computer crime, he can continue to create viruses with no danger of being arrested.

Introducing the Symbian trojan authors

In addition to the infamous trio above, there are several authors of Symbian SIS file trojans whom we know by their nicknames. These Symbian trojan authors include DJ6230, Helzim, Raghu, Black Symbian, Canisus, Ilaili Radic and many others. They communicate with each other on several public forums, trading information about creating trojans as well as trojan samples. Whenever we detect one of these forums we contact the operators and try to get it shut down.

The SIS file trojan authors work mainly by downloading existing trojan samples, unpacking them and adding new files and functionalities to the packages they create. We have noticed that several authors copy heavily from each other and many trojans also drop Cabir, Commwarrior or other stand-alone malware.

Unlike Commwarrior and its variants, their creations are technically rather simple and easy to detect with generic detection. Currently, F-Secure Mobile Anti-Virus has been able to detect over 80% of cases before we even receive the first sample of the malware. But since many smartphone users have yet to install anti-virus software, even the crudest trojan is able to break the phone and force a complete reformat, with the usual inconvenience and loss of data.

So far, the common theme among all Symbian malware authors is that they create malware for fame among peers, out of curiosity, or simply to do damage. Interestingly, these were the motivations of PC malware authors before the year 2000. This changed, however, at the end of February, when Redbrowser, a trojan and the first mobile malware created explicitly to make money out of unwary recipients, emerged in Russia. Redbrowser, which is classified as J2ME malware, targets all phones running Java software and, through social engineering, tricks the user into sending SMS messages at a cost of USD 5 per message. Although Redbrowser, being a trojan, is not self-replicating, the precedent has now been set for more malware of its type to enter the scene.

In the PC environment, for example, over 95% of new malware is profit-motivated, and it is only a question of time before larger numbers of PC malware authors, attracted by greenfield profits, target mobile devices, or mobile malware authors abandon proof of concept and make money with their creations. Smartphone users beware!

Author: Jarno Niemelä, Senior Antivirus Researcher
