
UPDATE: The malware attack against mobile phones is mounting

Helsinki, Finland - December 28, 2004

Evolution in Cabir variants

The security challenges in the mobile environment are similar to the problems we have encountered in the PC world. Open platforms are becoming popular in smartphones; for example, the Symbian operating system is used in more than 20 million mobile phones at the moment.

We've found two new Cabir variants (Cabir.H and Cabir.I, respectively). As mentioned before, we've found several examples of phone malware over the last weeks, especially Cabir and Skulls variants, affecting Symbian Series 60 phones.

However, this time there are two important differences.

First of all, these new variants seem to be recompiled versions based on the original Cabir source code, which means that the Cabir source code is floating around in the underground. That is bad news. We didn't know the sources were out there, and we've never seen them.

The second important difference is that these new Cabir variants fix a flaw that was slowing down the original Cabir's spreading speed. Cabir originally would only spread to one new phone per reboot. This explains why it has so far only managed to spread to eight countries (as far as we know), despite being in the wild for months already.

Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot. As soon as a suitable target phone is seen, the worm sends itself there as a Bluetooth file transmission and keeps sending itself to that phone while it is still in range. Once the target phone leaves the area, Cabir.H will find a new target and continue spreading. This means that in conditions where people move around and new phones come in contact with each other, Cabir.H and Cabir.I can spread quite rapidly.

Apart from spreading, these new Cabirs don't do anything directly destructive or malicious. However, they do block all normal Bluetooth connectivity, and they also drain the infected phone's battery very fast.

We have no reports of Cabir.H and Cabir.I in the wild yet. However, this is probably only a matter of time, as the virus writer behind these variants has publicly posted them on his web page.

Both new Cabir variants are detected by F-Secure Mobile Anti-Virus: http://www.f-secure.com/products/fsmav/

Symbian Series 60 worm/trojan history so far in 2004:

  • June 15th: Cabir.A is found
  • June 16th: Cabir.B is found
  • November 19th: Skulls.A trojan is found
  • November 29th: Skulls.B is found
  • December 9th: Cabir.C is found
  • December 9th: Cabir.D is found
  • December 9th: Cabir.E is found
  • December 21st: Skulls.C is found
  • December 21st: Cabir.F is found
  • December 21st: Cabir.G is found
  • December 26th: Cabir.H is found
  • December 26th: Cabir.I is found

In the future, it is likely that we will also see new kinds of attacks: trojan horses in games, screensavers and other applications, resulting in false billing, unwanted disclosure of stored information, and deleted or stolen user data.

The best way to protect a smartphone against harmful content is to install automated antivirus software on the phone. This is also the only way to get full protection against viruses that try to enter the phone, for example, over Bluetooth or internet connections.

F-Secure Mobile Anti-Virus is the most comprehensive solution available for protecting smartphones against harmful content, from undesired messages to malfunctioning applications. It provides real-time, on-device protection and automatic over-the-air antivirus updates through a patented SMS update mechanism and HTTPS connections.

More information about Mobile offerings from:
http://www.f-secure.com/wireless/

About F-Secure

F-Secure Corporation protects individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus and desktop firewall with intrusion prevention. Our key strength is the speed of response to new threats. For businesses our solutions feature centralized management. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Italy, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of value added resellers and distributors in over 50 countries. F-Secure protection is also available through major Internet Service Providers, such as Deutsche Telekom, France Telecom and Charter Communications.

For more information, please contact:

F-Secure Corporation
Antti Vihavainen
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5357
Fax. +358 9 2520 5001 

