A history of mobile malware from Cabir to SMS Thief

If there is one device that has captured the digital zeitgeist, it’s perhaps the smartphone. It has become such a constant that today, on average, people will check their mobiles 85 times a day.

That seems like quite a high number, but when you consider how practical these devices are – for keeping in touch with friends and family, looking at and sharing photos, managing finances via online banking and updating our activities on social media – it doesn’t seem that excessive.

Regardless, what’s clear is that smartphones contain – and provide access to – swathes of personal and sensitive information, a little fact that has not gone unnoticed by cybercriminals. Needless to say, over the years, they’ve opened up a new front of activity, using malware to extract data and make money.

What is mobile malware and what does it do? 

The first real mobile malware, Cabir, was released in 2004. It targeted the Symbian operating system, used primarily by Nokia, and spread via Bluetooth. The worm was sent out by attackers as a proof of concept and was soon built upon for more malevolent purposes.

In the ensuing 12 years, mobile malware has become widespread, more sophisticated and deployed for all sorts of reasons: spyware gathers information secretly and relays it to a third party; trojans hitch a ride on legitimate programs and then cause trouble; phishing apps are used by fraudsters; and bots covertly lurk in the dark, patiently waiting to strike when users access their online banking accounts.

The first malware data thefts began in 2005. And, as the industry moved on from WAP technology to more complex and ‘smarter smartphones’, the malware capabilities – which up to that point had been largely confined to desktop devices – kept pace.

Sensitive personal information

By 2011 there was an explosion of mobile malware. Suddenly everyone had a smart device and there were nefarious programs being reported to researchers every week. The more apps we downloaded, the more malicious wares got their cyber-tentacles into our phones.

So where does that leave us today? From Apple iOS to Windows and Blackberry, no mobile is immune to malware.

“Recently, mobile malware is a huge problem,” says Lukas Stefanko, malware researcher at ESET. “Users have more personal and sensitive information in their smart devices, including text messages, contacts, photos, emails etc. Plus, they are more vulnerable to social engineering attacks from social networks like Facebook or Twitter.”

Here’s a rundown of some the most notable mobile malware.

2004 – Cabir

In its role as a pioneering piece of mobile malware, Cabir wasn’t all that pernicious. In the first place it was quite difficult for phones to be infected. The worm was sent out via Bluetooth and phone users had to agree to download it. An infected phone would display the message “Caribe” every time it was turned on. It would also search for other phones and, if Bluetooth was on, would push itself onto them, thereby spreading itself. Cabir is believed to have been developed by a group of international attackers calling themselves 29A.

2005 – CommWarrior

When CommWarrior arrived, it extended the propagation vector from just Bluetooth to include sending out infected MMS messages to the phone’s contacts book. Once a message is opened the worm attempts to install itself on the other phone. It was particularly effective because the recipients of the text message thought it was from one of their contacts and so tried to download it. There was also a secondary method of infection: after the MMS had installed it, the infected phone would push the virus out to any nearby Bluetooth-enabled devices.

2006 – RedBroswer

This was the first trojan that could infect multiple mobile phone platforms. It could run on devices supporting Java 2 Micro Edition like Nokia, Siemens or Samsung. It sent messages with actions, such as claiming that it was a Wireless Application Protocol browser, which would allow users to view WAP page contents via free SMS messages. But what it was actually doing was sending SMS messages to premium-rate numbers abroad, resulting in financial loss for the phone user, and a tidy trickle of income for cybercriminals.

2007 – FlexiSpy

FlexiSpy is one of the earliest forms of Spyware. The trojan, hidden from a user’s view, monitors calls and messages. It proved very successful at extracting all of the compromised mobile’s activity: recording voice calls, gathering SMS information, phonebook details and sending them to a remote server. Worse than ordinary malware activity, normally executed upon hapless victims unconnected to the cybercriminal, FlexiSpy continues to be advertised as at solution for people who wanted to spy on their spouses.

2008 – InfoJack

InfoJack was a trojan infecting Windows Mobile, which leaked information from the device to a home server when it connected to the internet. It could also download and install other applications without a user knowing. Sneakily, it was able to change security settings on the device to allow installation of other apps without any security warnings. The malware was also capable of frustrating cleanup efforts by copying itself back onto disk to protect itself from deletion.

2009 – ikee

Sounding like the misspelling of a popular Swedish flat pack furniture brand, ikee was a iOS worm distributed between jailbroken Apple devices that had OpenSSH. Users were vulnerable if they hadn’t bothered to change the default password, which was “alpine”. An infected device had its wallpaper changed either to a photo of the malware author or, hilariously, to “Never Gonna Give You Up” singer Rick Astley.

2010 – Zitmo

This was an example of a dangerous malware moving from a PC environment and into mobile one. Zeus, in its desktop form, was responsible for robbing thousands of online banking customers. A trojan horse, Zitmo, or Zeus-in-the-mobile, targeted internet banking, stealing transaction authorization numbers. It has been detected on multiple platforms, including Android, Blackberry, Windows Mobile and Symbian users. The mobile version is believed to have largely targeted European countries.

2011 – DroidDream

Google Play has been plagued by app problems with malicious functionality included in more than 50 apps on official Play Store with thousands of downloads. The main function of the trojan DroidDream was straightforward: to send sensitive information to remote server and silently install other apps on the infected device. In 2011 Google pulled the 50 apps found to be infected with DroidDream from the Play Store.

2012 – Boxer

This was yet another SMS trojan that found its way into Android. At the time it was reported that it was targeting 63 different countries, reading the MCC (Mobile Country Code) and MNC (Mobile Network Code) codes from the infected device. Boxer was distributed via messages and, once users agreed to download the application, it automatically installed a host of other applications. Then, once it had sent an SMS that propagated itself, it would download a modified application that would send messages to premium numbers.

2013 – FakeDefender

FakeDefender was probably the first example of ransomware (a program that disables until a sum of money is paid) targeting Android. It was also a typical fake antivirus, as it displayed information about bogus security alerts in order to get the mobile user to buy a security app that did not exist and would not work. Once installed it presented the user with a picture of an animal peering out of the letters “OZ”, with a subhead reading “Android Defender”.

2014 – Simplocker

The parallels between malware on mobile and the PC environment can be seen further in Simplocker, which is a piece of Android ransomware which scans the SD card of a device for certain file types and encrypts them. Simplocker is the first malware of the Filecoder family aimed at Google’s operating systems. It corrupts files with common extensions such as .jpeg, .mp4 and .png.

2015 – Gazon

Gazon sends a text message containing a shortened link to itself via text message. Unfortunate recipients will receive a phishing text offering them a $200 Amazon gift card. Once a user downloads and installs the application, it will be re-sent to all the user’s contacts and display unsolicited adverts. It is clever because it includes a series of scam pages and links to other spam. The financial incentive, plus the use of popular shopping brand Amazon, has meant that thousands of users have fallen victim.

2016 – SMS Thief

This application pretty much does what it says on the tin. SMS Thief is a family of malicious apps that steals stored text messages. It is tricky to uninstall and is largely hidden from the user, running in the background as they continue to text and make calls. Meanwhile it quietly intercepts, copies and forwards all messages from the phone. This approach is popular among fraudsters as it puts personal information into the public realm. But it also a double-whammy for victims who will often also find themselves paying huge bills as it sends SMSs to premium rate numbers.

If this feature has piqued your interest, ESET’s solutions engineer Ben Reed and malware researcher Lukáš Štefanko will be delivering a webinar on mobile security threats on November 16th, 2016.