10 years since World’s first Mobile Malware

From Cabir to FakeDefend, the last decade has seen the number of mobile malware explode.

In 2013, Fortinet’s FortiGuard Labs say they have seen more than 1,300 new malicious applications per day and is currently tracking over 300 Android malware families and over 400,000 malicious Android applications.

Besides the sheer growth in numbers, another important trend to note is that mobile malware has followed the same evolution as PC malware, but at a much faster pace. The widespread adoption of smartphones and the fact that they can easily access a payment system (premium rate phone numbers) make them easy targets which can quickly generate money once infected. Furthermore, they have capabilities such as geo-location, microphones, embedded GPS and cameras, all of which provide for a particularly intrusive level of spying on their owners. Like PC malware, mobile malware quickly evolved into an effective and efficient way of generating a cash stream, supporting a wide range of business models.

In the following chronology, FortiGuard Labs looks at the most significant mobile malware over the last 10 years and explains their role in the evolution of threats:

2004: The first attempt!

Cabir was the world’s first mobile worm. Designed to infect the Nokia Series 60, its attack resulted in the word « Caribe » appearing on the screen of infected phones. The worm then spread itself by seeking other devices (phones, printers, game consoles…) close to it using the phone’s Bluetooth capability.

Note: Experts believe that the worm was developed by the hacker group called 29A as « proof of concept » due to its relatively inoffensive character.

2005: Adds MMS to the mix

CommWarrior, discovered in 2005, picked up where Cabir left off by adding the ability to propagate itself using both Bluetooth and MMS. Once installed on the device, CommWarrior would access the infected phone’s contact file and send itself via the carrier’s MMS service to each contact.  The use of MMS as a propagation method introduced an economic aspect; for each MMS message sent, the phone’s owner would incur a charge from their carrier.  In fact, some operators have stated that up to 3.5% of their traffic was the result of CommWarrior and eventually agreed to reimburse the victims.

The virus, which also targeted the Symbian 60 platform, has been reported in more than 18 countries across Europe, Asia and North America. 115,000 mobile devices were infected and more than 450,000 MMS were sent without the knowledge of victims, showing for the first time that a mobile worm could propagate as quickly as a PC worm.

Note: At the time, Symbian was the most popular smartphone platform with tens of millions users around the world. However, the objective behind CommWarrior was to propagate itself as widely as possible and not to profit from the charges incurred through the MMS messages.

2006: Following the money

After the demonstrated successes of Cabir and CommWarrior, a Trojan with the name of RedBrowser was detected and had several key differences from its predecessors.  The first was that it was designed to infect a phone via the Java 2 Micro Edition (J2ME) platform.  The Trojan would present itself as an application to make browsing Wireless Application Protocol (WAP) websites easier.  By targeting Java, which was universally supported, rather than the device’s operating system, the Trojan’s developers were able to target a much larger audience, regardless of the phone’s manufacturer or operating system.  The second, and perhaps more important difference, is that the Trojan was specifically designed to leverage premium rate SMS services.  The phone’s owner would typically be charged approximately $5 per SMS, another step towards the use of mobile malware as a means to generate a cash stream.

Note: Until the emergence of RedBrowser, it was thought impossible to have a single piece of malware that could infect a wide range of mobile phones, phones with different operating systems. The use of J2ME as an attack vector was an important milestone during this period, as was the use of SMS as a cash generation mechanism.

2007-2008:  A period of transition:

During this two year period, even though there was stagnation in the evolution of mobile threats there was an increase in the number of malware that accessed premium rate services without the device owner’s knowledge.

2009: The introduction of the Mobile Botnet

In early 2009, Fortinet discovers Yxes (anagram of « Sexy »), a malware which is behind the seemingly legitimate « Sexy View » application.  Yxes also had the distinction of being a Symbian certified application, apparently taking advantage of a quirk within the Symbian ecosystem that allowed developers to “sign off” applications themselves.

Once infected, the victim’s mobile phone forwards its address book to a central server.  The server will then forward a SMS containing a URL to each of the contacts.  By clicking on the link in the message, a copy of the malware is downloaded and installed and the process is repeated over and over again.

The spread of Yxes was largely limited to Asia where it has infected at least 100,000 devices in 2009.

Note: Yxes was another turning point in the evolution of mobile malware for several reasons. First, it is considered as the first malware targeting the Symbian 9 operation system. Secondly, it was the first malware to send an SMS and access the Internet without the mobile user’s knowledge, which was a technological innovation in malware. Finally, and perhaps most importantly, the hybrid model that it used to propagate itself and to communicate with a remote server, made Anti Virus analysts dread the fact that this was perhaps a forewarning for a new kind of virus : botnets on mobile phones.  Future events would later validate that perception.

2010: The industrial age of Mobile Malware

2010 marked a major milestone in the history of mobile malware; the transition from geographically localized individuals or small groups to large scale, organised cybercriminals operating on a worldwide basis.  This is the beginning of the era of « industrialisation of mobile malware » where attackers realized that mobile malware can easily bring them a lot of money and decided to exploit them more intensely.

2010 was also the introduction of the first mobile malware derived from PC malware.  Zitmo, Zeus in the Mobile, was the first known extension of Zeus, a highly virulent banking Trojan developed for the PC world.  Working in conjunction with Zeus, Zitmo is used to bypass the use of SMS messages in online banking transactions, circumventing the security process.

There was other malware in the headlines as well this year, most notably Geinimi.  Geinimi was one of the first malware designed to attack the Android platform and use the infected phone as part of a mobile botnet.  Once installed on the phone, it would communicate with a remote server and respond to such a wide range of commands, such as installing or uninstalling applications, that it could effectively take control of the phone.

Note:  While the introduction of mobile malware for Android and mobile botnets were certainly significant events during 2010, they were out shadowed by the growing presence of organised cybercriminals who began to leverage the economic value of mobile malware.

2011: Android, Android and even more android!

With attacks on Android platforms intensifying, 2011 saw the emergence of even more powerful malware.  DroidKungFu, which even today is still considered one of the most technologically advanced viruses came into existence and had several unique characteristics. The malware included a well known-exploit to “root” or become an administrator of the phone – uDev or Rage Against The Cage – giving it total control over the phone and thereafter contacting a command server.  It was also able to evade detection by anti-virus software, the first battle in the ongoing war between the cybercriminals and the anti-virus development community. Like of most the viruses before it, DroidKungFu was generally available from unofficial third party app stores and forums in China.

Plankton also arrived on the scene in 2011 and is still one of the most widespread Android malware. Even on Google Play, the official Android apps store, Plankton appears in a large number of apps as an aggressive version of adware, downloading unwanted ads to the phone, or changing the homepage of the mobile browser or adding news shortcuts and bookmarks to the mobile phone.

Note: With Plankton, we’re now playing in the big leagues!  Plankton is one of the top 10 most common viruses across all categories putting it in the same category with as the top PC viruses.  The days of the mobile malware lagging behind their PC counterparts are over.  With Plankton alone, there are more than 5 million infected devices.

2013: Game On – New modes of attack

2013 marked the arrival of FakeDefend, the first ransomware for Android mobile phones. Disguised as an anti-virus, this malware works in a similar way to the fake antivirus on PCs. It locks the phone and requires the victim to pay a ransom (in the form of an exorbitantly high Anti-Virus subscription fee, in this case) in order to retrieve the contents of the device.  However, paying the ransom does nothing for the phone which must be reset to factory settings in order to restore functionality.

It was also in 2013 that Chuli appeared, the first targeted attack including an Android malware. The email account of an activist of the World Uyghur Conference, held 11-13 March 2013 in Geneva, was used to target the accounts of other Tibetan Human Rights activists and advocates. The emails sent from the hacked account included Chuli as an attachment.  That malware was designed to collect data such as incoming SMS, contacts of the SIM card and phone, location information, and recorded victim’s phone calls. All this information was then sent to a remote server.

Note: 2013 can be considered as the year of “turning pro” for mobile attacks. More targeted and more sophisticated, malware like FakeDefend or Chuli are examples of attacks that can be compared to those we know of today in the PC world.

Moreover, with an attack like Chuli, it’s perfectly reasonable to ask whether we are entering into an era of mobile cyber-war and the beginning of the potential involvements of governments and others national organisations in the origin of these attacks…

What’s next? In the area of cybercrime, it is always difficult to predict what will happen next year and even more so over the next 10 years. The landscape of mobile threats has changed dramatically over the past decade and the cybercriminal community continues to find new and increasingly ingenious ways of using these attacks for one sole purpose – making money.

However, with the explosion of smartphones and other mobile technologies, a reasonable prediction is the convergence of mobile and PCs malware. All malware will then be “mobile” as everything will become “mobile”.

Beyond mobile devices, the most likely future target for cybercriminals is The Internet of Things (IoT). While extremely difficult to forecast the number of connected objects on the market in the next 5 years, Gartner estimates 30 billion objects will be connected in 2020 whereas IDC estimates that market to be 212 billion. As more and more manufacturers and service providers capitalize on the business opportunity presented by these objects, it’s reasonable to assume that security has not yet been taken into account in the development process of these new products. Will the IoT be “The Next Big Thing” for the cybercriminal?