Aggressive mobile worm uses alarming new tricks

Mobile phone malware writers are up to no good again. A security vendor has detected a new variant of an aggressive Russian mobile worm that uses some alarming new tricks.

Like its earlier relatives, Commwarrior.Q will jump onto another phone using a short-range Bluetooth wireless connection, said F-Secure Corp., an antivirus company based in Helsinki. It also spreads via MMS (multimedia messaging service) or by an infected memory card inserted into a device.

Commwarrior.Q is not spreading widely. But the worm has new traits that make it particularly aggressive and it appears to be one of the most complex pieces of mobile malware created to date, said Antti Vihavainen, vice president of mobile security for F-Secure.

Commwarrior.Q will continuously send MMS messages from midnight to 7 a.m. to people in an infected phone’s address book. It cleverly assembles a text message from the phone’s “sent” file, making it appear legitimate, Vihavainen said.

After 7 a.m., however, Commwarrior.Q stops that action, as it would be noticeable to the user. It then starts scanning other phones to infect via Bluetooth.

Commwarrior.Q will infect any Symbian OS application installation files, called SIS files. Unlike its predecessors, the SIS files that Commwarrior.Q infects take on random names, making them harder to identify. Previous versions of Commwarrior used the same file name, F-Secure said.

The SIS files also range in size from 32,100 to 32,200 bytes, making them hard to distinguish from MMS messages if mobile operators wanted to filter them out of their networks, Vihavainen said.

Commwarrior.Q can’t automatically infect a phone, however, Vihavainen said. A user will be prompted if they receive an infected SIS file, and they have to accept the file. Users also get another security prompt. After that, however, Commwarrior.Q will start running.

F-Secure has notified mobile operators of the worm, Vihavainen said. Operators could potentially filter out all transfers of SIS files between phones, but that would reduce functionality, he said.

Commwarrior.Q affects Symbian Series 60 phones that use Symbian OS version 8.1 or older, F-Secure said.

Users may eventually know if they are infected, as Commwarrior.Q intermittently displays an HTML (Hypertext Markup Language) page with text that says, in part, “No panic please, is it very interesting to have mobile virus at own phone.”

Commwarrior was first seen in 2005, and several variants have been detected. One version, Commwarrior.B, send continuous MMSes, draining the phone battery unbeknownst to users. When charged, the phone won’t reboot.

Commwarrior.Q does not damage data on a phone, Vihavainen said. But a user could incur high phone charges caused by the worm sending messages during the night, he said.

F-Secure advisory is at this Web site.

Mobile malware is not widespread but researchers say it could become more prevalent as people use more complex mobile devices.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now