Dark Reading

A more sophisticated variant of a wily worm is using a Symbian-certified application to infect its victims via text messages, while also demonstrating botnet-like behavior, prompting some researchers to warn that it's a smartphone botnet in the making.

The so-called Sexy View/Sexy Space malware has researchers split over whether to officially call it a botnet. While Trend Micro says it's indeed a smartphone botnet, F-Secure is less convinced. "It's almost a stretch to call it a botnet, or at least a botnet in the sense that we normally think of them," says Patrik Runald, chief security advisor for F-Secure, which reported the first version of the worm to Symbian in February.

While the worm is able to update the SMS template it uses while spreading, it doesn't have other bot features, he says. "When we think of botnets, we think of a malicious program that calls home for further instructions," such as updating malware, attacking a Website, sending email, or installing an application, he says. "Sexy View does one of those features, which is the ability to update the SMS template it uses when spreading...But Sexy View doesn't have any of the other features we normally take for granted in a bot. So although it can be called a botnet, it's a very simple one with very limited, for now at least, functionality."

Jamz Yaneza, threat research manager for Trend Micro, says Sexy View/Sexy Space was actually a bot in its first iteration in February, but it was unable to successfully spread because its host site was taken down. "This mobile worm starts to steal your information, and it monitors the Websites you go to, and when you connect to the network for an update, it will do something else. That's why it has the makings of a bot," Yaneza says.

Trend Micro is investigating the host it's communicating with, he says, which appears to be out of China. Yaneza says the worm has hit more victims, although Trend Micro has no official numbers.

Botnet or not, the attack sends malware posing as a legitimate Symbian phone app with a Trojan Micro. It steals the victim's subscriber, phone, and network information, and transmits that data to a Website. It also spams SMS messages to contacts on the user's phone to continue its spread, according to Trend Micro.

The worm sends an SMS message with a URL, which, when clicked, prompts the user to install the software -- if you click "yes," then you're infected.

"It's the first malware we've seen for Symbian that is signed. This means that there's less warnings for the user when installing it. They only have to select 'yes' once, and after that, they're infected," F-Secure's Runald says. "Other malware we've seen requires the user to select 'yes' three or four times to be infected."

Runald says F-Secure believes the attackers abused a feature where Symbian allows developers to automatically sign software with specific limitations. "We believe this is how they were able to get it signed," he says.

Experts say users can protect themselves from this attack by not visiting links they receive in SMS messages, and by installing antivirus software on their smartphones.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.