Sexy Space Threat Comes to Mobile Phones
by George Lawton
Security researchers have discovered Sexy Space, the first mobile malware able to send and receive information from a remote server and spread via SMS, the short-message-service standard used worldwide for text messaging. The malware's communications abilities have raised concerns that it could portend the rise of mobile phone botnets.
Sexy Space spreads via SMS by encouraging a recipient to download an application to view sexy women. But when the application runs, nothing appears to happen, said Patrick Runald, chief security advisor at F-Secure. "There are no sexy women or anything else. From a social engineering perspective, it would have been more successful if you had seen sexy women, but that is not the case."
Once the malware has been installed on a new phone, it sends messages to all the contacts in the phone book. Recipients must visit the link and agree to install the application. However, there are no security warnings.
Runald called Sexy Space an SMS worm because it can automatically propagate to other users. However, Craig Heath, Symbian's chief security technologist, argues that Sexy Space is a Trojan horse rather than a worm, because it can't spread without human intervention. It can only transmit a link to a copy of itself, which the end user must then open.
Runald said the majority of mobile malware applications are simple Trojans that cannot be shared between phones. They are generally only spread on top of other applications downloaded via the Internet. Other worms have included Commwarrior which can be transmitted via Bluetooth, and Cabir which could be transmitted via Bluetooth and MMS. But these worms only worked on Symbian S60 Second edition, which was replaced by the S60 Third edition in 2006.
First Signed Malware
Another unique aspect of Sexy Space is that it's signed by Symbian. In the default mode, a Symbian phone will let users run unsigned applications with a security warning. A signed application doesn’t raise any warning messages.
Runald said that he's seen signed spyware applications that must be purchased, but this is the first time a malware creator has gone through the trouble to run an application through the Symbian signing process.
Symbian developers are required to obtain a publisher ID from a reputable certificate authority (CA). Symbian supports both VeriSign and TC Trust Center publisher certificates. The publisher ID provides assurance that developers can be reliably identified if they misuse the signing services. Developers can choose to use Certified Signed or Express Signed certificates. All Certified Signed applications are submitted to an independent, third-party test house for assessment against published test criteria.
Only a proportion of the Express Signed applications are audited by a test house, said Heath. However, developers must declare that they have run the tests themselves and verified that the application passed. If a developer states that an application passes the test criteria, but an audit shows that it doesn't, the developer is blocked from submitting further applications via Express Signed.
Each signed application receives a unique content certificate. Any application that subsequently proves to be damaging or malicious can therefore be individually revoked. When the application is installed on a phone, the phone can check the status of the certificate to see if it's revoked and, if it is, can refrain from installing the application.
Botnet Concerns Overhyped
Sexy Space can download the SMS message template and send the malware to phone numbers listed in the phone's address book. It can also transmit the International Mobile Equipment Identity number, which is a unique identifier for each phone to the server. Runald noted that some people claim these communication capabilities make Sexy Space the first mobile botnet, but he believes a true botnet would require more capabilities.
In its current state, the malware appears to cause no significant harm to the user or the phone. Runald said it might cost some money for sending text messages but doesn’t render the device useless or compromise data. "However, it might be an embarrassment if you are sending malware to friends and colleagues," he noted.
Heath said the application can be removed without any special security software by simply using the normal uninstall procedure built into Symbian. He also pointed out that no variants found so far include other malware or damage the system or the network in any way.
