The latest sign that malware writers are refining attacks on mobile devices comes from Mabir-A, a new worm capable of infecting specific devices through clever social engineering and the use of both Bluetooth technology and Multimedia Messaging Service (MMS) messages.
Finland-based AV vendor F-Secure this week began warning that the proof-of-concept Mabir-A worm spreads on Symbian Series 60 devices by pretending to be a returned message from a friend or colleague.
In addition, rather than just rifling through an address book for phone numbers of potential victims, Mabir-A listens for MMS or SMS messages coming into the infected phone and responds to those messages with one of its own. This, of course, increases the likelihood someone will open an attachment. A hint the worm-laden message is bogus: there's no text, just a file with a .sis extension.
There's also an interesting glitch in the code. If the worm finds a phone that goes out of range or rejects file transfer, Mabir will continue trying to send the message to the same phone rather than look for other devices, F-Secure said. That may help mitigate Mabir's propagation potential.
Because of similarities in source code, F-Secure experts believe the author of Cabir is behind this latest creation. Mabir is the third mobile virus among the 20 discovered thus far that uses MMS messages to spread. Experts expect that trend to continue as more mobile devices include that functionality.
Fontal-A is a Symbian Series 60 Trojan that installs a corrupted file that damages the applications manager, preventing the installation of any new applications. F-Secure said the Trojan then causes the phone to fail to reboot. If the user tries to reboot the infected phone, it will be permanently stuck in reboot and must be disinfected before it can be used. F-Secure said the only known method of repairing the phone is to use the reformat key combination, which causes the phone to lose all data.
Unlike Mabir, Fontal-A does not spread by itself, whether over Bluetooth or any other channel. The most common way for a user to get infected is via IRC or P2P file sharing.