Nokia's Symbian OS is under attack from a new worm that is spreading via text messages and Internet access, crippling victims' phones.
To get security news and tips delivered to your inbox, click here to
In an advisory, security vendor Fortinet Inc. warned Nokia phone users to be aware of the threat. The Yxes.A!worm attacks phones running SymbianOS S60 3rd Edition used by Nokia 3250 and N73 phones and may be able to run on other devices, said Derek Manky, a cybersecurity and threat researcher with Fortinet's FortiGuard Global Security Research team.
Fortinet is not releasing any information on the size of the attack. Details of infections first surfaced on Web forums in Asia.
The attack is only successful if Yxes tricks a person into clicking a malicious link sent in a text message. Once infected, the worm attempts to send SMS messages to other people in the victim's phone log. Users must have Internet browsing enabled for the attack to work, Manky said.
The worm is also destructive, crippling a victim's phone by killing certain processes such as the task or application manager, Manky said.
"By killing processes and disabling them it is damaging to them and a form of denial-of-service," he said.
Security researchers have taken an increased interest in Yxes since it appears to be much more sophisticated than previous worms. The 2004 Cabir worm attacked Symbian phones by spreading through file attachments shared via Bluetooth and memory cards. The 2005 Commwarrior worm was the first to spread via MMS messages, but still spread via file attachments. Yxes spreads much faster through SMS text messages. It also can be mutated since it spreads by downloading a new copy of itself from a malicious Web server. Cybercriminals can add or remove functionality, tweaking it to target a specific area or commanding it to gather more data.
"Mobile worms have been pretty primitive because they're spreading attachments of itself," Manky said. "Yxes can spread more efficiently and its copies are hosted on malicious servers giving the cybercriminals more control."
Yxes gathers information about the victim's device and posts it to a remote server where cybercriminals can view the data. Yxes is attempting to contact domains registered in China. The IP is in Atlanta, Manky said. Cybercriminals typically use harvested data to determine how well the worm is spreading and where it is spreading.
"We're getting to the point where we've got a very wide user base and they're becoming increasingly complex and more integrated with other infrastructure and that whole area is already very active in terms of cybercriminal activity," Manky said. "Now there's this bridge being created between existing infrastructure, seeded with threats and the telecom industry with devices."