It affected Nokia devices, was considered a breakthrough in virus writing

Jun 16, 2014 10:34 GMT

The numbers regarding mobile malware evolution for 2013 are quite alarming if you consider that, at the beginning of the year, the number of installation packages detected was 6 million and in December the figure grew to almost 10 million.

The information was provided by Kaspersky some time ago and showed that Android was the preferred target, 98.05% of the attacks being devised for this platform.

Kaspersky also happens to be the security company that performed an analysis of the first smartphone malware ten years ago, back in 2004.

As smartphones were relatively new at that moment, the capabilities of the threat were not fully developed, and at the beginning, the malicious file’s damage consisted of discharging the battery of the mobile device in about a couple of hours.

Eugene Kaspersky described in a blog post the entire process of deciphering the malware, from security researchers getting their hands on the sample to creating a special environment for testing it.

The sample, designed for Nokia smartphones (running Symbian), would disseminate through an insecure Bluetooth connection to other devices and would keep looking for new targets to infect. Constant searching for fresh targets would lead to draining the battery of the host “in just two to three hours.”

The worm, named Cabir by the research team and Caribe by its author, did not have any other functionality; only later malware developments were equipped with money-making capabilities, such as sending messages to premium-rate numbers owned by the cybercriminals themselves.

As Eugene Kaspersky puts it, Cabir was created by 29A, “the most legendary group of virus writers in history,” and “each creation of 29A was a breakthrough, used afterwards by other virus writers, and then by cybercriminals.”

29A was not a group of cybercriminals but of “virus writers creating malware to test and demonstrate new virus technologies.”

This initial behavior of the malware, which may seem more of a prank to most victims, is equivalent to testing the ability of the threat to spread before it is given functions that deal financial blows to the victim.

Since Cabir spread automatically through an insecure connection, it needed a special environment for testing purposes. As such, Kaspersky built a room with zero mobile coverage and with all communications jammed so that viruses could not spread beyond its walls.

A highly publicized incident involving Cabir occurred in 2005 in Finland, home country of Nokia, during a sports competition. The stadium where the event took place was packed with spectators, one of whom owned an infected phone.

It so happened that an F-Secure researcher attended the event and got his phone infected. As a result, the security company offered to install a Bluetooth scanner that checked the phones for the Cabir infection.

Although Cabir was nothing but a way to test new virus technologies, it later opened the door for cybercriminal activity. Today, sophisticated malware has begun to target mobile users, with the latest detection showing that it has gained encryption functions used for ransom demands from the victims.