Maliciously Mobile: A Brief History of Mobile Malware
Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cyber security.
It’s difficult to remember a time when you could sit in a café where people were having real-life conversations with other people sitting in the same café. These days, most coffee drinkers are too busy staring down at the tiny computer held in their hands. The ubiquitous smartphone, love it or hate it, is here to stay.
These devices, however, bring with them a risk of attack from malware that continues to increase each year. Research by Symantec shows that, in 2017, new mobile malware variants increased by 54 percent and an average of 24,000 malicious mobile applications were blocked every single day. But it wasn’t always like this. Mobile malware had to begin somewhere, so let’s take a look at where it all began.
Cabir, released in 2004, is considered the first real mobile malware. The worm spread via Bluetooth and targeted the Symbian operating system, which was the primary OS used on smartphones of the time. The malware was thought to be a proof of concept from a group of hackers known as 29A. The group sent Cabir to antivirus firms, likely in an effort to gain attention and prove that phones were not immune to malware.
Cabir’s main goal was to spread to other Bluetooth-enabled devices. Once the malware had made it onto a device, it would display the word “Caribe” on the phone’s screen every time the device was turned on.
While Cabir was relatively harmless compared to mobile malware today, it did drain device battery power as it constantly scanned for nearby Bluetooth devices to spread to. Also, potential victims had to accept the Bluetooth file transfer request in order to become infected.
Although the first version of Cabir wasn’t considered much of a threat, later variants had the ability to steal data, such as information from the device’s phonebook.
While Cabir showed the world that mobile malware should be taken seriously, it would be a few years yet before smartphones were smart enough (that is, capable of processing and storing enough information) for malware authors to see them as a worthwhile target.
Soon after Cabir hit the scene, a Trojanized version of the popular Symbian game Mosquitos appeared. The game worked just like the legitimate version; the only difference was the addition of a malicious program known as Trojan.Mos that would send an SMS message to a premium-rate phone number every time the game was played. Mosquitos\Trojan.Mos made history as the first mobile malware to make money for its developers.
Skuller was a nuisance malware, designed to cause damage and hinder usage of the infected device. The threat was distributed through websites and internet forums disguised as a phone theme. Once it was installed on a device it replaced icons with a skull and crossbones logo. The malware also overwrote application files, making the phone practically unusable. Interestingly, Skuller used code from Cabir to enable it to spread over Bluetooth.
Skuller did what it did purely to create chaos; however, its end goal of making devices unusable would later become a key facet in the world of mobile ransomware.
CommWarrior, emerging just a year after Cabir in 2005, was also a relatively harmless worm for Symbian devices. But while Cabir only had one infection vector, CommWarrior was the first mobile threat to spread via Multimedia Messaging Service (MMS) messages. The malware also attempted to spread using Bluetooth, but it was its ability to use MMS that made it stand out. The worm sent an MMS message to a random contact in the user’s contact list. The message had a copy of the malware attached and was made to look like it was from someone the victim knew. Once the attachment was opened, the cycle would continue.
With the added MMS infection vector, CommWarrior was more successful at spreading than its cousin Cabir.
2006 was the year when the first multi-platform mobile malware arrived. RedBrowser could work on phones running the Java 2 Micro Edition (J2ME) software. At the time, J2ME was running on phones made by Nokia, Motorola, Siemens, Samsung, and many others. The malware pretended to be a Wireless Application Protocol (WAP) browser, but instead of browsing the internet it sent out premium-rate SMS messages from victims’ devices. It wasn’t long after RedBrowser that other platforms like Windows Mobile also became a target for mobile malware.
In 2007, the first mobile spyware came along. FlexiSpy was advertised as a tool for people to spy on their partners. The malware could record phone calls and collect SMS messages and send the information to the attacker.
2007 was also when the first iPhone was launched, and with it the first iOS threats, although these would only be a problem for jailbroken devices up until 2015. However, if you were one of the people who decided you wanted Apple’s software restrictions removed from your iPhone, then the Ikee malware was the start of your problems. The worm spread between jailbroken iPhones that used the OpenSSH protocol to secure network traffic. The malware took advantage of unchanged default passwords to infect devices and, once it was in, stole the Apple ID and password and changed the phone’s wallpaper to a picture of ’80s singer and meme superstar Rick Astley.
A year later, in 2008, the first Android devices hit stores. It wasn’t long after the appearance of these devices that the Android operating system began attracting the majority of malware authors’ attention. While it took a while, by 2010 Android was firmly in mobile malware’s sights, but more on this later.
Malware follows an evolutionary process, with each new threat learning from or using pieces of the threats that have come before. Mobile malware isn’t any different and, in 2010, a threat came along that had built upon the success of an infamous PC threat. ZitMo, or Zeus-in-the-Mobile, was the little brother of the Zeus banking Trojan. ZitMo stole internet banking transaction authorization numbers and was first spotted targeting Symbian devices but was soon seen on Windows Mobile, Blackberry, and eventually Android.
One of Android’s appealing features is that it is, unlike Apple’s tightly controlled App Store and iOS, an open platform, but this is also one of its problems. Google’s Play Store (previously called Android Market) has, since its earliest days, been plagued with dodgy apps that manage to make their way past security checks. In 2011, an Android threat known as DroidDream, which had been downloaded thousands of times, was discovered packaged inside more than 50 seemingly legitimate applications on Android Market. The malware stole sensitive information from compromised devices and could also install other apps. DroidDream, together with other early Android threats, represented the beginning of a long battle that continues today between Google and malware authors trying to get their wares onto the Play Store.
In 2013, FakeDefender, arguably the first mobile ransomware threat, targeted Android devices and displayed fake security alerts in an effort to get the user to buy an app to remove the fake threats. In some cases, the malware prevented users from uninstalling it and from launching other apps. FakeDefender also changed operating system settings so that users were unable to carry out a hard reset. While FakeDefender merely locked up aspects of the device’s features while it tried to get the user to pay to get access back, it would be the use of encryption that helped mobile ransomware really take off.
The first mobile ransomware to encrypt files and hold them for ransom was Simplocker. Appearing in 2014, just a year after FakeDefender, the threat would be the first in a long line of similar threats targeting Android. Simplocker initially pretended to be legitimate apps on fake Google Play websites aimed at Russian-speaking users. The malware encrypted document, picture, and video files stored on the device’s SD card. It then displayed a message saying the phone had been locked due to the presence of child pornography and that the only way to unlock the device was by paying a fee. This message appeared every time the user attempted to open an app.
Just in case Apple was feeling left out, in 2015 the first iOS malware for non-jailbroken devices emerged. YiSpecter essentially created a backdoor on compromised devices that allowed attackers to install and uninstall apps, download files, and display advertisements, among other things. The threat mostly targeted devices in China and Taiwan and was spread through third-party app stores, forum posts, social media, and hijacked internet service provider traffic that redirected users to download the malware.
Just like the smartphone, mobile malware is here to stay, and malware authors continue to develop and improve their techniques. From the early threats that made money from premium-rate texts, to the surge in ransomware that followed, and newer money-making methods like cryptocurrency mining, it’s clear that these ubiquitous devices are a valuable target for cyber criminals. Maybe it’s a good thing we can’t keep our eyes off them! Installing a decent mobile security app is also recommended, though.