Jan 19, 2014 05:08 PM EST
Fortinet’s FortiGuard Labs has experience with more than 1,300 new malicious applications per day and also currently tracks over 300 Android malware families and over 400,000 malicious Android applications. The company recently wrote an in-depth article highlighting the most significant mobile malware over the last 10 years.
2004: The First Attempt!
Cabir was the world’s first mobile worm. Designed to infect the Nokia Series 60, its attack resulted in the word “Caribe” appearing on the screen of infected phones. The worm then spread itself by seeking other devices (phones, printers, game consoles…) within close proximity by using the phone’s Bluetooth capability.
2005: Adding MMS To the Mix
CommWarrior, discovered in 2005, picked up where Cabir left off by adding the ability to propagate itself using both Bluetooth and MMS. Once installed on the device, CommWarrior would access the infected phone’s contact file and send itself via the carrier’s MMS service to each contact. The use of MMS as a propagation method introduced an economic aspect; for each MMS message sent, phone owners would incur a charge from their carrier. In fact, some operators have stated that up to 3.5 percent of their traffic was sourced to CommWarrior, and eventually agreed to reimburse the victims.
2006: Following the Money
After the demonstrated successes of Cabir and CommWarrior, the security community detected a Trojan called RedBrowser touting several key differences from its predecessors. The first was that it was designed to infect a phone via the Java 2 Micro Edition (J2ME) platform. The Trojan would present itself as an application to make browsing Wireless Application Protocol (WAP) websites easier. By targeting the universally supported Java platform rather than the device’s operating system, the Trojan’s developers were able to target a much larger audience, regardless of the phone’s manufacturer or operating system.
2007-2008: A Period of Transition
Despite stagnation in the evolution of mobile threats during this two-year period, there was an increase in the number of malware programs that accessed premium rate services without the device owner’s knowledge.
2009: The Introduction of the Mobile Botnet
In early 2009, Fortinet discovered Yxes (an anagram of “Sexy”), a piece of malware behind the seemingly legitimate “Sexy View” application. Yxes also had the distinction of being a Symbian certified application, which took advantage of a quirk within the Symbian ecosystem that allowed developers to “sign off” applications themselves.
2010: The Industrial Age Of Mobile Malware
2010 marked a major milestone in the history of mobile malware: the transition from geographically localized individuals or small groups to large-scale, organized cybercriminals operating on a worldwide basis. This was the beginning of the “industrialization of mobile malware,” in which attackers realized that mobile malware could easily bring them a lot of money and decided to exploit the threats more intensely.
2011: Android, Android and Even More Android!
With attacks on Android platforms intensifying, more powerful malware began to emerge in 2011. DroidKungFu, for example, emerged with several unique characteristics, and even today is considered one of the most technologically advanced viruses in existence. The malware included a well-known exploit to “root” or become an administrator of the phone – uDev or Rage Against The Cage – giving it total control of the device and the ability to contact a command server. It was also able to evade detection by anti-virus software, the first battle in the ongoing war between the cybercriminals and the anti-virus development community. Like most of the viruses before it, DroidKungFu was generally available from unofficial third-party app stores and forums in China.
2013: Game On – New Modes of Attack
2013 marked the arrival of FakeDefend, the first ransomware for Android mobile phones. Disguised as an antivirus, this malware works in a similar way to the fake antivirus on PCs. It locks the phone and requires the victim to pay a ransom (in the form of an exorbitantly high antivirus subscription fee, in this case) in order to retrieve the contents of the device. However, paying the ransom does nothing to repair the phone, which must be reset to factory settings in order to restore functionality.
*Fortinet’s FortiGuard Labs