More Mobile Malware Models Evolving

By Matthew Hines  |  Posted 2008-11-25 Print this article Print

While researchers have long predicted an impending onslaught of malware programs designed to attack mobile devices, examples of such programs observed in the wild have proven rather few and far between.

There have been some notable instances of the attacks, such as with the Cabir Bluetooth-borne worm virus that targets Symbian smartphones, but for the most part there have not been many mobile-specific threats that have had packed a noticeable punch.

However, in a recent blog post offered up by researchers at AV giant Trend Micro, experts have pointed to the potential for some of the relatively low-level threats that have been appearing more recently to boost the potential for wreaking havoc on handhelds.

In particular, the researchers said that attackers are aiming their efforts at mobile users that are accessing the Web with their devices.

"With more users using mobile devices that are Web-enabled, malware authors are also quick to adapt. From spam to ransomware, cyber-criminals are exploiting mobile phone usage as a new avenue for profit," writes Jake Soriano, a communications specialist with Trend's research group. "Interestingly, this malicious software deviates from the usual scheming operations that use Symbian malware to extort money from affected users."

Highlighting the work of colleague Jamz Yaneza, the blog specifically points to the appearance of WINCE_CRYPTIC.A, a malware variant that targets Windows Mobile phones and plays on vulnerabilities in the Microsoft WinCE embedded operating system. Soriano said that the threat was recently found in the wild and works as a "companion virus" as it hides its infection code in an additional file.

"Typical viruses infect files themselves but WINCE_CRYPTIC.A does not. Instead, it creates "companion" files using the same file names as the infected mobile phone's storage card," the expert writes. "These companion files contain the infection code, and when users run the storage card, the malicious files run first."

As a result of its design, WINCE_CRYPTICA does not infect files itself, theoretically making it harder to find, and the changes that its companion file carries out are made from the polymorphic engine of the malware, trend reports. The attack could also be classified as a Trojan, the experts contend, based on its hidden infection capabilities.

"Users are tricked into thinking they are still running a legitimate application when in fact they are already executing the malware," the researchers said.

An additional offspring of being infected with the attack is that affected devices will have their text and background colors altered, essentially blacking out their screens.

According to Trend, the most likely methods for delivery of the threat are infected memory cards and malicious Web sites/downloads. Yaneza contends that document-sharing via infrared or Bluetooth systems could be another potential delivery method.

The big picture message is that even though sizeable waves of mobile attacks have yet to appear as once predicted, the threats out there are slowly being developed into more destructive beasts, the researchers said.

"WinCE malware in the past did not have this routine," writes Soriano. "Our researchers believe that creators of this new WinCE malware are testing the waters for a bigger threat on mobile devices."

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel