Android Worm 'Selfmite' Harks Back to '90s Macro Viruses

The "Selfmite" worm infects mobile devices using a technique that is similar to the Melissa virus from 1999 by texting a short message and a link to victims' contacts.

Macro WormB

An Android worm has borrowed the propagation techniques of old macro viruses from the 1990s by sending text messages out to a handful of contacts from each infected phone.

Known as Selfmite, the program spreads by sending texts with malicious links to a victim's contacts. The original program sent messages to the top-20 contacts in a victim's address book.

Security firms have offered differing analyses of the most recent version. A report from antivirus firm Sophos indicates that Selfmite.B has reduced the number of recipients to five, while mobile security firm AdaptiveMobile argued that the worm goes into an infinite loop and keeps sending text messages to every contact.

About 100 phones appear to be infected and sending messages, but they have sent more than 150,000 texts in the past 10 days, according to AdaptiveMobile's analysis.

"This means that potential victims will continue to receive malicious SMS messages from an infected phone until either the operator detects and blocks these messages or an owner of an infected phone removes the malware," AdaptiveMobile stated.

The latest Selfmite worm sends one of two text messages: "Hi buddy, try this, its amazing u know" and "Hey, try it, its very fine" to the first five people in a victim's address book. Such generic messages tend not to spread far, and that seems to be the case for Selfmite, but better crafted ones could fool credulous users, Paul Ducklin, head of technology with Sophos, told eWEEK.

"Like the bad old days of computer viruses, it comes from someone you know," he said. "When you get the message, you will be more likely to check it out."

The propagation routine is reminiscent of macro viruses and other email worms of the late 1990s, perhaps the best known of which is the Melissa macro virus.

In March 1999, the Melissa virus spread through email by sending its host, a Word document, to the top-50 people listed in a victim's address book. The program affected at least 100,000 computers at more than 300 companies, according to estimates at the time.

Recently, Visual Basic for Applications, the language used to code most macro viruses in the late 1990s and early 2000s, has made a resurgence as a way of creating scripts to ease the copying of code from the host document to the compromised system.

Phones infected with the Selfmite worm were typically added to a pay-per-click advertising network and a pay-per-install affiliate program. The latest version, however, takes different actions based on the location of the infected Android phone.

While some malicious applications have snuck into the mobile ecosystem, the users in most danger from these types of malicious programs are in Asia and Eastern Europe, where it is a common practice to download apps from ad-hoc app stores that aren't connected to the Google Play Android app market, which vets applications for malware infections. For most U.S. mobile device owners, using trusted app stores and having a cautious outlook are the best approach.

"The walled, or semi-walled, gardens of the App Store and Google Play help a lot, but a killer app might be enough if everyone wants it—remember Flappy Bird?—and is willing to turn on 'Unknown Sources' in Android in order to join in the fun," Ducklin said. "As always, a little caution goes a long way."

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...