NEWS FROM THE LAB - Monday, July 20, 2009

Q & A on "Sexy View" SMS worm Posted by Mikko @ 12:58 GMT

There has been lots of media coverage for the Yxe aka Sexy Space aka Sexy View mobile worm. So here's a Q&A to answer some questions on it:

Q: Why is this worm important?
A: It's the first text message worm in history.

Q: I thought text message worms were just urban legends!
A: Definitely not.

Q: How can you attach a worm into a text message?
A: You can't. Instead, the worm puts a web link pointing to the worm's web site into a text message.

Q: A link? Can you click on a link in a text message?
A: Yes. On practically all smartphones. Just like you can click on a link in an e-mail.

Q: Why would I click on such a link?
A: Because the link is in a convincing message.

Q: Convincing how?
A: Convincing as in a text message coming from your best friend with a message like "Check this out!" and a web link.

Q: Would such a message be spoofed or would it really come from my friend's phone?
A: Yxe sends its messages to phone numbers found in the phonebook. So if your friend gets infected, you get the message from his phone.

Q: What kind of messages does it send?
A: These vary, as the worm downloads a fresh message template from a website.

Q: Is this a mobile botnet?
A: Not really. The only remote control the worm has is the above update mechanism to change what kind of text messages are being sent. But it's close.

Q: What happens if I follow the link?
A: The link will take you to a website which will automatically push a SIS installation package to your phone. You get one prompt: Install Sexy Space? Yes or No.

Q: No security warnings?
A: No.

Q: But there should be a security warning, unless the SIS package has been signed!
A: It has been signed.

Q: Why did Symbian sign it?
A: We believe the virus writer submitted the malware through the Express Signing procedure, where most applications are not inspected by humans.

Q: Ok, so I click Yes. What happens then?
A: The worm will install itself on your device, and will send a similar text message to all contacts listed in your phonebook. These messages are sent in your name and from your phone.

Q: Who pays for these messages?
A: You do. If you're infected, you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you 500 times 5 cents.

Q: In addition to spreading, what does the worm do?
A: It steals information from the local phone and sends it away, including the IMEI number of the phone.

Q: What's the motive?
A: We don't know.

Q: Where are these YXE worms written?
A: In China.

Q: Which companies submitted these YXE worms for signing?
A: Companies called XiaMen Jinlonghuatian Technology Co. Ltd., ShenZhen ChenGuangWuXian Tech. Co. Ltd. and XinZhongLi TianJin Co. Ltd.

Q: Has Symbian revoked these certificates yet?
A: Yes.

Q: So the problem is over, then?
A: No. The revocation certificates are not immediately distributed to all the hundreds of millions of Symbian smartphones. The default setting in most Symbian phones has to be changed to enable them to receive revocation certificates. To do this, go to Application Manager's Settings and set the Online certificate check to Must be passed.

Here's a picture of what you should do:

[Screenshot: Cert check - Application Manager settings with Online certificate check set to Must be passed]

Q: How widespread is this?
A: Not very. We have very few confirmed reports. Yxe seems to be a problem only in China and the Middle East at the moment.

Q: Which phones are affected by this?
A: All Symbian Series 60 3rd Edition phones by Nokia, LG and Samsung. So, for example, best-selling phones like Nokia N95 or Nokia E71.

Q: Who cares. Nobody uses Symbian anyway. iPhone rocks.
A: Symbian has 49% market share of the smartphone market. iPhone has 10%.