First mobile phone virus detected


16 Jun 2004

Security researchers have discovered what is believed to be the first worm for mobile phones. Known as Cabir, the worm infects phones running the Symbian operating system but it is not thought to be malicious. Users have been told not to panic.

The Symb/Cabir-A worm runs on the Symbian operating system found on many Nokia mobile phones, such as the Series 60. However, security software developer Kaspersky Labs, which detected Cabir, warned that the worm may also work on handsets made by other manufacturers.

Cabir is sent as a Symbian distribution file but disguises itself as the Caribe Security Manager utility, part of the phone’s security software. If the infected file is launched, the telephone display will show a message that reads ‘Caribe’. Only mobiles with Bluetooth short-range networking technology can propagate the worm. Cabir scans for all accessible phones that use Bluetooth and sends a copy of itself to the first one it finds.

According to Kaspersky Labs, the worm was created by a virus writer going under the name of Vallez. This pseudonym is used by 29a, an international group of malware writers that specialises in creating proof-of-concept viruses.

As such, Cabir may have been written merely to show that certain mobile phones could be infected. It does not actually carry a malicious payload, unlike the Sasser worm, for example, which caused PCs to shut down repeatedly. Antivirus provider Sophos said that Cabir does not appear to be in the wild and seems unlikely to spread without the recipient being aware of it.

Sophos further advised mobile users not to panic. “The only way this virus looks like it will spread is by antivirus researchers sending it to each other in their high security laboratories,” said Graham Cluley, senior technology consultant for Sophos. He added that the worm must find other Bluetooth-compatible mobile phones in order to spread and that recipients have to confirm they wish to receive the worm before it can infect them. Other devices such as laptops or PDAs which have Bluetooth are not vulnerable to Cabir as they do not use the Symbian operating system.

“Mobile devices (PDAs and phones) have been theoretically vulnerable to viruses and Trojans for some years, but there has been very little malware written,” Cluley added. “The variation in details such as OS version, firmware revision and device characteristics in the mobile arena has resulted in a ‘moving target’ for virus writers. This is one reason why there is not currently a large threat to mobiles from malicious code.”

Users with Bluetooth-enabled phones can prevent viruses or unwanted messages being sent to them by disabling the feature that makes their phones visible to other Bluetooth devices.

By Gordon Smith