Yesterday, we blogged about a new piece of Symbian malware, which we detected as SYMBOS_FLOCK.I. This malware targets users of older Series 60 devices.
Overall, the malware itself is very simple in operation. It first prompts the user to install an application called ZvirOK 5.2!, whose name suggests that previous versions of the malware exist (or that it took the malware writer at least five attempts to get it right). Alternatively, the malware author wanted us to think this is a legitimate application and added the version number to make it appear so.
Another interesting fact here is that the word Zvirok (Зверёк), which roughly translates from Russian as “small animal” and is sometimes also used as a nickname, suggests that this malware is of Russian origin. However, the Symbian installer package (the .SIS file) specifies the language of the application as PRC Chinese, which leaves it unclear where this malware really came from.
After installation, the malware executes a very simple Python script that uses some Nokia Python libraries to send an SMS containing the text mumym xxx joker90 to the number 7205. The number 7205 is known as an SMS short code, a special shortened phone number for short or multimedia messages that is normally used for competitions and marketing and can often be quite expensive to use. The malware does not spread itself in any way.
The number of digits in SMS short codes varies from country to country. For example, in the United States it is normally 5–6 digits, whereas in the United Kingdom it is fixed at five digits and begins with either a 6 or an 8. Unfortunately, both China and Russia use four-digit SMS short codes, so there is no further hint here on the origin of this Symbian malware.
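As an added example (not code from the original post or from the malware), here is a static check a defender could run over Python scripts unpacked from a .SIS file: it walks the script's AST for `messaging.sms_send(number, text)` calls (the real Python for S60 messaging API), flags any whose destination is a literal short code rather than a full phone number, and maps the code's length and prefix to the country rules given above. The sample payload and the region table are constructed for illustration; real PyS60 scripts use Python 2 syntax, so `print` statements would need converting before `ast.parse` accepts them.

```python
import ast
import re

# Short-code length/prefix rules as stated in the post (constructed lookup, not exhaustive).
SHORT_CODE_RULES = {
    "US": lambda n: 5 <= len(n) <= 6,
    "UK": lambda n: len(n) == 5 and n[0] in "68",
    "CN": lambda n: len(n) == 4,
    "RU": lambda n: len(n) == 4,
}


def possible_regions(code):
    """Return the regions whose short-code format matches the given digit string."""
    return sorted(region for region, ok in SHORT_CODE_RULES.items() if ok(code))


def _string_literal(node):
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None


def find_sms_sends(source):
    """Return (destination, text) for every sms_send(...) call with a literal destination."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or len(node.args) < 2:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "sms_send":
            continue
        dest = _string_literal(node.args[0])
        if dest is not None:
            hits.append((dest, _string_literal(node.args[1])))
    return hits


def flag_short_code_sends(source):
    """Flag sends whose destination looks like a 4-6 digit short code (not a full number)."""
    findings = []
    for dest, text in find_sms_sends(source):
        digits = re.sub(r"\D", "", dest)
        if dest.startswith("+") or not 4 <= len(digits) <= 6:
            continue  # full international or long national number: not a short code
        findings.append({"destination": dest, "text": text, "regions": possible_regions(digits)})
    return findings


# Constructed sample payload: one short-code send (values from the post) and one benign send.
SAMPLE_PAYLOAD = '''
import messaging
messaging.sms_send("7205", "mumym xxx joker90")
messaging.sms_send("+15550100", "meeting at 10")
'''
```

Run `flag_short_code_sends(SAMPLE_PAYLOAD)` to get a single finding for 7205 with regions CN and RU, matching the ambiguity the post describes.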
The last clue perhaps is in the SMS content itself. It is highly likely that the phrase Joker90 refers to a particular model of scooter from Honda. Perhaps this SMS short code is used to enter a competition to win one of these scooters. If that is the case, I’m leaning toward China as the malware source, as scooters are more popular in China than in Russia, generally speaking.
Regardless of the source, however, this will not be the last Symbian malware we see. Creating malware like this is fairly trivial, after all, and there is also a modest amount of money to be made. It is doubtful that any major cybercriminal group will be packing up its botnets and moving to mobile malware anytime soon, but these will continue to serve as an introduction to crime for attackers on the first rungs of the cybercrime ladder.