Symbian accidentally certifies worm

The Symbian Foundation has been left with egg on its face after accidentally sanctioning what experts are calling the first text message worm in history.

A worm, known variously as Yxe, Sexy Space, or Sexy View, has been spotted in the wild attacking smartphone users in China.

According to virus experts at Finnish security firm F-Secure, the worm was written in China and managed to sneak through Symbian’s validation procedure, winning protection as a ‘Symbian signed’ app.

This means the worm will be installed without security warnings and offers just one innocuous prompt to the user during installation. Once installed, the worm sends a text message to every contact in the phone’s address book containing a link to a web page that hosts the worm installation file in SIS form. Of course, the user also pays the price of each and every text message the worm sends out from the infected handset.

F-Secure’s head of research, Mikko Hypponen, reckons that the worm author wrote the program with the intention of avoiding F-Secure’s virus scanner as this is the one Symbian uses to check applications before signing them. The worm author also submitted the application via the Express Signing procedure where only spot checks are carried out by humans, F-Secure said, which probably resulted in the app getting signed.

The malware is also known to send information about the infected phone, such as the device’s IMEI number, on to another location.

At present there have only been reports of the virus in China and the Middle East, although the potential for more widespread infection is significant seeing as the worm affects S60 third generation phones, such as the Nokia N95.

Symbian has since revoked the app’s certificate, but because the platform does not check to see whether a certificate has been revoked every time the worm is activated.

Last week the Symbian Foundation announced an application publishing programme that will see it attempt to bridge the gap between developers and application stores. Dubbed Symbian Horizon, the new initiative was described by Symbian’s Sean Puckrin, who is leading the programme, as equivalent to a record label in the music business.

The aim of Horizon is to offer a range of services to developers to help them get Symbian friendly versions of their applications into various stores.


  1. iPhone App Developer 21/07/2009 @ 12:59 pm

    So, it’s out there and Symbian have no way of stopping it.
    Symbian’s sloppiness is bad news for all smart phone users, not just Symbian users.
    And whilst the human error aspect is forgivable, not having an effective way to revoke approval isn’t.

  2. Larry Larmor 21/07/2009 @ 1:17 pm

    Symbian’s approach is wrong-headed. Their assumption is that applications can be tested sufficiently enough to avoid planned or accidental viruses / malicious code / etc. and then signed.

    However (a) as this experience has shown, determined app writers can always get apps signed (b) in any case, users may not care about the app being signed or who actually signed it.

    A better approach would be to make the Symbian OS more resilient / customer alerting. For example, like MS Windows does, ask the user “Are you happy with this application reading entries from your address book” and “Confirm you wish this application to send the text message as follows”.

    Many Nokia phones actually come with an application called “download” which covertly sends text messages that cost money, or sign you up to subscription services. I suspect many users are unaware of what is happening. Make them more aware and more alert.

  3. Rick Wills 21/07/2009 @ 8:47 pm

    Users will click through any notifications on a cell phone just like they do in Windows.
