The very first mobile malware – Cabir
Ten years ago, Kaspersky Lab announced the discovery of Cabir, the first worm designed to attack mobile phones. Unlike most modern malware samples, Cabir wasn’t equipped with a wide array of malicious functions.
Instead, it made history by demonstrating that mobile phones could be infected at all.
Kaspersky Lab experts first encountered Cabir at the beginning of June 2004. One of the company’s virus analysts was finishing his shift and handing over to a colleague when he noticed an email with no text, but with an attachment.
The attachment was suspicious: it was a file, but a quick analysis couldn’t determine which software platform it was written for. It certainly wasn’t built for Windows or for that matter Linux, the platforms that Kaspersky Lab analysts usually worked with.
“Roman Kuzmenko was working the night shift that night,” recalls Alexander Gostev, Chief Security Expert at Kaspersky Lab. “He stood out among the other analysts who worked at Kaspersky Lab at that time because of his ability to analyze complicated threats fast and accurately. Pretty soon after he started looking at that suspicious file, Roman discovered that it was written to execute in Symbian OS – a mobile operating system which powered Nokia mobile phones.”
Further analysis showed that the file was able to send itself to other phones via Bluetooth. As a consequence, the battery of an infected phone drained extremely quickly. This was the only function found in the newly discovered malware, and it was barely malicious.
Nevertheless, its ability to send itself to other mobile phones forced Kaspersky Lab experts to build a special testing room for exploring the possibilities of such threats.
“Our colleagues from neighboring offices started to come in complaining that some kind of ‘virus’ was infecting their phones. As a result, we decided to equip a room with a special covering to prevent any radio signal from leaving it. This room then served as a special place to conduct tests on new mobile malware samples,” said Gostev.
In the code of the Cabir malware, experts also found mentions of “29A”, a group of malware writers notorious for developing so-called conceptual viruses: viruses written to demonstrate the vulnerability of a particular computer subsystem, or to prove that certain systems or devices could be infected.
“This group was known for developing malicious software that made a lot of noise in the cyber security world. Cap, Steam, Rugrat – all these infamous pieces of malware were developed by 29A,” Gostev noted.
Alongside developing conceptual malware, 29A regularly issued its own e-magazine. In one edition, 29A published the worm itself and some fragments of its source code. That article, which showed that malware could be created to target one of the most popular mobile platforms in the world, caused a massive stir in the cyber security scene at the time. It also encouraged other virus writers to develop the idea further.
Shortly after the publication of the worm in 29A’s magazine, all manner of Cabir modifications appeared on the Web.
“Cabir was just a beginning, a starting point. Soon after we discovered it, we saw clearly that mobile threats are a very serious problem which needs a very special approach. In response, we established a whole new research division within Kaspersky Lab that was fully dedicated to mobile threats,” stated Alexander Gostev.
For his speed and accuracy in analysis, Roman Kuzmenko won not only the honor of being the analyst who discovered the very first mobile malware sample, but also a Nokia smartphone – to catch and analyze new viruses with, his colleagues joked.
After Cabir, a few hundred different viruses targeting Symbian devices were discovered. The number of new malware samples for this platform began to plummet once newer mobile operating systems such as Android emerged; these grew more prevalent and therefore more profitable for cybercriminals. Ten years after the detection of Cabir, Kaspersky Lab’s collection of mobile malware contains more than 340,000 unique samples, more than 99% of which target Android.