Malware descriptions

Viver unveiled

This week’s been an interesting one in the world of mobile malware. We detected three variants of a new Trojan for mobile phones. Trojan-SMS.SymbOS.Viver uses an approach that was pioneered by RedBrowser and Wesber, Trojans which first appeared last year. Once these Trojans are installed, they’ll send SMS messages to a premium number.

In contrast to RedBrowser and Wesber, which were the first malicious programs for phones running Java, Viver is coded to run on phones with Symbian, making it the first Trojan of this type for smartphones.

We’ve managed to establish how the Trojan is being spread, and exactly how the scammers are making money from it. Not surprisingly, the Trojan was uploaded to the file sharing section of a very popular site for mobile users, and presented as being a program users would want – a photo editor, a set of video codecs etc. A tried and tested approach.

Once Viver’s on the smartphone, it sends a message to a premium rate short number. 177 roubles (almost $7) will be deducted from the user’s account. But how does the money get to the people who put the Trojan up on the mobile site?

Mobile service providers offer short code numbers. They’re too expensive for individuals but content providers will sign up for short numbers, and then effectively sublet them to anyone who’s interested. Users of shared short numbers will have a prefix, or keyword, assigned to them, ensuring that the content provider can assign payment for SMSs received to the correct user. In the case of Viver, the number the Trojan sends its messages to was managed by Infon, a major Russian content provider.

The 177 roubles that a user gets charged for the Viver SMS gets split up, with between 45% – 49% going to the mobile operator, approximately 10% to Infon, and the remainder to the person renting the number from Infon.

We know that one of the Viver variants was downloaded by around 200 people in less than 24 hours. The Trojan was then deleted by the site adminstration. Simple math tells us that if there are 200 victims, and an SMS costs 177 roubles, then the scammer could have made 14,000 roubles (more than $500) in the space of a single day.

This month alone we’ve logged three similar incidents. We can only guess how many more of these Trojans are out there, but one thing is for sure – if there’s money to be made, virus writers won’t be slow to take up the opportunity.

Viver unveiled

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox