Despite Android’s dominance in the mobile threat landscape, the Symbian malware scene is far from dead. 21 new families and variants were discovered in the third quarter of 2012, a 17% increase compared to the second quarter.
A typical piece of Symbian malware is a trojan that mimics a system update or a legitimate application. The object-capability model used in Symbian devices presents some loopholes that can be exploited. For example, the set of capabilities required by a legitimate action game may be similar to the set required by an application that can download and install new software from the Internet. A malware author can capitalize on these similar capabilities to present malware as a harmless, coveted program that sneakily carries out its activities without arousing the user’s suspicion.
Most of the Symbian malware originates in China and is distributed for the purpose of making a profit. Most of these (for example, Fakepatch.A and Foliur.A) are involved in SMS-sending activities. The SMS messages are usually sent to premium rate numbers or those associated with SMS-based services. Malware authors and distributors can easily turn an infection into profit by taking advantage of a ‘built-in’ billing mechanism for these SMS services; the malware simply sends out SMS messages that silently sign up the device owner for a premium subscription service, incurring charges to the user’s account.
Another profit-generating method involves the malware emulating a user’s behaviour and enabling WAP services on the device, which are then billed through the mobile service operator. Such malware, for example PlugGamer.A, is capable of acting as a scripted bot, silently playing a regular, albeit simple, browser-based online game over the WAP service.
Despite the continuing activity on the Symbian malware scene, the Symbian platform itself saw a significant blow to its future, as Nokia confirmed in September that the once popular operating system has now been put in “maintenance mode”, with the only major update this year being a refresh or feature pack that was rolled out in August to certain devices running the current Nokia (formerly Symbian) Belle release.
Market-wise, shipment of Symbian smartphones reportedly fell by 62.9% in Q2 and Symbian now accounts for only 4.4% of the global smartphone market. Despite the lack of activity in platform development and use, however, Symbian malware is still likely to be active for some time to come as many users, particularly in developing countries, continue to use existing Symbian-based handsets.
Source: F-Secure Mobile Threat Report Q3 2012.