Signs of Smoke for .mobi

The author of a number of SymbOS/Appdisabler and SymbOS/MultiDropper variants has created a Wireless Application Protocol (WAP) site for the distribution of malware.

WAP sites are Web sites designed to be viewed by mobile phone Web browsers. The new .mobi Web domain was created to improve the mobile user experience and to give a boost to mobile Internet browsing (such as WAP sites).

The site currently offers two malware files for download. Fortunately the malware is not likely to spread as they are contained in password-protected ZIP files, and the malware author has not provided the password. By comparing the files with previously seen malware, we were able to determine that these files are SymbOS/Romsilly.B and SymbOS/Cardblock.A.

The use of Web sites to distribute mobile phone malware is not new. e10d0r, the author of the SymbOS/Commwarrior family, used Web sites as a distribution point for his creations.

Malware has also used Web sites to distribute itself to mobile phones. The VBS/Eliles family is notable for attempting to have phone users download Symbian malware from a Web site.

This WAP site eases the transfer of malware, as users no longer need a PC for downloading.

As seen in Europe and Asia, high-speed mobile data networks will further drive the creation of mobile Internet sites. This is the first mobile malware site designed to be accessed on mobiles. With the increase in mobile sites, we’re sure to see .mobi get its share of malicious sites.