This week's been an interesting one in the world of mobile malware.
We detected three variants of a new Trojan for mobile phones.
Trojan-SMS.SymbOS.Viver uses an approach that was pioneered by
RedBrowser and Wesber, Trojans which first appeared last year.
Once these Trojans are installed, they'll send SMS messages to a
In contrast to RedBrowser and Wesber, which were the first
malicious programs for phones running Java, Viver is coded to run
on phones with Symbian, making it the first Trojan of this type
We've managed to establish how the Trojan is being spread, and
exactly how the scammers are making money from it. Not
surprisingly, the Trojan was uploaded to the file sharing section
of a very popular site for mobile users, and presented as being a
program users would want - a photo editor, a set of video codecs
etc. A tried and tested approach.
Once Viver's on the smartphone, it sends a message to a premium
rate short number. 177 roubles (almost $7) will be deducted from
the user's account. But how does the money get to the people who
put the Trojan up on the mobile site?
Mobile service providers offer short code numbers. They're too
expensive for individuals but content providers will sign up for
short numbers, and then effectively sublet them to anyone who's
interested. Users of shared short numbers will have a prefix, or
keyword, assigned to them, ensuring that the content provider can
assign payment for SMSs received to the correct user. In the case
of Viver, the number the Trojan sends its messages to was managed
by Infon, a major Russian content provider.
The 177 roubles that a user gets charged for the Viver SMS gets
split up, with between 45% and 49% going to the mobile operator,
approximately 10% to Infon, and the remainder to the person
renting the number from Infon.
We know that one of the Viver variants was downloaded by around
200 people in less than 24 hours. The Trojan was then deleted by
the site administration. Simple math tells us that if there are 200
victims, and an SMS costs 177 roubles, then the scammer could have
made 14,000 roubles (more than $500) in the space of a single day.
This month alone we've logged three similar incidents. We can
only guess how many more of these Trojans are out there, but one
thing is for sure - if there's money to be made, virus writers
won't be slow to take up the opportunity.