The very first mobile malware: how Kaspersky Lab discovered Cabir

16 Jun 2014
Virus News

Ten years ago, Kaspersky Lab reported the discovery of Cabir – the first ever worm designed to attack mobile phones. Unlike most modern malware samples, Cabir wasn’t equipped with a wide range of malicious functions. Instead it made history by proving that it was possible to infect mobile phones.

Kaspersky Lab experts first encountered Cabir at the beginning of June 2004. One of the company’s virus analysts was just ending his shift and handing over to a colleague when he noticed an email with no text but with an attachment. The attachment was suspicious: a quick analysis of the file couldn’t determine which software platform it had been written for. It definitely wasn’t designed for Windows or Linux, the platforms that Kaspersky Lab analysts usually worked with.

“Roman Kuzmenko was working the night shift that night,” Alexander Gostev, Chief Security Expert at Kaspersky Lab, recalls. “He stood out among other analysts who worked at Kaspersky Lab at that time because of his ability to analyze complicated threats fast and accurately. Pretty soon after he started looking at that suspicious file, Roman discovered that it was written to execute in Symbian OS – a mobile operating system which powered Nokia mobile phones,” Gostev adds.

Further analysis showed that the file was able to send itself to other phones via Bluetooth. Because the worm kept the Bluetooth radio busy looking for devices to send itself to, the battery of an infected phone drained extremely quickly. This was the only function of the newly discovered malware, and it was hardly malicious. However, its ability to spread to other mobile phones forced Kaspersky Lab experts to build a special testing room for analyzing such threats.

“Our colleagues from neighboring offices started to come in complaining that some kind of ’virus’ was infecting their phones. As a result, we decided to equip a room with a special covering to prevent any radio signal from leaving it. This room then served as a special place to conduct tests on new mobile malware samples,” said Gostev.

The code of Cabir also contained references to “29A”, a group of malware writers notorious for developing so-called conceptual (proof-of-concept) viruses: viruses written to demonstrate a weakness in a particular computer subsystem, or to show that certain systems or devices could be infected at all.

“This group was known for developing malicious software that made a lot of noise in the cyber security world. Cap, Steam, Rugrat – all these infamous pieces of malware were developed by 29A,” Gostev notes.

Along with developing conceptual malware, 29A regularly issued its own e-magazine. In one edition, 29A published the worm itself together with fragments of its source code. That article, which proved that malware could be created to target one of the most popular mobile platforms in the world, caused a huge stir in cyber security at the time. It also encouraged other virus writers to develop the idea further.

Soon after the publication of the worm in 29A’s magazine, all manner of Cabir modifications appeared on the Web.

“Cabir was just a beginning, a starting point. Soon after we discovered it, we saw clearly that mobile threats are a very serious problem which needs a very special approach. In response, we established a whole new research division within Kaspersky Lab that was fully dedicated to mobile threats,” said Alexander Gostev.

For his speed and accuracy in analysis, Roman Kuzmenko earned not only the honor of being the analyst who discovered the very first mobile malware sample, but also a Nokia smartphone – to catch and analyze more new viruses, his colleagues joked.

After Cabir, a few hundred different viruses targeting Symbian devices were discovered. The number of new malware samples for this platform started to decline rapidly once newer mobile operating systems, such as Android, became established; these grew far more widespread and were therefore more lucrative for cybercriminals. Ten years after the discovery of Cabir, Kaspersky Lab’s collection of mobile malware contains more than 340,000 unique samples, with more than 99% targeting Android.

More details about how Cabir was discovered, how it got its name, the epidemic it provoked and the impact that it made on the cyber security industry can be found in a blog post by Eugene Kaspersky.

To see how mobile malware has evolved during the last ten years please check a special Kaspersky Lab Infographic.

© 1997 – 2014 Kaspersky Lab

All Rights Reserved.