SYMBOS_FLOCK.I – Where Does It Come From?
July 5, 2010 by admin
Filed under Security News
Yesterday we blogged about a new piece of Symbian malware, which we detected as SYMBOS_FLOCK.I. This malware targets users of older Series 60 devices.
Overall, the malware itself is very simple in its operation. It first prompts the user to install an application called ZvirOK 5.2!. The name suggests that previous versions of this malware exist (that, or it took the malware writer at least 5 attempts to get it right). Alternatively, the malware author wanted us to think that this is a legitimate application, and added the version number to make it appear as such.
Another interesting fact here is that the word Zvirok (Зверёк) roughly translates from Russian as “small animal”, which can sometimes be used as a nickname, indicating that this malware is of Russian origin. However, the Symbian Installer package (the .SIS file) specified the language of the application as PRC Chinese, which makes it unclear where this malware really came from.
After installation, the malware executes a very simple Python script which uses some of Nokia's Python libraries to send an SMS containing the text mumym xxx joker90 to the number 7205. The number 7205 is what is known as an SMS Short Code, a special shortened phone number for SMS or MMS messages that is normally used for competitions and marketing and can often be quite expensive to use. The malware does not spread itself in any way.
The number of digits in SMS shortcodes varies from country to country – for example in the US it is normally 5 or 6 digits, whereas in the UK it is fixed at 5 digits and begins with either a 6 or 8. Unfortunately, China and Russia both use 4 digit SMS shortcodes – so there is no further hint here on the origin of this malware.
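A triage check for the behaviour described in the two paragraphs above, as an added example that is not code from the original post or from the malware. It assumes the script sends through PyS60's `messaging.sms_send(number, text)` (the post does not name the module), goes slightly beyond the single case by also resolving simple string constants, and runs on a constructed sample.

```python
import re

# Short-code formats exactly as the article states them.
SHORTCODE_RULES = {
    "US": re.compile(r"\d{5,6}"),
    "UK": re.compile(r"[68]\d{4}"),
    "China": re.compile(r"\d{4}"),
    "Russia": re.compile(r"\d{4}"),
}
# Assumption: the script calls PyS60's messaging.sms_send(number, text);
# the article does not name the module it uses.
CALL = re.compile(r"""\bsms_send\s*\(\s*(u?(['"]).*?\2|\w+)\s*,\s*(u?(['"]).*?\4|\w+)""")
ASSIGN = re.compile(r"""^[ \t]*(\w+)[ \t]*=[ \t]*(u?(['"]).*?\3)[ \t]*\r?$""", re.M)
LITERAL = re.compile(r"""u?(['"])(.*)\1""")

# Constructed sample modelled on the behaviour described above, plus a benign call.
SAMPLE = '''import messaging
number = "7205"
text = u"mumym xxx joker90"
messaging.sms_send(number, text)
messaging.sms_send("+12025550100", "running late")
'''

def candidate_regions(number):
    """Regions whose short-code format (per the article) fits this number."""
    return sorted(r for r, rx in SHORTCODE_RULES.items() if rx.fullmatch(number))

def _resolve(token, constants):
    """Return the string a literal or a simple module-level constant stands for."""
    m = LITERAL.fullmatch(token)
    return m.group(2) if m else constants.get(token)

def scan_script(source):
    """List sms_send() calls whose destination is a hard-coded short code."""
    constants = {m.group(1): _resolve(m.group(2), {}) for m in ASSIGN.finditer(source)}
    hits = []
    for m in CALL.finditer(source):
        dest = _resolve(m.group(1), constants)
        regions = candidate_regions(dest) if dest else []
        if regions:
            hits.append({"line": source.count("\n", 0, m.start()) + 1,
                         "dest": dest,
                         "body": _resolve(m.group(3), constants),
                         "regions": regions})
    return hits

if __name__ == "__main__":
    for hit in scan_script(SAMPLE):
        print(hit)
```

The scan only sees literal destinations and module-level string constants, so a number assembled at run time would need the script to be inspected by hand.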
The last clue perhaps is in the SMS content itself. It's highly likely that the phrase Joker90 refers to a particular model of scooter from Honda. Perhaps this SMS shortcode is used to enter a competition to win one of these scooters. If that is the case, I’m leaning towards China as the source of this malware, as scooters are more popular in China than in Russia, generally speaking.
Regardless of the source, however, this will not be the last malware of this type that we see. Creating this kind of malware is fairly trivial, and there is also a modest amount of money to be made. It is doubtful that any major cybercriminal will be packing up their botnets and moving to mobile malware anytime soon, but it continues to be used as an introduction to crime for attackers on the first steps of the cybercrime ladder.