MMS Bomber Attacks China

Posted by: Troy Vennon
on April 5, 2010

Over the Easter weekend, stories came out of China about a ‘virus’ called ‘MMS Bomber’ that was running rampant through Chinese smartphones. Conservative estimates put the number of affected devices at hundreds of thousands, and possibly more than a million. The virus appeared to be spreading over MMS.

Proper analysis of the malware in question revealed that a multitude of Chinese users had been affected by a new variant, Yxe.e, of the Worm.SymbOS.Yxe family of worms. The Yxe worm is widely known as the very first malicious program able to infect Symbian S60 3rd Edition devices, and it also carried a valid digital signature. Yxe.e’s predecessors (Yxe.a – Yxe.d) had the following functionality:

  • Spread via SMS messages which contained a link to the worm
  • Used social engineering in order to trick victims
  • Harvested data about the smartphone from the device
  • Sent the harvested data to a cybercriminal server
  • Attempted to terminate third party applications designed for working with the smartphone’s file system or with active applications

Yxe.e adds in the following additional capabilities:

  • Sends MMS messages containing a link to itself, and, attached, a black and white skull and crossbones image (Skuller, a Trojan which first appeared in 2004, also used a skull and crossbones)
  • Connects to a Chinese social networking site
  • Downloads files
  • Blocks the smartphone’s Software Manager, making it more difficult to delete the malware

The Yxe.e worm currently spreads via MMS messages that use social engineering to trick the user into following a link to a website, where they can download and install the malicious program. Once the malicious application is installed on the victim’s device, Yxe.e automatically begins harvesting information about the device and sends it, via SMS, to a server controlled by criminals. Yxe.e then attempts to stop several processes on the Symbian device that could help the victim identify the application’s malicious nature or uninstall it. To propagate itself, Yxe.e then begins crafting MMS messages that contain the URL for downloading the malicious application and sends them to phone numbers in the device address book, all at a cost to the user of the infected device. Yxe.e is also known to attempt to connect to, and spread itself via, a Chinese social networking site.
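A defender-side illustration of the propagation step described above, added here and not part of the original post: a Python heuristic that a carrier or messaging-gateway operator could run over message records to flag a subscriber pushing the same link to many distinct recipients in a short window. The record layout, subscriber labels, URL, and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample data: (timestamp_seconds, sender, recipient, kind, body).
WORM_URL = "http://download.example.invalid/update.sisx"  # placeholder link
SAMPLE_LOG = (
    # sub-A: same link to six contacts in under a minute (worm-like fan-out)
    [(10 * i, "sub-A", f"contact-{i}", "MMS", f"Check this out {WORM_URL}")
     for i in range(6)]
    # sub-B: same link sent repeatedly to a single friend
    + [(10 * i, "sub-B", "friend-1", "SMS", f"see {WORM_URL}") for i in range(6)]
    # sub-C: six recipients, but spread over hours
    + [(3600 * i, "sub-C", f"peer-{i}", "MMS", f"news {WORM_URL}.")
       for i in range(6)]
    # sub-D: ordinary message without a link
    + [(5, "sub-D", "peer-0", "SMS", "running late, see you at 8")]
)


def find_fanout(records, window=300, min_recipients=5):
    """Return {(sender, url): peak_distinct_recipients} for senders that sent
    one URL to at least min_recipients distinct numbers within window seconds."""
    events = defaultdict(list)  # (sender, url) -> [(ts, recipient)]
    for ts, sender, recipient, kind, body in records:
        if kind not in ("SMS", "MMS"):
            continue
        # Strip trailing sentence punctuation so "link." and "link" match.
        for url in {u.rstrip(".,)") for u in URL_RE.findall(body)}:
            events[(sender, url)].append((ts, recipient))

    flagged = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        in_window = defaultdict(int)  # recipient -> messages inside window
        for ts, rcpt in hits:
            in_window[rcpt] += 1
            # Slide the left edge forward until the window fits again.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_recipients:
                flagged[key] = max(flagged.get(key, 0), len(in_window))
    return flagged
```

Counting distinct recipients rather than raw message volume keeps a chatty user who repeatedly messages one friend from being flagged, while the time window separates slow, ordinary link sharing from automated address-book blasts.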

It is believed that infections of the Yxe.e worm have been limited to devices operating within China. Symbian devices make up the largest percentage of smartphone devices in use outside of the U.S. However, Symbian devices make up merely a fraction of the market share of smartphones in the U.S. and North America.

As is the case with every malware threat that affects BlackBerry, iPhone and Android devices, the Yxe.e worm requires that the user manually install the malicious program, albeit under false pretenses. SMobile Security Shield currently provides detection and removal of this Symbian threat.
