A Cyber Criminal’s Nostalgia: The Selfmite Worm Explained

By ISBuzz Team, Writer, Information Security Buzz | Dec 11, 2014 05:03 pm PST

The SMS worm that targets Android devices is back on the slither and is more aggressive than ever before. The new variant is already known to have wormed its way into more than a dozen countries and is actively sending large volumes of text messages from infected devices.

To help fight back against this version of Selfmite, it is important to know what the world is up against.

A spring uprising

The Selfmite worm was first spotted back in May/June 2014. Security researchers succeeded, to some degree, in disrupting its early distribution, but it continued to spread.

The mechanism is simple but effective: an infected device sends text messages to other Android users containing a live link to a malicious Android Package (APK). Anyone who opens the link and installs the package becomes the next sender. The damage to individual victims varied, but the worm's reach was significant throughout.

An autumn dawn

The latest version is a much more aggressive affair, although it functions along the same lines as before. Now popularly referred to as "Selfmite.b," it still sends the rogue links to the APK through text messages, but rather than selecting the top 20 entries in a device's address book, it targets the full contact list available on an infected device.

The way it delivers its infection is also different. Whereas the first version of the Selfmite worm operated through shortened "goo.gl" URLs, the new version uses Go Daddy's x.co shortening service, and possibly others.
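The propagation pattern described in the two paragraphs above, one handset texting a shortened link to 20 or more distinct contacts in a short burst, is something a carrier fraud desk or a mobile device management team can look for in outbound SMS records. The following is an added example, not code from the article or from any vendor: a fan-out detector run over constructed log lines. The log format, the thresholds, the shortener hosts beyond goo.gl and x.co, and the sample message text are all assumptions.

```python
"""Fan-out detector for SMS-worm propagation of the kind described above:
one handset texting a shortened URL to many distinct contacts in a short
window, whether the top 20 (Selfmite.a) or the whole address book (.b).

Added example, not code from the article or from any vendor. The log line
format, the thresholds, the extra shortener hosts and the sample messages
are all constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# goo.gl and x.co are the shorteners the article names; the rest are an
# assumption, since any shortener can hide a link to an APK.
SHORTENER_HOSTS = {"goo.gl", "x.co", "bit.ly", "tinyurl.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed outbound-SMS log format (one message per line):
#   <ISO-8601 timestamp> <sender MSISDN> <recipient MSISDN> <message body>
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, sender, recipient, body = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "sender": sender, "recipient": recipient, "body": body}


def shortener_hosts_in(body):
    """Return the set of known shortener hosts linked from a message body."""
    return {m.group(1).lower() for m in URL_RE.finditer(body)
            if m.group(1).lower() in SHORTENER_HOSTS}


def find_fanout(lines, window=timedelta(minutes=10), min_recipients=20):
    """Flag senders that texted a shortener link to at least
    `min_recipients` distinct numbers within any `window`-long period.

    Returns {sender: {"recipients": peak distinct count, "hosts": set}}.
    The default of 20 matches the size of Selfmite.a's contact slice, so
    the check catches the older variant as well as the full-address-book one.
    """
    per_sender = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        hosts = shortener_hosts_in(rec["body"])
        if hosts:
            per_sender[rec["sender"]].append((rec["ts"], rec["recipient"], hosts))

    alerts = {}
    for sender, events in per_sender.items():
        events.sort(key=lambda e: e[0])
        peak, peak_hosts, start = 0, set(), 0
        # Sliding window over timestamps: `start` advances until the span
        # from events[start] to events[end] fits inside `window`.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            distinct = {recipient for _, recipient, _ in in_window}
            if len(distinct) > peak:
                peak = len(distinct)
                peak_hosts = set().union(*(h for _, _, h in in_window))
        if peak >= min_recipients:
            alerts[sender] = {"recipients": peak, "hosts": peak_hosts}
    return alerts


def sample_log():
    """Constructed log: one infected handset fanning an x.co link out to
    25 contacts in under two minutes, plus benign traffic and one junk
    line. The message text is made up and is not the worm's actual lure."""
    base = datetime(2014, 10, 8, 9, 0, 0)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} +15550000001 +1555100{i:04d} look at this http://x.co/abcd1")
    lines.append("2014-10-08T09:05:00 +15550000002 +15550000003 lunch? http://goo.gl/xyz99")
    lines.append("2014-10-08T09:06:00 +15550000003 +15550000002 sure, 1pm")
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for sender, info in find_fanout(sample_log()).items():
        print(f"ALERT {sender}: {info['recipients']} recipients via {sorted(info['hosts'])}")
```

The check keys on behaviour rather than on a particular URL, which matters here because the authors moved from goo.gl to x.co between variants and can change the link again; a blocklist of short URLs would have to be updated every time, whereas a burst of shortener links to dozens of distinct numbers from one subscriber looks the same whatever domain is in use. The one goo.gl link to a single friend in the sample is deliberately left below the threshold.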


The first worm was stopped in its burrows when Google stepped in: the goo.gl links lived on Google's own servers, so Google could disable them directly. Links on Go Daddy's x.co service sit on a third party's infrastructure, outside Google's control, so taking them down needs that provider's cooperation, and every additional shortener the authors adopt is one more party to involve.

Security researchers have suggested that in just 10 days, the b version of Selfmite could have sent as many as 150,000 text messages carrying the malicious link. That estimate comes from the analysis of just 100 infected Android devices, roughly 1,500 messages per device, but the data still suggests that Selfmite.b is around 100 times more effective than its predecessor.

The geographical reach of the latest version of Selfmite is also far greater than that achieved by Selfmite.a, which was limited, by and large, to devices across North America. Selfmite.b, meanwhile, has already claimed victims in 16 countries, including China, India and Russia.

A winter freeze

Go Daddy has taken action against the x.co links used to deliver Selfmite.b, but though those shortened URLs may have been disrupted, that is only the start. The authors of the worm can change its configuration remotely, so a disabled link can be swapped for a fresh one, and the entire infection process remains extremely dynamic.

Ongoing analysis by online security firms and IT risk teams has suggested that the ultimate goal of Selfmite.b is to generate cash, not to attack firms and organisations.

It also appears to make its money through pay-per-install programmes, pushing promoted apps onto infected devices. Every step depends on action by the user: opening the link, downloading the APK and installing it, which on a stock Android device also means allowing installation from unknown sources. That reliance on user action limits the worm's impact and range, which is exactly why educating all business and consumer Android device users is a must for anyone working in cyber security.

About Acumin
Acumin is an international Information Security and Information Risk Management recruitment specialist. The company works with a variety of markets comprising End Users, IT Security Vendors, Systems Integrators and Consultancies.

Acumin provides a range of specialist services which include contingency Permanent Recruitment, Contract Recruitment and retained Executive Search. For SMB and Enterprise End User clients, Acumin facilitates the development of internal Information Security and Risk Management teams across the UK, Europe and the United States.