SymbOS/ConBot is another one of Spitmo's 'cousins'

Nov 19, 2011 11:30 GMT

After researchers discovered OpFake, a mobile trojan that shares code with the well-known Spitmo, a newcomer identified as SymbOS/ConBot was found to share the same characteristics.

F-Secure specialists came across the premium-rate SMS sender and determined that it operates in a fairly sophisticated way, but unlike OpFake, it doesn't rely on fake Opera updates to carry out its malicious tasks.

Found on a Russian domain, the first and only known instance of ConBot relies on Spitmo's source code, but unlike OpFake, it doesn't add an icon to the application menu, which makes it harder to detect.

Since it doesn't alert the user of its presence in any way, researchers believe that it may be promoted as a “security certificate update.”

So how does it work?

ConBot.A contains a package called SystemService that includes another package called AppBot. The latter's executable is launched automatically each time the phone starts, thanks to an .rsc file.

Once executed, it decrypts a file named SystemService.boot which points to c:\sys\bin\SystemService.exe, the file that actually contains the payload.

After collecting all the phone numbers it can find on the device, ConBot sends them, along with the phone's IMEI number, to a remote server hosted on the same Russian domain. In return, the server sends the infected device an XML file containing instructions on where to send the SMS messages.

Besides this, it also closely monitors all incoming messages, deleting some of them if certain conditions are met.

Even though this functionality is similar to that of Spitmo.A and OpFake.A, the certificate ConBot is signed with is not the same as the one used by OpFake.

An interesting thing about ConBot is that the C&C server address can be updated via a text message, which means that if the command and control server goes down, the botnet doesn't necessarily go down with it.