A mobile botnet on the horizon

Feb 21, 2009 10:54 GMT

Researchers from various security firms have discovered a new mobile threat that targets Symbian phones. The worm features a signed Symbian certificate and propagates by sending malicious links via SMS to all numbers in a phone’s memory.

F-Secure's Antivirus Research and Response team notes that this new threat, which it identifies as Trojan:SymbOS/Yxe.A, is rather new in nature for the S60 3rd Edition platform. “This is something we don't see very often. There are spy tools and other privacy threats directed at S60 3rd Edition phones, but malware is still mainly an issue on S60 2nd Edition phones,” the team says.

F-Secure characterizes this mobile malware as a Trojan because of its data-stealing capabilities and the social engineering techniques employed by its creators. The malicious application is signed with a certificate that Symbian accepts, so installation does not arouse the user's suspicion.

After installation, the program gathers phone identification information such as the device type, IMEI and IMSI numbers and submits them to a remote server. F-Secure published a more detailed analysis of its payload and features, according to which the application appears to have originated in China.

Security research company Fortinet also released an advisory about this new mobile malware. However, the Fortinet researchers classified it as a worm and named it SymbOS/Yxes.A!worm because of its propagation technique: it collects all phone numbers stored on the device, then repeatedly tries to send a malicious SMS to each of them. The message contains a link which, when visited, downloads the malware onto the new device.

With the appearance of this worm, the concept of mobile botnets is not just theory anymore, as Guillaume Lovet, senior manager of Fortinet's Threat Research Team, explains. “As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We're really at the edge of a mobile botnet here,” he warns.

The malware attempts to hide its traces by running under the process name "EConServer.exe," a one-letter twist on the name of the legitimate "EComServer.exe" application. If the Symbian Application Manager is still available, the worm can simply be uninstalled like any other piece of software. That may not be possible, however, because the worm attempts to kill the AppMngr process along with other tools that could be used to identify it, such as ActiveFile, TaskMan, TaskSpy or Y-Tasks.
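Two of the behaviours described above, the SMS-link propagation and the lookalike process name, lend themselves to simple detection heuristics. The script below is an added example, not code from F-Secure, Fortinet or the article; the SMS log format, phone numbers and the legitimate-process list beyond EComServer.exe are constructed for the example. It flags (a) running process names that are a single character away from a known-good name without being one, which is exactly the EConServer/EComServer trick, and (b) any sender that pushes the same link-bearing SMS body to several distinct recipients, which is how the worm spreads.

```python
import re
from collections import defaultdict

# Known-good process names. EComServer.exe is named in the article; the other
# entries are constructed for this example.
LEGIT_PROCESSES = {"EComServer.exe", "AppMngr.exe", "TaskMan.exe"}

# Tools the article says the worm tries to kill; if these vanish from the
# process list on a device that normally runs them, that is a second cue.
MONITORING_TOOLS = {"AppMngr", "ActiveFile", "TaskMan", "TaskSpy", "Y-Tasks"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character process-name twists."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_processes(running, legit=LEGIT_PROCESSES, max_distance=1):
    """Return (suspect, imitated) pairs for names that almost match a legit one."""
    hits = []
    for name in running:
        if name in legit:
            continue  # exact match: nothing to report
        for good in legit:
            if edit_distance(name.lower(), good.lower()) <= max_distance:
                hits.append((name, good))
    return hits


# Constructed SMS gateway log in a made-up one-line-per-message format.
SMS_LOG = """\
2009-02-20 10:00:01 from=+15550001 to=+15550101 body=check this out http://example.invalid/x
2009-02-20 10:00:02 from=+15550001 to=+15550102 body=check this out http://example.invalid/x
2009-02-20 10:00:03 from=+15550001 to=+15550103 body=check this out http://example.invalid/x
2009-02-20 10:00:04 from=+15550001 to=+15550104 body=check this out http://example.invalid/x
2009-02-20 10:05:00 from=+15550002 to=+15550201 body=meeting notes http://example.invalid/notes
2009-02-20 10:06:00 from=+15550003 to=+15550301 body=running late
2009-02-20 10:06:10 from=+15550003 to=+15550302 body=running late
2009-02-20 10:06:20 from=+15550003 to=+15550303 body=running late
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) from=(?P<src>\S+) to=(?P<dst>\S+) body=(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def find_sms_bursts(log_text: str, min_recipients: int = 3):
    """Flag senders that push one identical link-bearing body to many recipients.

    Returns a list of {"sender", "body", "recipients"} dicts. Messages without a
    URL are ignored, so a person texting the same plain note to friends is not
    reported; a worm mass-sending a download link is.
    """
    recipients = defaultdict(set)  # (sender, body) -> distinct recipients
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not URL_RE.search(m["body"]):
            continue
        recipients[(m["src"], m["body"])].add(m["dst"])
    return [
        {"sender": src, "body": body, "recipients": sorted(dsts)}
        for (src, body), dsts in recipients.items()
        if len(dsts) >= min_recipients
    ]


if __name__ == "__main__":
    # Constructed process list from a suspect handset.
    running = ["EConServer.exe", "EComServer.exe", "TaskMan.exe"]
    for suspect, imitated in find_lookalike_processes(running):
        print(f"lookalike process {suspect!r} imitates {imitated!r}")
    missing = MONITORING_TOOLS - {p.rsplit(".", 1)[0] for p in running}
    print("monitoring tools not running:", sorted(missing))
    for burst in find_sms_bursts(SMS_LOG):
        print(f"{burst['sender']} sent a link to {len(burst['recipients'])} numbers: {burst['body']!r}")
```

The threshold of three recipients and the edit distance of one are starting points, not tuned values; on a real gateway log the recipient count would be evaluated per time window rather than over the whole file.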

This is the second serious mobile threat we have reported this year, after the credit-stealing Trojan-SMS.Python.Flocker discovered by Kaspersky Labs and its later variant for the J2ME platform, Trojan-SMS.J2ME.GameSat.a.