Mobile malware to steal photos from your phone

A good deal of this year’s mobile malware was developed in China. And Chinese mobile malware tends to include stuff such as backdoors, password stealers and spy tools.

Knowing that Chinese malware likes to spy, we’ve been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmailing.

We didn’t have to look for long. A member of our Threat Response team just found something interesting in a Symbian malware sample.

Here are our analyst’s notes:

The code of Trojan:SymbOS/Spinilog.A (md5: b346043b4efb1e9834a87dce44d6d433) includes a class named CMyCameraEngine which inherits from and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone’s memory. This feature still seems to be unused, and possibly incomplete, as the constructor of the CMyCameraEngine class is never called in the code. Other data stolen by the trojan is more traditional, such as the content and details of SMS and e-mail messages, phone call details, and calendar and contact information.

So while this particular backdoor won’t yet steal your photos, it’s clear which direction we’re headed in.

On Android threats Spyware:Android/SndApps.A and Trojan:Android/SmsSpy.D.

The following is an excellent writeup on a new Android spyware app and trojan (Spyware:Android/SndApps.A and Trojan:Android/SmsSpy.D) that are doing the rounds. The article comes from the fantastic guys and girls over at F-Secure.

Android malware seems to be all the rage at the moment. Here are a few comments on a couple of interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.

First up: there was a recent report on suspicious applications found in the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still come across them in forums and other such locations, usually promoted as ‘free apps’.

The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps.

The earlier versions didn't ask for anything other than Internet access (more…)

SMS Harvesting Mobile Virus Targeting Banks

Security experts are warning of a variant of the Zeus banking trojan that attacks mobile phones and can bypass the two-stage verification system used by some banks

I came across an interesting article on the SC Magazine web site this morning, so I thought I’d share a brief excerpt and a link to the full article.

Bank log-in details could be targeted, say security experts.

Zeus Mitmo is previously unknown malware that is designed to intercept the confirmation SMS sent out by some banks as part of the online log-in process, according to Spanish security company S21sec.

Read the full article on the SC Magazine web site.

Trojan SMS Virus Found on Android Handsets

Kaspersky Labs has found one of the first Trojan SMS viruses attacking Android handsets. Kaspersky Labs is a provider of leading antivirus products. Kaspersky has previously found viruses in Google AdSense and many other places.

The trojan SMS virus prompts Android users to install a fake media player application packaged with the standard Android extension *.apk; the supposed media player is in fact a Trojan virus built for Android handsets.

Once you install this small Android app, which is only about 13 KB, it immediately starts sending SMS text messages to premium-rate numbers without the user’s knowledge. Unfortunately, users will not know of the virus’s existence until they check their mobile bill.

Android, the mobile operating system from Google, is one of the fastest-growing mobile operating systems. There have been previous cases of spyware installed on Android-based handsets.

Trojan SymbOS/MerogoSMS Worms

Worms known as Trojan SymbOS/MerogoSMS are currently attempting to spread on Symbian Series 60 3rd Edition devices. Symbian is the most common smartphone operating system in use.

They spread by sending text messages to other phones. The SMS contains a variable message in Chinese with a link to a web site. If the link is followed, the user is prompted to install an application, thereby infecting the phone and restarting the whole process of propagation via SMS. These worms appear to have the capability of sending messages to expensive premium-rate numbers.

Here’s the Clever Bit

As unsigned software cannot be installed directly on Symbian Series 60 3rd Edition devices by default, the installation package for this worm has indeed gone through the Symbian Signed process. According to sources, it was submitted using Symbian’s Express Signed mechanism. The signed installation file contains additional unsigned SISX files which the host installer deploys. This type of mechanism makes it hard for certification systems to get a complete understanding of what the program being signed really does.

Does Symbian Revoking the Publisher ID Fix the Problem for Everyone?

Symbian Foundation has revoked the publisher ID that was allocated for these packages. But does that automatically fix the problem? No. Another step is needed.

S60 phones are usually not configured by default to check for certificate revocation. This is understandable: if hardware vendors configured phones to make data connections by default, it would cause customer service nightmares for the carriers. Hardware vendors just can’t assume that customers will buy data plans, so the certificate check is off by default.

If you have an S60 phone and a data plan then you should adjust your Application Manager settings as shown below.

[Screenshot: certificate-check]

Analysis of the iKee.B (Duh) iPhone Botnet

[Screenshot: iphone-message]

An excellent technical report on the iKee.B botnet, which replicates on jailbroken iPhone devices, has been put out by SRI International.

The following is the abstract of the report:

We present an analysis of the iKee.B (duh) Apple iPhone bot client, captured on 25 November 2009. The bot client was released throughout several countries in Europe, with the initial purpose of coordinating its infected iPhones via a Lithuanian botnet server. This report details the logic and function of iKee’s scripts, its configuration files, and its two binary executables, which we have reverse engineered to an approximation of their C source code implementation. The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Click here to view the full report

InformationWeek Have Posted an Excellent Article Titled “Strong Authentication Not Strong Enough”

I was browsing through my RSS feeds this morning and came across an excellent article from InformationWeek.

The contents of the article give a clear indication that the normal internet-based channels currently used for internet banking on PCs, and more commonly on mobile devices, just don’t hack it when it comes to the overall security model. I’m thinking strongly that an implementation that includes SecureSMS as both the authentication and content delivery mechanism might prove to be the best way to go.

Here is a brief excerpt from the article:

Two-factor authentication — used to protect online bank accounts with both a password and a computer-generated one-time passcode — is supposed to be more secure than relying on a single password.

But Gartner Research VP Avivah Litan warns that cyber criminals have had success defeating two-factor authentication systems in Web browsing sessions using Trojan-based man-in-the-middle attacks.

To view the full article as posted by InformationWeek click here.

Brand New iPhone Worm – This One Attempts to Steal Information from the Mobile Device

There’s another new worm with botnet functionality hunting for jailbroken iPhones.

This new worm only affects jailbroken iPhones that have SSH installed and whose owners have not yet changed the iPhone default password. The worm connects to a web-based command & control center at 92.61.38.16, somewhere in deepest, darkest Lithuania.

Fortunately, at this point in time the worm is not widespread. It is, however, much more serious than the first iPhone worm: this new iPhone worm attempts to steal information from the mobile device.

New Symbian trojan that drops Commwarrior.B and disables the phone

[Image: phone-code]

Another article from the security pros at F-Secure outlines another Symbian trojan, Doomboot.A. Doomboot.A pretends to be a pirated copy of a Symbian game. People who don’t download and install pirated games or applications are safe from nasty surprises, but lots of people do. (more…)

Symbian trojan that locks your mobile phone’s MMC card

F-Secure have a post going back nearly four years outlining the first known trojan to attack a phone’s MMC card. SymbOS/Cardblock.A is a Symbian trojan. Previous trojans used a phone’s MMC card to try to get the user’s PC infected with Win32 malware, but Cardblock.A is the first one that actually attacks the MMC card itself. (more…)