Knowing that Chinese malware likes to spy, we’ve been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmailing.

We didn’t have to look for long. A member our Threat Response team just found something interesting in a Symbian malware sample.

Here are our analyst’s notes

The code of Trojan:SymbOS/Spinilog.A (md5: b346043b4efb1e9834a87dce44d6d433) includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone’s memory. This feature seems to still be unused and possibly incomplete as the constructor of the CMyCameraEngine class is not called in the code. Other data stolen by the trojan is more traditional such as the content and details of SMS and e-mail messages, phone call details and calendar and contact information.

So while this particular backdoor won’t yet steal your photos, it’s clear which direction we’re headed to.

Android malware seems to be all the rage at the moment. Here’s a few comments on a couple interesting side issues we’ve been discussing as we’ve seen them crop up during analyses.

First up: there was a recent report on suspicious applications found the official Android Market. The apps in question have since been taken off the Market, but our threat hunting team still come across them in forums and other such locations, usually promoted as ‘free apps’.

The applications themselves appear to be straightforward games. At some point however, it looks like additional services were added to the apps.

The earlier versions didn’t ask for anything other than Internet access

However the later versions get a bit more personal than that:

With the changes, the app is able to access various bits of information from the device: the carrier and country, the device’s ID, e-mail address and phone number.

The information is sent out to a remote server

An additional twist this app pulls is that it includes a little icon that when clicked, leads the user to other apps which presumably, they might like to try. The apps being promoted also appear to show the same suspicious behavior.

What was interesting is that both the earlier ‘unremarkable’ and later ‘suspect’ versions of the app appear to be from the same developers:

 It appears to be a case of questionable new behaviors being added at a later date to an existing app, and not a repackaged app with foreign malicious routines added. We’re still looking into various aspects of this; for now, based on the observed behavior, we detect these applications as Spyware:Android/SndApps.A.

This case is interesting to us as we see it as an evolution in Android application development, specifically ‘greyware’. This kind of behavior seems to bear out one of our earlier predictions, where an ‘established’ developer would be able to push out an update containing suspicious/unwanted/unethical routines, which may invade the user’s privacy.

The newly added routines could include obtaining user information that can be used for other purposes, like sending marketing advertisements or spam. At worst, the details may be sold to a third party. We would have no way of knowing what is being done with the information.

In another case even more recently, we’ve been discussing the odd behavior of another reported Android app, this time a trojan.

It didn’t make sense that the trojan intercepted an SMS message and then reported it to a loopback address:

From our investigation, it seems like this app might be a test program. We detect this as Trojan:Android/SmsSpy.C.

However, one of our threat hunters did find a file (SHA1: 7d8004b107979e159b307a885638e46fdcd54586) that appears to be more useful:

 That looks more like the real deal. We detect this as Trojan:Android/SmsSpy.D.

I came across an interesting article this morning on the SC Magazine web site this morning so I thought I’d share a brief excerpt and a link to the full article.

Bank log-in details could be targeted, say security experts.

Security experts are warning of a variant of the Zeus banking trojan that attacks mobile phones and can bypass the two-stage verification system used by some banks.

Zeus Mitmo is previously unknown malware that is designed to intercept the confirmation SMS sent out by some banks as part of the online log-in process, according to Spanish security company S21sec.

Read the full article on the SC Magazine web site.

Kaspersky Labs has found one of the first Trojan SMS viruses attacking Android handsets. Kaspersky Labs is a provider of leading antivirus products. Kaspersky has previously found viruses in Google adsense and many other places.

The trojan SMS virus prompts Android users to install a fake media player application with the standard Android extension *.apk – a fake player disguised as a media player is in fact a Trojan virus built for Android handsets.

Once you install this small Android app which is only about 13kb it immediately starts sending SMS text messages to premium numbers without the knowledge of the user. Unfortunately the users will not know about the existence of the virus until they check their mobile bill.

Android OS is one of the highest growing mobile operating system by Google. There were previous cases of spyware installed in Android OS based handsets.

Known as Trojan SymbOS/MerogoSMS worms are currently attempting to spread on Symbian Series 60 3rd Edition devices. Symbian is the most common smartphone operating system in use.

They spread by sending text messages to other phones. The SMS contains a variable message in Chinese with a link to a web site. If  followed the user is prompted to install an application thereby infecting the phone and restarting the whole process of propagation via SMS. These worms appear to have the capability of sending messages to expensive premium-rate numbers.

Here’s the Clever Bit

As unsigned software can not be directly installed on Symbian Series 60 3rd Edition devices by default the installation package for this worm has indeed gone through the Symbian Signing process. According to sources they were submitted using Symbians express signing mechanism. The signed installation files contain additional unsigned SISX files which the host installer deploys. this type of mechanism makes it hard for certification systems to get a complete understanding of what the program being signed really does.

Does Symbian Revoking the Publisher ID Fix the Problem for Everyone?

Symbian Foundation has revoked the publisher ID that was allocated for these packages. But does that automatically fix the problem? No. Another step is needed.

Usually S60 phones are not configured by default to check for certification revocation. This is understandable. If hardware vendors were configuring phones to make data connections by default it would customer service nightmares for the carriers. Hardware vendors just can’t assume that customers will buy data plans so the certification check is off by default.

If you have an S60 phone and a data plan then you should adjust your Application Manager settings as shown below.

An excellent technical report on the Ikee.B botnet that replicates on jailbroken iPhone devices has been put out by SRI International.

The following is an abstract of the report,

We present an analysis of the iKee.B (duh) Apple iPhone bot client, captured on 25 November 2009. The bot client was released throughout several countries in Europe, with the initial purpose of coordinating its infected iPhones via a Lithuanian botnet server.  This report details the logic and function of iKee’s scripts, its configuration files, and its two binary executables, which we have reverse engineered to an approximation of their C source code implementation.  The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Click here to view the full report

I was browsing through my RSS feeds this morning and came across an excellent article from InformationWeek.

The contents of the article give a clear indication that the normal internet based channels currently used for internet banking on PC’s and more commonly on mobile devices just don’t hack it when it comes to the overall security model. I’m thinking strongly that an implementation that includes SecureSMS as both authentication and content delivery mechanisms might prove to be the best way to go.

Here is a brief excerpt from the article,

Two-factor authentication — used to protect online bank accounts with both a password and a computer-generated one-time passcode — is supposed to be more secure than relying on a single password.

But Gartner Research VP Avivah Litan warns that cyber criminals have had success defeating two-factor authentication systems in Web browsing sessions using Trojan-based man-in-the-middle attacks.

To view the full article as posted by InformationWeek click here.

There’s another new worm with botnet functionality hunting for jailbroken iPhones.

This new worm only affects Jailbroken iPhones that have SSH installed and who’s owners have not yet changed the iPhone default password. This worm connects via a web based command & control center at 92.61.38.16, somewhere in deepest darkest Lithuania.

Fortunately at this point in time the worm is not widespread. It is however much more serious than the first iPhone worm. This new iPhone worm attempts to steal information from the mobile devices.

Another article from the security pros at F-Secure outlines another Symbian trojan, Doomboot.A. Doomboot.A pretends to be a pirate copied Symbian game. People who don’t download and install pirate copied games or applications are safe from nasty surprises, but lots of people do.

If the users phone runs out of battery or user switches off the phone, the phone can be recovered with a special hard format key combination. The actual phone hardware is not damaged by the trojan, but formatting the phone loses all data.

You can read the full blog post here.

F-Secure have a post that goes back nearly four years outlining the first known trojan to attack phones MMC card. SymbOS/Cardblock.A is a Symbian trojan that used a phones MMC card in trying to get users PC infected with Win32 malware, but Cardblock.A is the first one that actually attacks the MMC card itself.

It was and still is capable of deleting system directories and destroying information about installed applications, users MMS and SMS messages, phone numbers stored on the phone and other critical system data. It means that user loses access to applications he or she has installed into the phone including the phone number and other important data.