Trojan SymbOS/MerogoSMS Worms

Worms known as Trojan SymbOS/MerogoSMS are currently attempting to spread on Symbian Series 60 3rd Edition devices. Symbian is the most common smartphone operating system in use.

They spread by sending text messages to other phones. The SMS contains a variable message in Chinese with a link to a web site. If the link is followed, the user is prompted to install an application, thereby infecting the phone and restarting the whole process of propagation via SMS. These worms appear to have the capability of sending messages to expensive premium-rate numbers.

Here’s the Clever Bit

As unsigned software cannot be directly installed on Symbian Series 60 3rd Edition devices by default, the installation package for this worm has indeed gone through the Symbian Signing process. According to sources, the packages were submitted using Symbian's express signing mechanism. The signed installation files contain additional unsigned SISX files which the host installer deploys. This type of mechanism makes it hard for certification systems to get a complete understanding of what the program being signed really does.

Does Symbian Revoking the Publisher ID Fix the Problem for Everyone?

Symbian Foundation has revoked the publisher ID that was allocated for these packages. But does that automatically fix the problem? No. Another step is needed.

Usually S60 phones are not configured by default to check for certificate revocation. This is understandable. If hardware vendors configured phones to make data connections by default, it would create customer service nightmares for the carriers. Hardware vendors just can't assume that customers will buy data plans, so the certificate check is off by default.

If you have an S60 phone and a data plan then you should adjust your Application Manager settings as shown below.

[Image: certificate-check]
