Computer Security Research - McAfee Labs Blog

We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy. A sends all the data it’s captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

The software is licensed for only one phone ID(IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI it’s expected to be shut down.
It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.

This entry was posted on Wednesday, December 6th, 2006 at 01:48 and is filed under Mobile Security Research. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Chris Mosby at myITforum.com : McAfee Avert Labs Blog - Want spies with that? Says:
December 6th, 2006 at 06:48

[...] Trackback [...]

CALVIN Says:
December 8th, 2006 at 19:16

Nowadays, malware creator seems to be more sophisticated in creating “Rainbow” malware. In the past, they learnt from experience and eventually created dangerous or destructive malware. With Symbian OS Smartphones getting popular, opportunities for malware creator rise correspondingly.

The thing that I worried the most is, “Mobile Wallets” technology is being used widely in Malaysia. This will result in more payment solutions can be done using mobile phones. Interestingly, private data also keep flowing into mobile network. As always, when there’s money or private data, hackers will always try their best to “dig” out those confidential information.

Smartphone spyware seems to be harmful, especially to those who always use their mobile phone to do online banking. As always, I would like to emphasize on “Prevention is better than cure”. User should practice some security measures to protect themselves about latest mobile threats. Preferably, I would like to secure my phone with an extra shield, i.e. having an anti-virus in my phone system.

Securityblog - Blog sulla sicurezza informatica » Mcafee segnala MultiDropper.CG, il primo esempio di malware che contiene lo spyware mobile SymbOS/Mobispy Says:
December 11th, 2006 at 07:09

[...] Maggiori informazioni sono disponibili presso il Blog di McAfee AVERT Labs a questo indirizzo: http://www.avertlabs.com/research/blog/?p=145 [...]

Computer Security Research - McAfee Avert Labs Blog Says:
December 13th, 2006 at 14:48

[...] Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware. [...]

Data Thieves Drop In On Your Phone : Cobit Expert Says:
February 17th, 2007 at 09:11

[...] We can add criminal threats to data safety on mobiles, not that we could not already. McAfee researcher Jimmy Shah documented the presence of an attempt to marry spyware with software like the MultiDropper series plaguing users of Symbian-based (as in Nokia and others) mobile devices: [...]

Computer Security Research - McAfee Avert Labs Blog Says:
February 27th, 2007 at 03:31

[...] Avoid installing unknown or untrusted software (for all types of phones), which are sometimes used to install snoopware. [...]

How do you intercept someone else’s SMS? « Conspiracy Point Infosec News Says:
March 9th, 2007 at 23:15

[...] Along with commercial mobile phone spyware, predictions of mobile malware surges (was last year really ‘the year’ of mobile malware?), SMS phishing, the FBI being a little sneaky with mobile phone microphones and using mobile devices for banking, it seems that those raising the alarm on these threats early like F-Secure will look fairly wise in hindsight. [...]

Computer Security Research - McAfee Avert Labs Blog Says:
March 4th, 2008 at 05:23

[...] SymbOS/Kiazha.A is just one part of SymbOS/MultDropper.CR. MultiDroppers contain a number of different malware, which have separate functionality. SymbOS/MultDropper.CR consists of SymbOS/Commwarrior.C, SymbOS/Beselo.B1, and SymbOS/SmsSend.F-G, all of which can cost the user for SMS and MMS transmission. [...]

damion Says:
April 29th, 2009 at 20:27

i have a virus or trogan and some parts cant be removed so i need to know what to do next plz. The virus is called (generic PUP.x) i have mcafee but dont know waht to do. Thanks

janice Says:
May 15th, 2009 at 07:58

( GENERIC PUP.X ) HAS SHOWN UP ON MY COMPUTER

I HAVE TRIED TO DELETE BUT SAYS IT CANNOT BE REMOVED COMPLETELY.

THIS IS A BRAND NEW LABTOP BOUGHT SINCE JANUARY AND LESS THAN A MONTH THIS HAPPENS

(I USE THAT JUNK CALLED MCAFEE) A MONEY MAKING PRODUCT BUT DOES NOT PROTECT YOUR COMPUTER WHEN UNKNOWN DOWNLOADS POSES TREAT’S
IT SHOULD BE TAKEN OFF THE MARKET BECAUSE YOU ARE WORKING ON YOUR COMPUTER AND UNKNOWN TO YOU THE PROGRAMS LIFT THE BAR OF SECURITY UNKNOWING TO YOU AND LEFT YOU VULNERABLE FOR THIS VIRUS. ITS NOT UNTIL YOU CHECK THE SECURITY LEVEL OF YOUR COMPUTER OR SCAN OT BEFORE YOU WILL RECOGNIZED THIS

Linda Says:
June 5th, 2009 at 13:29

I can not r3move from my coumper it said connot be completely. I need to go to spyware-reseatch@avertlabs.com ( Subject line: “Mas content”) in a Zip file must be no larger than 3 MB. okay what can I do? come back and help me please

willie Says:
October 30th, 2009 at 07:36

i have unwanted adware on my computer and cant remove it .and artemis!21c5d4a2e4eb.and cant remove it eather.can u help? its a ‘mas content’ in a zip file on my computer.

Jackie Aron Says:
November 20th, 2009 at 11:50

I have unwanted adware on my computer.It can’t be completely removed. I tried to unistall the ioio mechanic program off the computer, but its still here when I run a scan…that’s where my virus is. So McAfee said to go to spyware_research@avertlabs.com put in (subject line “MAS Content in a .Zip file”) And put in a password infected but how do I do that? Please help…thanks

connie Says:
January 24th, 2010 at 05:32

I have an unwanted spyware on my computer, Macafee says it can not completely remove it. Can you help me? Thank You.

Want spies with that?

14 Responses to “Want spies with that?”

Leave a Reply

Archives

Categories