We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.
The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).
MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.
SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy. A sends all the data it’s captured to that account.
Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.
It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:
- The software is licensed for only one phone ID(IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI it’s expected to be shut down.
- It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.
Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.
December 6th, 2006 at 6:48 am
[…] Trackback […]
December 8th, 2006 at 7:16 pm
Nowadays, malware creator seems to be more sophisticated in creating “Rainbow” malware. In the past, they learnt from experience and eventually created dangerous or destructive malware. With Symbian OS Smartphones getting popular, opportunities for malware creator rise correspondingly.
The thing that I worried the most is, “Mobile Wallets” technology is being used widely in Malaysia. This will result in more payment solutions can be done using mobile phones. Interestingly, private data also keep flowing into mobile network. As always, when there’s money or private data, hackers will always try their best to “dig” out those confidential information.
Smartphone spyware seems to be harmful, especially to those who always use their mobile phone to do online banking. As always, I would like to emphasize on “Prevention is better than cure”. User should practice some security measures to protect themselves about latest mobile threats. Preferably, I would like to secure my phone with an extra shield, i.e. having an anti-virus in my phone system.
December 11th, 2006 at 7:09 am
[…] Maggiori informazioni sono disponibili presso il Blog di McAfee AVERT Labs a questo indirizzo: http://www.avertlabs.com/research/blog/?p=145 […]
December 13th, 2006 at 2:48 pm
[…] Only last week we saw signs of malware authors integrating commercial spyware into their creations. This week we’ve run across the first evidence that malware writers are actively working on developing their own spyware. […]
February 17th, 2007 at 9:11 am
[…] We can add criminal threats to data safety on mobiles, not that we could not already. McAfee researcher Jimmy Shah documented the presence of an attempt to marry spyware with software like the MultiDropper series plaguing users of Symbian-based (as in Nokia and others) mobile devices: […]
February 27th, 2007 at 3:31 am
[…] Avoid installing unknown or untrusted software (for all types of phones), which are sometimes used to install snoopware. […]
March 9th, 2007 at 11:15 pm
[…] Along with commercial mobile phone spyware, predictions of mobile malware surges (was last year really ‘the year’ of mobile malware?), SMS phishing, the FBI being a little sneaky with mobile phone microphones and using mobile devices for banking, it seems that those raising the alarm on these threats early like F-Secure will look fairly wise in hindsight. […]
March 4th, 2008 at 5:23 am
[…] SymbOS/Kiazha.A is just one part of SymbOS/MultDropper.CR. MultiDroppers contain a number of different malware, which have separate functionality. SymbOS/MultDropper.CR consists of SymbOS/Commwarrior.C, SymbOS/Beselo.B1, and SymbOS/SmsSend.F-G, all of which can cost the user for SMS and MMS transmission. […]