A week after McAfee Avert Labs found WinCE/InfoJack, we have run across more malware in China. This time the malware, which runs on Symbian Series 60 phones, attempts to extort money from its victims. SymbOS/Kiazha.A displays a message telling the user to send RMB 50 (approx. $7) to the malware author in order to regain use of the phone.

The message, roughly translated, states:
“Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [id removed] account, or your phone will be paralysed!!!”
QQ is a very popular instant messaging network in China and a target for many password-stealing trojans and scams. QQ coins, an in-network currency, are also heavily used, traded and stolen outside the QQ network. We have previously covered how theft of QQ coins is prosecuted.
SymbOS/Kiazha.A is just one part of SymbOS/MultDropper.CR. MultiDroppers bundle a number of different malware families, each with its own functionality. SymbOS/MultDropper.CR consists of SymbOS/Commwarrior.C, SymbOS/Beselo.B1, SymbOS/SmsSend.F and SymbOS/SmsSend.G, all of which can run up SMS and MMS charges for the user.
On the surface, SymbOS/MultDropper.CR looks like a standard bundle of previously seen malware. Examining its components individually, we noticed a few things:
- SymbOS/SmsSend.F sends an SMS to request a new QQ account for the user
- SymbOS/SmsSend.G forwards received SMS messages to the malware author
- SymbOS/Kiazha.A deletes sent and received SMS messages
Taken separately, these actions seem to work against each other: if the SMS confirming the new QQ account were received, SymbOS/Kiazha.A would delete it, rendering the account request pointless.
Testing the dropper as a whole showed something more interesting: the interaction of these disparate components produces a coherent, functional attack. SymbOS/MultDropper.CR uses the malicious payloads (Beselo, Commwarrior) to convince the user that the phone is infected. It also sets up SMS forwarding (SmsSend.G) to collect information, and potentially passwords, from the victim's messages. If the victim does not have a QQ account, the malware orders one for them (SmsSend.F); because SmsSend.G forwards each message to the author before Kiazha.A deletes it, the deletion no longer defeats the request, it only hides the evidence from the victim. After all that, SymbOS/Kiazha.A deletes the SMS messages to cover its tracks and displays the offer to fix the user's phone for a small fee.
MultiDroppers are usually assembled by malware authors who are not programmers and simply bundle the work of others. With MultDropper.CR, it appears that the author put considerable effort and testing into combining existing malware like pieces from a toolkit. Also notable, especially for mobile phone malware, is that the author seems to have done all this work for profit rather than notoriety.
