The future of mobile malware - digitally signed by Symbian?


Earlier this month, a piece of mobile malware known as Transmitter.C, Sexy View, Sexy Space or SYMBOS_YXES.B slipped through Symbian's mobile code signing procedure, allowing it to act as a legitimate application with access to critical device functions such as the mobile network and numerous other functions of the handset.

Upon notification, the Symbian Foundation quickly revoked the certificate used by the bogus Chinese company XinZhongLi TianJin Co. Ltd. However, because the revocation check is turned off by default, the effect of the revocation remains questionable.

What are the chances that future malware authors could bypass the code signing procedure again?

Before answering the question, it's worth pointing out how they managed to do it in the first place. According to F-Secure, the authors of SYMBOS_YXES.B seem to have digitally signed their malware by using the Express Signing procedure, taking advantage of the lack of human inspection. Another variant of the malware was also digitally signed in February.

Human inspection, rather than total reliance on a mobile antivirus scanner, could have prevented the signing of the malware, since the malware authors didn't even bother to create a fake company page on the Internet in an attempt to improve their legitimacy. For instance, none of the previously used Chinese company names (XiaMen Jinlonghuatian Technology Co. Ltd., ShenZhen ChenGuangWuXian Tech. Co. Ltd. and XinZhongLi TianJin Co. Ltd.) has any public reference.

And while the mobile malware campaign is not necessarily widespread, it remains active: the malware domain sent out via SMS is still online and hosted by the U.S.-based Global Net Access (GNAX), which hasn't responded to abuse notifications throughout the past 30 days.

The Symbian Foundation is investigating how it can improve the signing procedure and detect malware before it issues yet another certificate to the malware's authors. Over 2000 applications go through the signing process each month.

Topics: Malware, Mobility, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • Signed is not the same as safe

    As this incident clearly shows, signing of applications is not a guarantee of safety. A digital signature tells you that the program has not been tampered with since it was signed and who signed it. It does not tell you that the creator had your best interests at heart, nor does it tell you that the signer knows every byte of the application and what it will do. In the case of Symbian Signed applications there is also a security check, but no check is perfect. Even if every application was checked by a human researcher, mistakes would still happen. Humans are, after all, human.
    As my colleague at Sophos, Paul Ducklin, wrote, strong authentication cannot eliminate fraud.
    Signing is an identification technology, not a guarantee of security.
  • How are apps verified before signing?

    How does Symbian verify apps before they are signed? What's to prevent further malware being signed? If any app can get signed without verification upon payment of some fees, this process is worthless, and is just a money making scheme. In this case people would just go back to doing what we did earlier - get software from well known vendors and to heck with the signatures.
  • RE: The future of mobile malware - digitally signed by Symbian?

    Mobile threats addressed to Apple's iPhone or Nokia's N-series terminals

    Unlike regular mobile phones with pseudo-operating systems, intelligent mobile devices such as Apple's iPhone or Nokia's N-series terminals are still scarce, as they are too expensive for the average mobile telephony subscriber. Malware can damage platforms such as Windows Mobile and Symbian. These applications usually infect the host operating systems either via compromised binaries installed by the user, or by visiting a compromised web page through the phone's browser.
    There are quite a large number of threats affecting smartphones: Trojans tampering with the system fonts, keyloggers, worms that spread from one system to another via Bluetooth or even SMS-sending applications.
    Initially one of the most targeted mobile platforms for smartphones, the Symbian operating system has been dramatically improved in terms of security; at the moment, it is extremely difficult for cyber-criminals to write malware affecting this mobile platform. For instance, older Symbian systems are still vulnerable to numerous threats, such as the fierce "Curse of Silence", a bug that could allow an attacker to render a user's mobile phone useless by sending a specially-crafted text message.
    Windows Mobile is also extremely vulnerable to such security incidents. Given the fact that Symbian systems rank higher in terms of market share, so is the likelihood of getting a Symbian bug. So yes, there are more electronic threats pestering Symbian systems than the Windows Mobile counterparts.
    However, when talking about mobile security, there is yet another aspect worth mentioning, namely scams targeting pre-pay subscribers. Scammers are usually sending messages to random numbers announcing the users that they had won consistent prizes in raffles. All they have to do is to type in a series of characters using their own mobile phone in order to validate their phone number. Few users are aware that the respective combination actually transfers credit points to other pre-pay accounts.
    Bluetooth is yet another technology giving mobile users headaches. Although easy to use and extremely reliable when it comes to data transfer between computer and smartphone or between two smartphones, many users leave the Bluetooth link enabled on their devices even when they are not using it. Since the pairing technology relies on a pre-shared, 4-digit code (which usually defaults to four zeroes), it's easy for a "hacker" to gain access inside the PDA and browse through the stored files at will.
    In order to stay safe, PDA users should take all the security measures they would adopt while using a fully fledged desktop or mobile computer. They should refrain from visiting suspicious URLs using their mobile browser, but the most important measure for ensuring a pleasant and hassle-free experience is to apply OS-related updates.
    Although the mobile world is still calm in terms of e-threats as compared to the conventional computing environment, the situation is likely to change as PDAs and smartphones are constantly gaining market share. And even if deploying a dedicated security solution may seem a little too "radical" for the average Joe or Jonny ;), always remember that your mobile digital world carries critical information both for the user and for the corporate environment.
    Only a few companies offer security solutions for mobile phones; Bitdefender, for example, is one of them.

    Be safe online