
July 23rd, 2009

The future of mobile malware - digitally signed by Symbian?

Posted by Dancho Danchev @ 3:25 am

Categories: Anti Virus, Hackers, Malware, Mobile (In)Security

Tags: Mobile, Malware, Symbian Inc., Symbian Foundation, Spyware, Adware & Malware, Cyberthreats, Viruses And Worms, Security, Dancho Danchev

Earlier this month, a piece of mobile malware known as Transmitter.C, Sexy View, Sexy Space or SYMBOS_YXES.B slipped through Symbian’s mobile code signing procedure, allowing it to act as a legitimate application with access to critical device functions such as the mobile network, and numerous other functions of the handset.

Upon notification, the Symbian Foundation quickly revoked the certificate used by the bogus Chinese company XinZhongLi TianJin Co. Ltd. However, because the revocation check is turned off by default, the effect of the revocation remains questionable.
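The effect of a disabled revocation check, as an added example (not code from the original post or from Symbian): a constructed test authority issues a publisher certificate and later revokes it, and a hypothetical `install_allowed` check still accepts the signed package whenever the revocation lookup is switched off. It assumes the third-party Python `cryptography` package and uses a CRL as a stand-in for whatever revocation mechanism the device uses; all names and the payload are constructed.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)
DAY = dt.timedelta(days=1)

def make_cert(subject, public_key, issuer, issuer_key):
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 30 * DAY)
            .sign(issuer_key, hashes.SHA256()))

# Constructed test PKI: a stand-in signing authority and one publisher.
ca_key = ec.generate_private_key(ec.SECP256R1())
ca_cert = make_cert("Example Signing CA", ca_key.public_key(), "Example Signing CA", ca_key)
pub_key = ec.generate_private_key(ec.SECP256R1())
pub_cert = make_cert("Example Publisher", pub_key.public_key(), "Example Signing CA", ca_key)
package = b"constructed installer payload"
signature = pub_key.sign(package, ec.ECDSA(hashes.SHA256()))

# The authority revokes the publisher certificate after the package has shipped.
revoked = (x509.RevokedCertificateBuilder().serial_number(pub_cert.serial_number)
           .revocation_date(NOW).build())
crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
       .last_update(NOW).next_update(NOW + DAY).add_revoked_certificate(revoked)
       .sign(ca_key, hashes.SHA256()))

def install_allowed(package, signature, cert, check_revocation):
    """Hypothetical install-time check; check_revocation models the device setting."""
    try:
        # 1. The certificate was issued by the trusted authority.
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        # 2. The package signature matches the key in that certificate.
        cert.public_key().verify(signature, package, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False
    if check_revocation:
        # 3. Revocation lookup; fail closed if the list itself is not trustworthy.
        if not crl.is_signature_valid(ca_cert.public_key()):
            return False
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False
    return True
```

With `check_revocation=False` the revoked publisher's package passes both signature checks and is accepted; only the lookup in step 3 turns the authority's revocation into a refusal on the device.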

What are the chances that future malware authors could bypass the code signing procedure again?

Before answering the question, it’s worth pointing out how they managed to do it in the first place. According to F-Secure, the authors of SYMBOS_YXES.B seem to have digitally signed their malware using the Express Signing procedure, taking advantage of the lack of human inspection. Another variant of the malware was also digitally signed in February.

Human inspection, rather than total reliance on a mobile antivirus scanner, could have prevented the signing of the malware, since the malware authors didn’t even bother to create a fake company page on the Internet in an attempt to improve their legitimacy. For instance, none of the previously used Chinese company names (XiaMen Jinlonghuatian Technology Co. Ltd., ShenZhen ChenGuangWuXian Tech. Co. Ltd. and XinZhongLi TianJin Co. Ltd.) has any public reference.

And while the mobile malware campaign is not necessarily widespread, it remains active, with the SMS-ed malware domain still online and hosted by the U.S.-based Global Net Access (GNAX), which hasn’t responded to abuse notifications throughout the past 30 days.

The Symbian Foundation is investigating how it can improve the signing procedure and detect malware before it issues yet another certificate to its authors. Over 2000 applications go through the signing process each month.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 3 Talkback(s)
RE: The future of mobile malware - digitally signed by Symbian?
Mobile threats addressed to Apple’s iPhone or Nokia’s N-series terminals

Unlike regular mobile phones with pseudo-operating systems, intelligent mobile devices such as Apple’s iPhone or Nokia’s...
Posted by: j0nnysmith Posted on: 07/31/09
Signed is not the same as safe  richardwang | 07/23/09
How are apps verified before signing?  kraterz | 07/23/09
RE: The future of mobile malware - digitally signed by Symbian?  j0nnysmith | 07/31/09
