SymbOS/Album Follows the Path of SymbOS/Yxes
Lately, I have been analyzing a sample of SymbOS/Album.A!tr, another advanced malware targeting mobile phones running Symbian OS 9 and greater.
First of all, once more, like SymbOS/Yxes, this malware was “legitimately” signed by Symbian’s Express Signed program. The certificate is now revoked:
Serial Number: c8:8e:00:01:00:23:db:45:38:bc:e7:2a:d3:03 Signature Algorithm: sha1WithRSAEncryption Issuer: C=GB, O=Symbian Limited, CN=Symbian CA I Validity Not Before: Nov 20 05:00:02 2009 GMT Not After : Nov 21 05:00:02 2019 GMT Subject: C=CN, ST=guangdong, L=shenzhen, O=Shenzhen ZhongXunTianCheng Technology Co.,Ltd., OU=PF_V100 1.0.0, OU=Symbian Signed ContentID, CN=Shenzhen ZhongXunTianCheng Technology Co.,Ltd.
Like SymbOS/Yxes, SymbOS/Album has the capability to silently send SMS messages. It does not do it the same way though: Yxes uses the RSendAs class, whereas Album uses a non-official Symbian API named EasyDgm API (Easy Datagram API). This API sends SMS messages via sockets. Check out the API’s source code for more details, but basically, this is how it works:
1. open a socket (RSocket) and select the SMS protocol: iSocket.Open(iSocketServer, KSMSAddrFamily, KSockDatagram, KSMSDatagramProtocol);
2. create a stream to write over that socket: RSmsSocketWriteStream writeStream(iSocket);
3. dump the SMS message in the stream: writeStream « smsMsg;
4. flush all remaining data in the stream: writeStream.CommitL();
SMS messages sent that way are not reported in the phone’s Sent message box, so they are ‘invisible’ to the user (but not to his/her future bill !). To see what’s happening, one must read the phone’s internal log file, c:\101f401d\logdbu.dat:
"28/06/2010","15:26","Short message","Outgoing","Not sent", "1*1#","10665xxx"... "28/06/2010","15:24","Short message","Outgoing","Not sent", "@id=200@V1.2.0@YOUR IMSI@3","13410252xxx"...
The log shows the malware tried to send 2 SMS messages, one to the phone number 10665xxx with text “11#” and the other one to 13410252xxx with a string containing the IMSI. Those SMS messages had no chance to make it to their recipient because they are only valid in China and I am not ;) (and, of course, I had checked manually in the disassembly what numbers the malware was likely to dial before trying !). Unfortunately, several Chinese users have been less lucky and have reported abnormal bill growth (see Figures 1 and 2).
Figure 1. Chinese user complaining his phone dialed 13410252xxx (text translated from Chinese)
Figure 2. Chinese user complaining about unexpected SMS messages to 10665xxx (text translated from Chinese)
The number 10665xxx is special. It corresponds to a service provider number, i.e a special number allocated by the operator to so-called “service providers”. In that case, the number was allocated by China Mobile to “Interactive Technology Co., Ltd. Shenzhen Creation”.
As for the number 13410252xxx, it corresponds to a personal GSM located in Shenzhen, in the Guangdong Province, and it is operated by China Mobile.
Figure 3. Locating number 13410252xxx (translated from Chinese)
Does that ring a bell? Look at the certificate at the top of this post:
C=CN, ST=guangdong, L=shenzhen
Yes, the certificate also belongs to an individual/company located in Shenzhen. No proof, but looks likely both belong to the same person. Note that the names “Interactive Technology Co” or “ZhongXunTianCheng” may be fake, or impersonated and hence may not correspond to the malware authors.
Thanks to NetQin for sharing this sample.
– the Crypto Girl