Android/Foncy emanating and propagating in France

by Axelle Apvrille
December 15, 2011 at 8:02 am

It does not happen that often that a mobile malware both originates in France and propagates in France. It however seems to be the case this time for an Android malware named Foncy – not that there should be any national pride in creating malware.

Foncy was first spotted by Denis Maslennikov. It is a dialer, i.e. it sends SMS messages to premium numbers without the user’s consent. It does not spread by itself: victims are infected when they download and install the malware, most likely from an alternate marketplace. They probably just wanted to try out an application, which happened to be the malware.

The application’s name (SuiConFo) – a French abbreviation for tracking mobile plans – immediately rang a bell in our French anti-virus labs. Since then, Karine de Ponteves and I have been able to track information on this malware.

The malware looks like former versions of a legitimate application named Track Your Plan. The code and signing certificate, however, bear absolutely no similarity.

Contents of the legitimate plan tracking application

Contents of the malicious plan tracking application

In France, the malware sends 4 SMS to the short number 81001, with body “STAR”. Each SMS costs 4.50 euros. The short number is an SMS+ number, rented to a French company, which in turn rents it to its customers and other intermediaries. Searching the web, we found several French users complaining about their bill who were obviously infected by the malware.

Actually, the French short number 81001 seems to be involved in several scams. For example, an end-user reports that he received an e-mail telling him he had won an iPhone 4 and asking him to send an SMS to 81001 with body “STAR”. The e-mail looks like it comes from a Fabrice Andre from Orange. A Fabrice Andre of Orange does exist, but he certainly hasn’t sent this e-mail. The operator Orange is aware of this scam.

We also found a discussion on a French forum where a member was boasting about a new method to make easy money using 81001. He explained that he had opened a StarPass account (StarPass is a micro-payment system via SMS) and would then ask his Facebook contacts to send an SMS to 81001.

WeeyWayne explains how he makes money out of 81001

For each 4.50 euro SMS received, StarPass pays back the author 2 euros.

For each SMS "A" (client cost 4.5 euros), you receive 2.00 euros (in French)

Additionally, Android/Foncy listens for incoming responses from 81001 and forwards the answers by SMS to a French mobile number, 06xxxxxxxx. This mobile number belongs to SFR, who has been notified.

French mobile phone subscribers should be particularly wary of abnormal SMS bills, as the short number 81001 and the mobile line 06xxxxxxxx are still active at the time of writing this blog, and Android/Foncy is still in the wild. End-users should complain to their operator and/or report any unsolicited spam to the French service 33700.

To date, we do not know the number of French victims, and will keep you informed.

– the Crypto Girl

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

OpenBTS for mobile malware analysis

by Axelle Apvrille
November 16, 2011 at 9:06 am


In the AV industry, one of the golden rules is to make sure that, during analysis, we do not in any way help the malware authors and/or propagate their offspring.

This requires special care in the case of malware for mobile phones because, on the one hand, many of them won’t run if the phone is offline, but on the other hand, if the phone is online, the malware is free to call or send SMS messages in the wild without any way to block those actions. So, we thought of building our own local GSM operator, using a USRP coupled with a Linux box running OpenBTS and Asterisk.

USRP connected to OpenBTS in our lab

Actually, this is what I presented at the Virus Bulletin Conference [paper] [slides], in Barcelona, a few weeks ago. If you missed it, I also showed a video comparing how much we see when analyzing a Symbian sample of Zitmo on an offline phone and the same sample when the phone is registered to our OpenBTS-based jail. Without OpenBTS, there are quite a few details we could have missed, such as the use of UCS2 encoding for SMS messages…



– the Crypto Girl


Spitmo gets on Android: mini-FAQ

by Axelle Apvrille
September 16, 2011 at 7:12 am


Yes, you have probably heard the news: a new variant of Spitmo (Zitmo/ZeuS’s counterpart for SpyEye), which previously targeted Symbian phones only, has recently been spotted on Android. The scenario is the same as before: a victim, browsing on a PC infected with SpyEye, logs in to her bank’s website. SpyEye injects forms and elements directly into the webpages she is viewing, so as to lure her into installing a fake security application on her phone, thinking it is required by the bank. That application actually intercepts SMS messages – especially those carrying authentication codes.

If you are not familiar with Spitmo yet, it is probably better you go and read Trusteer’s analysis first, as this post focuses on a few details.

  • How was the malware signed?
    It was signed using a test key publicly available from the CyanogenMod github repository. At least two other malware, Android/Netisend and Android/Pjapps, use exactly the same certificate.
  • Does it intercept all SMS?
    Like in Zitmo, Spitmo is capable of focusing only on some particular SMS messages it is interested in, for example those coming from your bank ;)
    This feature corresponds to a special entry in the malware’s XML configuration file: tels. The analyses I read don’t talk about this tag, but tels is designed to contain a list of originating phone numbers for which the malware should intercept SMS.
    The field is parsed by the code and each number is added to an array of numbers.
    If there are none (default situation), all SMS messages are intercepted.
  • Intercepted SMS messages are sent via SMS or HTTP, huh?
    It’s the general idea, but more precisely the possibilities are:

    • 1: send via HTTP only
    • 2: send via HTTP then via SMS
    • otherwise: send via SMS only

    Most analyses say “2” is for SMS, but it also sends via HTTP, and they forget to mention the third case. Not that it matters very much, but let’s just put it straight.

  • Was the malware used for real?
    It’s always difficult to be sure, but my guess would be this is just an initial test. Indeed, the malware’s configuration file sets the phone number to send intercepted SMS to 123 (which obviously isn’t a real phone number). As there doesn’t seem to be any update mechanism for the malware yet, malware authors have no way to modify this default configuration. They probably intend to in future versions.
  • Which countries are involved or targeted?
    The malware is downloadable from a Spanish web server, the SpyEye drop zones were registered by someone in Poland, the code contains localized strings for Russia… As usual, cybercriminals are careful to cover their tracks! Any of these countries could be concerned … or other countries! We have no better clue for now.
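The configuration semantics described in the FAQ above (the tels list, the three delivery modes and the 123 destination), modelled as an added example: this is not Spitmo's code. Only the tels tag comes from the analysis; the mode and number tag names and the sample numbers are assumptions.

```python
# Added example modelling the Spitmo configuration rules described above.
# Assumptions: the config is XML, the interception list is <tels> with <tel>
# children (tels is the only tag named in the analysis), the delivery mode is
# <mode> and the destination is <number>; the phone numbers are constructed.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <number>123</number>
  <mode>2</mode>
  <tels>
    <tel>+33612345678</tel>
    <tel>+33698765432</tel>
  </tels>
</config>"""

def parse_config(xml_text):
    """Extract the interception list, delivery mode and destination number."""
    root = ET.fromstring(xml_text)
    tels = [t.text.strip() for t in root.findall("./tels/tel")
            if t.text and t.text.strip()]
    mode = (root.findtext("mode") or "").strip()
    number = (root.findtext("number") or "").strip()
    return {"tels": tels, "mode": mode, "number": number}

def should_intercept(cfg, sender):
    """An empty tels list (the default) means every incoming SMS is intercepted;
    otherwise only messages from the listed originating numbers are."""
    if not cfg["tels"]:
        return True
    return sender in cfg["tels"]

def delivery_channels(mode):
    """Mode 1: HTTP only; mode 2: HTTP then SMS; any other value: SMS only."""
    if mode == "1":
        return ["http"]
    if mode == "2":
        return ["http", "sms"]
    return ["sms"]

def looks_like_test_build(cfg):
    """Rough heuristic: a destination as short as 123 cannot be a real subscriber
    number, which is why the sample reads like an initial test."""
    return len(cfg["number"]) < 5
```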

– the Crypto Girl


Shmoocon 2011 talk: Defeating mTANs for Profit

by Guillaume Lovet
January 27, 2011 at 8:40 am

Tomorrow starts the quite famous – and ever sold-out – security conference Shmoocon, held in Washington DC until Sunday. The keynote this year will be given by Peiter “Mudge” Zatko, inventor of L0phtcrack and an early pioneer of buffer overflow research.

Among the talks filling the three-track program (Build it / Break it / Bring it on), we’re glad to find our Crypto Girl, Axelle, who will present a paper she co-wrote with Kyle Yang (another regular poster on this blog) on the infamous mobile phone malware Zitmo, which we discovered (simultaneously with the Spanish company S21sec) and named last September.

Zitmo stands for “ZeuS in the Mobile”; this offspring of the gang behind the infamous banking credential theft kit named “ZeuS” has the interesting peculiarity of attacking so-called “mTANs” (mobile Transaction Authentication Numbers), which many banks send as SMS messages to serve as a second authentication factor when customers want to initiate a financial transaction online.

Axelle will elaborate on the details during the presentation, so if you’re around, make sure you attend!

Author bio: Guillaume Lovet is the head of Fortinet's FortiGuard security research team in EMEA and a regular speaker at international antivirus conferences.

During the weekend, in our monitoring of the Zeus botnet, my colleague Kyle Yang stumbled upon an unexpected payload: a brand new mobile malware piece we named SymbOS/Zitmo.A!tr (Zitmo standing for “Zeus In The MObile”), likely aimed at intercepting confirmation SMS sent by banks to their customers. This also caught the eye of s21sec, who published a nice analysis you should read.

Basically, the ZeuS network initiated some social engineering operations (via injection of HTML forms in the victims’ browser) to get the phone number and phone model of its infected victims. Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones etc).

This malicious package is still under investigation, but given the context, it is logical to believe it is aimed at defeating the SMS-based two-factor authentication that most banks implement today to confirm transfers of funds initiated online by their end users, and which currently prevents ZeuS masters from plundering infected users’ online accounts (note: although this was possible before, with man-in-the-middle attacks, it required the victim to initiate a financial transfer in the first place).

On the technical side, this malware is not altogether that ‘unexpected’: since SymbOS/Yxes, we have always said somebody would use web servers to distribute platform-specific malware to victims. Yet, it is the first time we have seen the technique used by a real gang.

So far, we have seen that:

  • the Symbian version is correctly signed, using the Express Signed program, once more. Symbian has been notified, but meanwhile, please beware this certificate hasn’t been revoked yet:
Serial Number: 61:f1:00:01:00:23:5b:c2:79:43:80:40:5e:52
C=AZ, ST=Baku, L=Baku, O=Mobil Secway, OU=certificate  1.00,
OU=Symbian Signed ContentID, CN=Mobil Secway
  • the malware creates its own malicious database on the phone, where it stores all the information it steals and needs (contact first and last names and phone numbers, for instance). This database is named NumbersDB.db and contains 3 tables:
    • tbl_contact with 4 columns: index, name, descr, pb_contact_id;
    • tbl_phone_number with 2 columns: contact_id, phone_number;
    • and tbl_history with 6 columns: event_id, pn_id, date, description, contact_info, contact_id.

    The malware searches those tables using standard SQL queries.

  • the malware sends SMS messages. In particular, it sends a message to a phone number located in the United Kingdom to notify that the malware has been successfully installed (“App installed ok”).
    "27/09/2010","12:09","Short message","Outgoing","App installed ok","+44778xxxxxxx"
    (NOT SENT - OFFLINE)

    Additionally, as explained by s21sec, the malware seems to be able to respond to a few commands such as ‘set admin’, which might be particularly dangerous: anyone sending a “set admin” SMS to your infected phone may be able to take control of it. We’re of course investigating this, as well as the rest.
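A triage pass over a phone's SMS log in the CSV export format quoted above, as an added example (not Fortinet's or the malware's code), covering both the Zitmo behaviours listed here (the “App installed ok” message to a UK number and the “set admin” command) and the Android/Foncy pattern from the first post (premium SMS to 81001 and relaying of its replies). The log lines are constructed, and the +44 and 06 numbers are placeholders standing in for the masked ones.

```python
# Added example: SMS-log triage for the behaviours described on this page.
# The log lines below are constructed in the quoted export format; the +44
# and 06 numbers are placeholders, not the real ones seen in the samples.
import csv
from io import StringIO

SMS_LOG = '''"27/09/2010","12:09","Short message","Outgoing","App installed ok","+447780000000"
"14/12/2011","18:30","Short message","Outgoing","STAR","81001"
"14/12/2011","18:30","Short message","Outgoing","STAR","81001"
"14/12/2011","18:30","Short message","Outgoing","STAR","81001"
"14/12/2011","18:30","Short message","Outgoing","STAR","81001"
"14/12/2011","18:31","Short message","Incoming","Votre code: 1234","81001"
"14/12/2011","18:31","Short message","Outgoing","Votre code: 1234","0612345678"
"27/09/2010","12:15","Short message","Incoming","set admin","+447780000000"
'''

PREMIUM_SHORT_CODES = {"81001"}   # SMS+ number abused by Android/Foncy
HOME_COUNTRY = "+33"              # assumption: the phone is a French subscriber
FIELDS = ["date", "time", "kind", "direction", "body", "number"]

def parse_log(text):
    """Turn the quoted CSV export into a list of dicts, skipping malformed rows."""
    return [dict(zip(FIELDS, r)) for r in csv.reader(StringIO(text)) if len(r) == 6]

def triage(entries):
    """Return (rule, entry) findings; an empty list means nothing suspicious."""
    findings = []
    premium_replies = {}   # body of each incoming reply from a premium short code
    for e in entries:
        out = e["direction"] == "Outgoing"
        if out and e["number"] in PREMIUM_SHORT_CODES:
            findings.append(("premium-sms", e))          # Foncy: "STAR" to 81001
        if not out and e["number"] in PREMIUM_SHORT_CODES:
            premium_replies[e["body"]] = e
        elif out and e["body"] in premium_replies:
            findings.append(("forwarded-premium-reply", e))   # Foncy relays 81001 answers
        if out and e["number"].startswith("+") and not e["number"].startswith(HOME_COUNTRY):
            findings.append(("outgoing-foreign", e))     # Zitmo: "App installed ok" to +44
        if not out and e["body"].strip().lower() == "set admin":
            findings.append(("c2-command", e))           # Zitmo: admin command over SMS
    return findings

def premium_cost(entries, unit_cost=4.50):
    """Charge to the subscriber for outgoing premium SMS at the tariff given above."""
    n = sum(1 for e in entries if e["direction"] == "Outgoing"
            and e["number"] in PREMIUM_SHORT_CODES)
    return n * unit_cost
```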

Please stay tuned for more information.


– the Crypto Girl
