Symbian malware and Internet Access Points

by Axelle Apvrille
November 4, 2010 at 7:46 am

An Internet Access Point, IAP for short, is “a collection of settings that define how a connection to a particular network is made” [1]. For example, it stores the Access Point Name (APN) for GPRS networks, the SSID for Wi-Fi, etc. On Symbian mobile phones, IAPs are stored in a table of the Communication Database.

In the SymbOS/Yxes worm (2009/2010), we had already seen the worm search through the IAPs available on the mobile phone, select all outgoing WCDMA entries, add them to a list and silently use one of them to connect to the Internet [2].

Since the beginning of summer 2010, we have also analyzed a bunch of malware that specifically looks for China Mobile’s IAP and hence only fully works if the victim’s mobile phone is a China Mobile subscriber. This is the case for SymbOS/NMPlugin.A!tr, SymbOS/ShadowSrv.A!tr, SymbOS/Downsis.A!tr, SymbOS/Multidr.DC!tr, SymbOS/LinkHttp.A!tr …

For example, the code below, taken from SymbOS/NMPlugin.A!tr, parses all IAPs and counts those using cmwap (China Mobile WAP):

BL      GetAPNAndStuff    ; returns the APN of an IAP
SUB     R0, R11, #apn
LDR     R1, =aCmwap       ; "cmwap"
BL      _ZN7TPtrC16C1EPKt ; TPtrC16::TPtrC16(ushort const*) - wrap the literal in a descriptor
SUB     R3, R11, #apn
SUB     R0, R11, #cmwapstring
MOV     R1, R3
BL      _ZNK7TDesC168CompareFERKS_ ; TDesC16::CompareF(TDesC16 const&) - folded (case-insensitive) compare
CMP     R0, #0            ; compare the APN with "cmwap"
BNE     loc_1C358
...
loc_1C358
LDR     R3, [R11,#counter]
ADD     R3, R3, #1        ; increment counter if cmwap
STR     R3, [R11,#counter]

Going one step further, we have now seen SymbOS/CReadMe.A!tr search the communication database for an IAP named “CWAP(2)”; if none is found, the malware adds China Mobile’s access points cmwap and cmnet.

[Figure: Cmnet and cmwap access points added by the malware]

[Figure: Details of the Cmwap access point added by the malware]

Of course, this IAP can only be used if the victim’s phone is subscribed to China Mobile’s network. However, considering that end-users often have difficulty configuring their mobile phones for Internet access, this surely is a good idea for the malware to ensure its host is properly configured…

– the Crypto Girl

[1] I. Campbell, Symbian OS Communications Programming, 2nd edition, Wiley, 2007.

[2] See the Appendix of A. Apvrille, Symbian Worm Yxes: Towards Mobile Botnets?, in Proceedings of the 19th EICAR Annual Conference, pp. 31-54, Paris, France, May 8-11, 2010.

Author bio: Axelle Apvrille's initial field of expertise is cryptology, security protocols and OS. She is a senior antivirus analyst and researcher for Fortinet, where she more specifically looks into mobile malware.

Mobile Malware Sends WAP Push SMS

by Axelle Apvrille
August 3, 2010 at 11:52 pm

I had already seen mobile malware send SMS messages with a malicious URL inside (e.g. SymbOS/Yxes), or MMS messages (e.g. SymbOS/Album.A!tr, SymbOS/Beselo!worm…) with a malicious attachment. However, I had never noticed a piece of mobile malware sending a WAP Push SMS (a special kind of SMS typically used to deliver ringtones, wallpapers, OTA provisioning settings, etc.).

The recent SymbOS/NMPlugin.A!tr does all three! It sends:

- an MMS whose title is “Hello Skuller” and which contains an attachment named Sunset.jpg;

- an SMS containing a short message and a malicious URL from which to download another Symbian malware. This message is written in Chinese (it uses the UCS2 character set) and says something about some of your friends having uploaded two videos to the malicious URL;

- a WAP Push SMS message, using China Mobile’s cmwap access point, and sent to UDP port 2948. This port is typically used for WAP Push Service Indication messages (WAP 167).

WAP Push Service Indication messages are special SMS messages meant to notify the end-user that a new service is operational at a given URL. Unfortunately, the body of the message has not been identified so far, so we cannot be sure this is what the malware is actually sending. However, if this is the case, a WAP Push Service Indication would be particularly dangerous for at least two reasons:

First, WAP Push messages are usually considered high-priority SMS and hence are often automatically displayed on the mobile phone (see the ‘signal-high’ parameter in WAP 167). For an attacker, this is nice because there is a higher chance the message will be read by the victim.

Second, on some phones, a vulnerability prevents the phone from correctly displaying the originator of the message, so the victim may think the URI was sent by his/her (trusted) operator (see the figure below). For attackers, the downside is that WAP Push messages are not supported by all mobile phones.
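As an added example (not code from the original post), here is a small Python decoder for the WBXML-encoded body of a Service Indication, showing how the href and the ‘signal-high’ action are carried on the wire and how a defender could flag an auto-displayed indication whose URL is not one of the operator’s own hosts. The sample message, the host name and the allow-list are constructed; the WDP/WSP framing around the body is assumed to have been stripped already.

```python
# Added example, not from the original post: decode the WBXML body of a WAP Push
# Service Indication (WAP 167, SI 1.0, the type sent to UDP port 2948) and flag the
# "signal-high" case described above. Token values follow the SI 1.0 binary encoding.
SI_PUBLIC_ID = 0x05                           # "-//WAPFORUM//DTD SI 1.0//EN"
TAG_SI, TAG_INDICATION, STR_I, END = 0x05, 0x06, 0x03, 0x01
ACTION_TOKENS = {0x05: "signal-none", 0x06: "signal-low", 0x07: "signal-medium", 0x08: "signal-high", 0x09: "delete"}
HREF_TOKENS = {0x0B: "", 0x0C: "http://", 0x0D: "http://www.", 0x0E: "https://", 0x0F: "https://www."}
URL_VALUE_TOKENS = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}

def _read_str_i(buf, pos):                    # NUL-terminated inline string after STR_I
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8"), end + 1

def parse_si(buf):
    """Decode <si><indication href action>text</indication></si> from WBXML bytes."""
    if buf[1] != SI_PUBLIC_ID:
        raise ValueError("not an SI 1.0 WBXML document")
    pos = 4 + buf[3]                          # skip version, public id, charset, string table
    if (buf[pos] & 0x3F) != TAG_SI or (buf[pos + 1] & 0xBF) != (TAG_INDICATION | 0x80):
        raise ValueError("expected <si> followed by <indication> with attributes")
    pos += 2
    si = {"href": "", "action": "signal-medium", "text": ""}  # WAP 167 default action
    while buf[pos] != END:                    # attribute list
        tok, pos = buf[pos], pos + 1
        if tok in ACTION_TOKENS:
            si["action"] = ACTION_TOKENS[tok]
        elif tok in HREF_TOKENS:              # attribute start carrying the URL scheme prefix
            si["href"] = HREF_TOKENS[tok]
        elif tok in URL_VALUE_TOKENS:         # well-known URL fragment
            si["href"] += URL_VALUE_TOKENS[tok]
        elif tok == STR_I:                    # inline part of the URL
            part, pos = _read_str_i(buf, pos)
            si["href"] += part
        else:
            raise ValueError("unsupported attribute token 0x%02x" % tok)
    pos += 1
    if buf[pos] == STR_I:                     # element content: text shown to the user
        si["text"], pos = _read_str_i(buf, pos + 1)
    return si

def is_suspicious(si, operator_hosts=("wap.example-operator.test",)):
    """Auto-displayed (signal-high) indication whose URL host is not the operator's (constructed allow-list)."""
    host = si["href"].split("://", 1)[-1].split("/", 1)[0]
    return si["action"] == "signal-high" and host not in operator_hosts

# Constructed sample: <indication href="http://cdn.example.com/video" action="signal-high">
SAMPLE = (b"\x02\x05\x6A\x00\x45\xC6"                  # WBXML 1.2, SI 1.0, UTF-8, no string table, <si>, <indication>
          b"\x0C\x03cdn.example\x00\x85\x03video\x00"  # href = "http://" + "cdn.example" + ".com/" + "video"
          b"\x08\x01"                                  # action="signal-high"; end of attribute list
          b"\x03Your friends uploaded 2 videos\x00\x01\x01")  # displayed text, </indication>, </si>
```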


Figure 1. Example of WAP Push SI message that does not correctly display the originator. The victim may consequently think the URL comes from a trusted party (system administrator).

– the Crypto Girl.

Symbian Signed Mobile Malware: One Gang?

by Axelle Apvrille
July 29, 2010 at 3:16 pm

The analysis of SymbOS/NMPlugin.A!tr shows that, once again, a mobile malware was signed using Symbian’s Express Signed procedure. It is the fourth piece of malware we have noticed doing so since 2009 (and I have likely missed a couple). See the table below.

Malware name          | Signer’s identity (probably fake or impersonated)       | Probable signing date
----------------------+--------------------------------------------------------+------------------------------------------------
SymbOS/Yxes.*!worm    | XiaMen Jinlonghuatian Technology Co. Ltd               | October 14, 2008
                      | ShenZhen ChenGuangWuXian Tech. Co.                     | Several versions. First one: December 18, 2008
                      | XinZhongLi Kemao Co. Ltd                               | Several versions. First one: June 17, 2009
                      | TianJin YouLiAn Technology, Co. Ltd.                   | July 2, 2009
                      | Beijing GuoShengMingDao Technology Co. Ltd.            | August 23, 2009
                      | Xiamen Jindoucheng Tech Co. Ltd.                       | January 23, 2010
SymbOS/Album.A!tr     | Shenzhen ZhongXunTianCheng Technology Co. Ltd          | November 20, 2009
SymbOS/CommDN.A!tr    | Beijing Tianjia Chuangmeng Digital Technology Co., Ltd | December 28, 2009
SymbOS/NMPlugin.A!tr  | Xiamen DeFangDa Qiye Co.Ltd.                           | May 27, 2010

Table 1. Express Signed mobile malware. Symbian has been notified and all certificates are now revoked.

You may have noticed that all those certificates share similarities in their common name: it starts with the name of a major Chinese city (Shenzhen and Xiamen each appear more than once), the middle part consists of concatenated names, and it ends with something like “Technology Co. Ltd”. Coincidence? This is currently under investigation.

Four “Symbian-signed” malware samples are not many, but they prove there is a flaw. Thus, I do question the use of application signing as far as security is concerned. Does it make the life of malware authors more difficult? For script kiddies, perhaps; for others, probably not:

1/ It costs 200 euros for a PublisherID and 10 euros for each ContentID (i.e. each signature). If the malware author is part of a criminal organization, he can afford this. Otherwise, he can use a stolen credit card or a compromised PayPal account.

2/ There is only a small chance of being successfully traced back. The malware author does not need to provide his personal identity: he can use fake names, addresses and locations. A valid e-mail address is needed to retrieve the certificate, but everybody knows an e-mail address is hardly an identification… Finally, the malware author may access the Internet through several proxies to complicate IP address tracking.

3/ The malware will probably not be detected. Only a small percentage of Express Signed applications ever get audited, and when they do, the tests mainly focus on quality (e.g. it installs OK), so security concerns may go unnoticed. If, by chance, the malware is detected, Symbian will revoke the certificate, but only few phone owners enable OCSP, so plenty of other careless users will still install the malware…

I do not know exactly what Express Signed was initially meant for (quality? business?) but, no, it cannot be security.

– the Crypto Girl