Signed Malware Coming To A Phone Near You?

[Peaches]

Jul15

Signed Malware Coming To A Phone Near You?

Conventional wisdom has it that mobile platforms like PDAs and mobile phones are safer from malware attacks, one reason being the relatively closed nature of such platforms. In some platforms, such as newer versions of the Symbian OS, this is enforced in part by mandatory code signing, which requires that applications need to be signed by a third party, ensuring (in theory) that they are not malicious. (Currently, this process is carried out by Symbian Signed, now part of the Symbian Foundation).

Assuming that the third party is trustworthy, this system should be foolproof, shouldn’t it?

Not always.

In the past few days, Trend Micro has encountered a new threat for Symbian devices, deteted as SYMBOS_YXES.B. According to Marianne Mallen, Escalation Engineer in TrendLabs, it posts as the legitimate application ACSServer.exe and calling itself Sexy Space, it steals the user’s subscriber, phone, and network information, and connects to a website in order to send the said information. In addition, it can also send spammed SMS messages to the user’s contacts. (The content in the said messages is acquired from the website it connected to earlier.) In short, it appears to be a botnet for mobile phones.

All this would be worrying enough, but there’s an even bigger issue at play here. Both SYMBOS_YXES.B and an earlier variant, SYMBOS_YXES.A are signed programs. The signing process – undertaken by the Symbian Foundation itself – is supposed to ferret out instances like this, but somehow this slipped through. It may well be a coincidence, but it does not reinforce confidence in the signing system.

Whatever the case, this particular threat is already detected by the Smart Protection Network.

trendmicro - http://blog.trendmicro.com/