Symbian admits Trojan slip-up

The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.

The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said Thursday. Heath said the group is working on improving its security-auditing procedure.

"When software is submitted, we do try to filter out the bad eggs," Heath told ZDNet UK. "When apps are submitted, they are scanned. We are looking at how they could be scanned better."

Developers must submit the mobile applications they build to the Symbian Foundation for checking for the applications to be accepted by handsets with the Symbian operating system. Once the submission has been accepted, the applications are digitally signed by Symbian. Digital signatures, which are cryptographic security features, are designed to provide an amount of assurance that software for download comes from a trusted source.

The first stage of Symbian's signing process, antivirus scanning, is done automatically using an antivirus engine. Once an application has been submitted and scanned, random samples are then submitted for human audit.

In the case of the low-risk Sexy Space Trojan, which was disguised as a legitimate application called ACSServer.exe, the Trojan had not been subjected to human scrutiny, Heath said.

The Symbian Foundation became aware that Sexy Space was a Trojan two weeks ago, and the signature was revoked then, Heath said. However, an error on Symbian's servers meant the application was available for download until this week.

On the Symbian Signed Web site, the group's antivirus-scanning provider is identified as Finnish company F-Secure. Mikko Hyppönen, F-Secure's chief research officer, told ZDNet UK on Friday that the malware authors had probably tested their Trojan against the F-Secure antivirus engine to circumvent security measures.

"Virus writers scan their malware, and keep modifying it until it passes the filters," Hyppönen says. "Obviously, the signing process can be and has been circumvented."

Symbian uses graded signing processes for mobile applications, according to Hyppönen. The Sexy Space malware went through its express signing process, which is designed for freeware. "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all," Hyppönen said.

Symbian is in the process of upgrading its automated scanning processes, Heath said, adding that human auditing is also going to be improved. However, human auditing will probably not be expanded, as this introduces cost and time delays into the process, he said.

The group is looking to automate more of the work involved in publishing applications. "Today, most of the processes behind (Symbian) require manual tasks," the organization said in a blog post on the launch of its new Symbian Horizon program. "Our goal for the near future is to develop a system that will automate this work allowing us to scale the program to include as many apps as possible."

The Symbian Horizon program intends to select applications submitted by developers and then support them through their development and submission to mobile app stores. Symbian said that one of the aims of Horizon was to automate the publication of apps as far as possible.

Tom Espiner of ZDNet UK reported from London.

[wjsteele]

"It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all," Hyppönen said.

How could he possibly say it is better if it letting through known malware??? It's not any better if it is letting malicious software through just like no process would!!!

Once one malware author finds out... they all find out the "correct" process to defeat the signing process.

[rapier1]

So if something isn't perfect it should be abandoned entirely? I'm not saying that an incident like this is acceptable but it is better to have even an imperfect process in place than no process at all.

[mbenedict]

A process largely based on digital-signing & cursory scanning -- including Apple's App Store and the Android Market -- can never be fool-proof against malware.

Digital signature is only a deterrent. The intent is to make software traceable, and therefore App authors can be held accountable for any malware embedded in any App they submit.

But in reality, the "bad guys" can just submit apps using a fake identity. E.g., on the Apple App Store it's trivial for someone to create a new individual developer account using a stolen credit-card number. They can then create digital certificates and submit apps which are practically untraceable (especially free apps.)

Chances are there are already multiple malware/trojans currently being distributed through the Apple App Store, Android Market, Nokia Ovi, etc.

[faceless128]

hey at least on the iphone, you can't run background apps, so a trojan would close when you go to another app!

[mbenedict]

Not true.

In theory, an iPhone trojan could "jailbreak" the OS and install background processes. It could leverage publicly available methods to do this (such as Quickpwn and the Backgrounder app) or exploit new unpublished vulnerabilities.

I wouldn't at all be surprised if someone already has such a trojan prototyped in the lab. Surely Apple is scanning apps to look for malicious code injection / jailbreak signatures, however it would be fairly easy to obfuscate such a code.

[vaibhav92]

I am unable to understand that why the mallware author hasnet been traced. I am a symbian developer and i know how express signing works. Each application is assigned a unique identifier provided by symbian signed itself. and for express signing you need to shell out 20 bucks per signing. So it should only be a matter of fews hours that the details of the maleware author are know or the person who actually paid for the signing the maleware.

[c-n-e-t]

Everheard of stolen credit card? The hacker used a stolen credit card to pay for the 20 bucks so any trace on the credit card number will only lead you back to the innocent victim.

Or do you think the hacker would be stupid enough to use his own credit card? Don't get me wrong, I hope he was stupid enough to do that but I am not betting on it.

[roshanmani]

" The Symbian Foundation became aware that Sexy Space was a Trojan two weeks ago, and the signature was revoked then, Heath said. "

Wow.. Just How did they revoke the 'signature' again?? Or did they mean the digital certificate used to create the signature? Any idea how many other signed symbian applications has this impacted?

[monkeyfun14]

Every signature probably has a unique id.

[passionate_boy]

wow
i likes that security is likely improved ....

Dear Sir(s)
Your articles & efforts are really praiseworthy. Lots & lots of Internet users are getting benefited. These are attracting apropos undoubtedly.
Thanks for being so informative
Mandeep Singh

[chetwisniewski]

As we saw with the Blackberry spyware last week in UAE, this seems to be an increasing issue for mobile security. Corporations adopting mobile data need as much control as possible over what applications are loaded on their devices. These application stores, and their new found openness to pretty much everyone to publish applications introduces a whole new set of security challenges on the handset that nearly directly mirror the risks associated with PC's. Nokia/Symbian, Apple, Google, etc need to provide robust tools for device control and management, much as BES is to Blackberry.. However, as happened last week, that may not be enough either.

Chet Wisniewski
www.sophos.com

[craigfis]

Not a good thing when your trojan slips!