F-Secure has identified three China-based companies as the creators of the "Sexy Space" Trojan, which was found last week to have passed through Symbian Foundation's digital-signing process.
XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin cloaked the malware, also known as Yxe, and submitted it to the Symbian Foundation under its Express Signing program, security company F-Secure said Wednesday in a statement.
Developers are required to submit mobile applications to the Symbian Foundation for evaluation, before the applications are accepted and enabled for handsets running the Symbian operating system. The apps are first automatically scanned for viruses. After that, random samples are submitted for human audit. Sexy Space had not been subjected to human scrutiny, Symbian's chief security technologist Craig Heath said last week.
F-Secure's senior security response manager, Chia Wing Fei, explained that the Trojan would have allowed attackers to simply send a link via text message to a malicious Web site and prompt the mobile recipient to download the worm. Once the malware was installed, it could send similar text messages to all contacts listed on the phone.
"These messages are sent in your name and from your phone," Chia said. "It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you ($25)."
According to F-Secure, this is the first identified text message worm.
The Symbian Foundation became aware that Sexy Space was a Trojan earlier this month, and the signature was revoked. But an error on Symbian's servers meant the application was still available for download until last week.
F-Secure said that although the problem is currently not widespread, there have been a few confirmed reports in China and the Middle East so far.
All Symbian Series 60 third-edition phones by Nokia, LG and Samsung are potential targets of the malware, including popular models such as Nokia N95 and Nokia E71, said F-Secure. The Symbian platform is used in just under 50 percent of all smartphones.
Vivian Yeo of ZDNet Asia reported from Singapore.
The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.
The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said Thursday. Heath said the group is working on improving its security-auditing procedure.
"When software is submitted, we do try to filter out the bad eggs," Heath told ZDNet UK. "When apps are submitted, they are scanned. We are looking at how they could be scanned better."
Developers must submit the mobile applications they build to the Symbian Foundation for checking before handsets running the Symbian operating system will accept them. Once the submission has been accepted, the applications are digitally signed by Symbian. Digital signatures, which are cryptographic security features, are designed to provide a degree of assurance that software for download comes from a trusted source.
The first stage of Symbian's signing process, antivirus scanning, is done automatically using an antivirus engine. Once an application has been submitted and scanned, random samples are then submitted for human audit.
In the case of the low-risk Sexy Space Trojan, which was disguised as a legitimate application called ACSServer.exe, the Trojan had not been subjected to human scrutiny, Heath said.
The Symbian Foundation became aware that Sexy Space was a Trojan two weeks ago, and the signature was revoked then, Heath said. However, an error on Symbian's servers meant the application was available for download until this week.
On the Symbian Signed Web site, the group's antivirus-scanning provider is identified as Finnish company F-Secure. Mikko Hyppönen, F-Secure's chief research officer, told ZDNet UK on Friday that the malware authors had probably tested their Trojan against the F-Secure antivirus engine to circumvent security measures.
"Virus writers scan their malware, and keep modifying it until it passes the filters," Hyppönen says. "Obviously, the signing process can be and has been circumvented."
Symbian uses graded signing processes for mobile applications, according to Hyppönen. The Sexy Space malware went through its express signing process, which is designed for freeware. "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all," Hyppönen said.
Symbian is in the process of upgrading its automated scanning processes, Heath said, adding that human auditing is also going to be improved. However, human auditing will probably not be expanded, as this introduces cost and time delays into the process, he said.
The group is looking to automate more of the work involved in publishing applications. "Today, most of the processes behind (Symbian) require manual tasks," the organization said in a blog post on the launch of its new Symbian Horizon program. "Our goal for the near future is to develop a system that will automate this work allowing us to scale the program to include as many apps as possible."
The Symbian Horizon program intends to select applications submitted by developers and then support them through their development and submission to mobile app stores. Symbian said that one of the aims of Horizon was to automate the publication of apps as far as possible.
Tom Espiner of ZDNet UK reported from London.
A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.
Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.
An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address of greater than 32 characters, Nokia S60 2.6, 2.8, 3.0, and 3.1 devices are not able to receive any more SMS or MMS messages. The S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.
Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia representative told CNET News sister site ZDNet UK on Friday the company was "aware of" the vulnerability, but believed it did not pose a significant risk.
"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers' devices," said the representative. "Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability."
Products running S60 3rd edition, feature pack 2, are unaffected, said the representative, who added that the issue can be prevented by network filtering.
"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the representative.
F-Secure said on Tuesday that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. On Wednesday the security vendor said the vulnerability will "most likely be used by jealous boyfriends," but that support personnel "should know what to look for" in case of harassment of staff.
F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.
Tom Espiner of ZDNet UK reported from London.