06 March 2008
Chinese S60 users targeted by a nasty Trojan!
McAfee's security research labs have identified a new trojan for S60 phones that attempts to extort money from owners of Symbian-based smartphones in China.
Kiazha targets Symbian S60 phones and extorts money from users in a particularly nasty way: it deletes all SMS messages to cover its tracks and then offers to fix the user's phone for a small fee.
Once installed on the smartphone, besides deleting all messages, the malicious software also threatens to disable the phone unless the user sends 50 yuan (about $7) to the malware author: SymbOS/Kiazha.A displays a message telling the user to send RMB 50 to the author in order to regain use of the phone.
The message roughly translated states:
“Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [id removed] account, or your phone will be paralysed!!!”
QQ is a very popular Instant Messaging network in China and a target for many password stealing trojans and scams.
SymbOS/Kiazha.A is just one component of SymbOS/MultDropper.CR. MultiDroppers bundle a number of different pieces of malware, each with its own separate functionality. Besides Kiazha.A, SymbOS/MultDropper.CR contains SymbOS/Commwarrior.C, SymbOS/Beselo.B1 and SymbOS/SmsSend.F-G, all of which can cost the user money through SMS and MMS transmission.
On the surface SymbOS/MultDropper.CR looks like a standard collection of previously seen malware. While examining the MultDropper’s components individually, we noticed a few things:
- SymbOS/SmsSend.F sends an SMS to request a new QQ account for the user
- SymbOS/SmsSend.G forwards SMS received to the malware author
- SymbOS/Kiazha.A deletes any sent or received SMS message
Taken separately, these actions seemed to work against each other: if the SMS confirming the new QQ account were received, it would immediately be deleted by SymbOS/Kiazha.A, rendering the initial request moot.
Testing the dropper as a whole showed something more interesting: the interaction of these disparate components produces a single functional piece of malware. SymbOS/MultDropper.CR uses visibly malicious payloads (Beselo, Commwarrior) to convince the user that their phone is infected. It also sets up SMS forwarding (SmsSend.G) to collect information and potentially passwords. If the victim doesn't have a QQ account, the malware orders one for them (SmsSend.F). After all that, SymbOS/Kiazha.A deletes the SMS messages to cover its tracks and displays the offer to fix the user's phone for a small fee.
What is notable about MultiDroppers is that they are usually assembled by malware authors who aren't programmers and simply collect the work of others. With SymbOS/MultDropper.CR, it appears that the author put considerable effort and testing into combining existing malware like pieces from a toolkit. Also of note, especially for mobile phone malware, is that the author appears to have done all this work for profit rather than to increase his notoriety.