Español | English
rss facebook linkedin Twitter

ZeuS Mitmo: Man-in-the-mobile (III)

The application that the user installs in his mobile device is a simple application that will monitor all the incoming SMS and will install a backdoor to receive commands via SMS. We have analyzed the Symbian S60 application, which has the name 'Nokia update'

The application has an UK phone number hardcoded that will use as an usual C&C (to send the stolen SMS and to receive the commands), and after installation, it will perform the following steps:
  • Send a 'hello' SMS with the message 'App installed ok' to the C&C
  • Monitor all the incoming SMSs

If the incoming SMS' phone number is equal to the C&C number, there are some commands that will be accepted:
  • BLOCK ON: ignore all the commands
  • BLOCK OFF: enable the remote commands
  • SET ADMIN: change the C&C phone number (this is the only command that can be sent from a non-C&C)
  • SENDER ADD: add a contact
  • SENDER REM: delete a contact
  • SET SENDER: update contact
The technique that the malicious application uses for monitoring the incoming SMS without notifying the user is not something advanced (it is using the Symbian API), but allows the trojan to use the SMS stack for its own profit without showing any SMS in the mobile screen:
// open a SMS socket
m_socket.Open(m_socketServer, KSMSAddrFamily, KSockDatagram, KSMSDatagramProtocol)

// receive any incoming SMS (the match is empty)
TSmsAddr smsAddr;
smsAddr.SetSmsAddrFamily(ESmsAddrMatchText);
smsAddr.SetTextMatch(_L8(""));
m_socket.Bind(smsAddr);
Then we have 'hooked' the SMS stack so we are able to receive any incoming SMS and pass it through our handler (the RunL()):
// Stream that reads a CSmsMessage object across a socket.
RSmsSocketReadStream readStream(socket1);
// Allocates and creates a CSmsMessage
// ESmsDeliver-SMS-DELIVER, sent from service center to Station.
CSmsMessage message = CSmsMessage::NewL
TheFs1,CSmsPDU::ESmsDeliver,buffer);
CleanupStack::PushL(message);

//Internalises data from stream to CSmsMessage
message->InternalizeL(readStream);
readStream.Close();
//Extracting the received message to a buffer
TBuf<255> msgContents;
message->Buffer().Extract(msgContents, 0 , message->Buffer().Length());
CleanupStack::PopAndDestroy(2)
// Announce that we have read the SMS. Important!!
iReadSocket.Ioctl(KIoctlReadMessageSucceeded, iStatus, &sbuf, KSolSmsProv);
SetActive();
It is clear that this malware uses social engineering in different levels:
  • The infection method: sends a SMS with a link to a 'new security certificate'
  • The mobile application: the name is 'Nokia update', that won't be suspicious for the majority of users
  • The contacts/agenda manipulation: we can add, or change new contacts in the mobile device, making any calls or SMS more trustworthy
We are working with mobile carriers to help them to detect infected devices. Mobile carriers are the key actors in this incident, just because they are the only ones that can detect which devices are infected and block all the connections to/from the mobile C&C.

This attack also has a lot of similarities with an Internet incident, although there are some caveats:
  • We can detect the infected devices, but notifying those users and clean their devices is a hard and difficult task
  • We can block the access to/from the C&C, but another mobile C&C will come up (at least we won't see fast-flux!)
  • Credential recovery is much difficult if not impossible
  • The user can suspect that his device is infected by looking at his mobile expenses and detect strange SMS charges
Although we cannot state that it is a really advanced malicious application, it really works, and the thin line between PC and mobile malware is thinner than ever.

At the moment of this blog post, the AV detection rate is 0%.

Update (27/09/2010): our Fortinet colleagues have posted more information about the Symbian malware.

Update (28/09/2010): Vodafone has just confirmed us that the Symbian developer certificate has been revoked.

Serial Number: BF43000100230353FF79159EF3B3
       Revocation Date: Sep 28 08:26:26 2010 GMT

   Serial Number: 61F1000100235BC2794380405E52
       Revocation Date: Sep 28 08:26:26 2010 GMT
David Barroso
S21sec e-crime

1 comentarios:

Bruno VALENTIN said...

This post is really interesting and is worth being spread widely on the Internet even for non English-speaking users.
Would you allow us to translate it In French and post it on our blog with a reference to yours ?
Best regards

Bruno


(+34 902 222 521)


24 hours a day, 7 days a week



© Copyright S21sec 2013 - All rights reserved


login