Symbian Foundation signs mobile phone trojan - Update
The Symbian Foundation plans to revise its procedures for testing and signing software after digitally signing a trojan for its Symbian mobile phone operating system by mistake. According to Trend Micro, the SYMBOS_YXES.B ("Sexy Space") trojan, which hides behind the name "ACSServer.exe", has botnet functionality and steals user data. It is even reportedly able to send spam texts to contacts found on the victim's mobile phone.
Trend Micro's analysis of the malware has shown that it and one other variant possess valid signatures, allowing them complete access to all of the phone's functions. This is precisely what Symbian's certification system is intended to prevent, by granting unsigned applications only very limited access.
It's currently unclear exactly how the mistake occurred. Applications submitted to Symbian must undergo several stages of testing. These include an automatic scan with anti-virus software. Apparently, the Symbian Foundation uses anti-virus products from F-Secure.
Mikko Hyppönen, head of research at F-Secure, has told US media that the malware authors probably adapted their trojan to avoid detection by the F-Secure anti-virus software. Symbian now plans to expand its automatic process and increase the number of manual checks, currently carried out on a spot check basis.
According to the Symbian Foundation, the certificate was revoked two weeks ago. However, since Symbian devices do not continually query the revocation list, some devices may still recognise the certificate as valid.
Update: Mikko Hyppönen has now published a Q&A on the F-Secure blog, which also demonstrates how to enable certificate revocation checks on affected Symbian phones. The default setting is NOT to check for them.
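The gap described above, a signature that verifies correctly while the certificate behind it has already been revoked, is easy to see in a toy model of a code-signing verifier. The following is an added example, not code from the article, the Symbian Foundation or F-Secure: the "certificate", the HMAC-based signing scheme, the package contents and all names are constructed stand-ins for a real PKI. It compares a device that never consults a revocation list, one holding a stale copy fetched before the revocation, and one checking the current list.

```python
"""Toy model of code-signing verification with and without a revocation check.

Added example, not part of the original article. The signing scheme (HMAC over
the package bytes with a per-certificate key) and every name below are
constructed stand-ins for a real PKI; the point is the verification logic.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str
    key: bytes  # stand-in for the signer's key material (constructed)


@dataclass
class RevocationList:
    """Snapshot of revoked serials; each device keeps its own copy."""
    revoked: set = field(default_factory=set)

    def revoke(self, cert: Certificate) -> None:
        self.revoked.add(cert.serial)

    def copy(self) -> "RevocationList":
        # Models a device downloading the list at one point in time.
        return RevocationList(set(self.revoked))


def sign(cert: Certificate, package: bytes) -> bytes:
    return hmac.new(cert.key, package, hashlib.sha256).digest()


def signature_valid(cert: Certificate, package: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(cert, package), signature)


def verify_install(cert, package, signature, crl=None):
    """Return (allowed, reason).

    With crl=None only the signature is checked, which models a device that
    never queries the revocation list at all.
    """
    if not signature_valid(cert, package, signature):
        return False, "bad signature"
    if crl is not None and cert.serial in crl.revoked:
        return False, "certificate revoked"
    return True, "ok"


def demo():
    # Constructed publisher certificate and package; no real data involved.
    publisher = Certificate("0001", "Example Publisher", b"constructed-key")
    package = b"ACSServer.exe contents (constructed)"
    signature = sign(publisher, package)  # signed before anyone noticed

    authority_crl = RevocationList()
    stale_device_crl = authority_crl.copy()  # fetched before the revocation
    authority_crl.revoke(publisher)          # certificate revoked afterwards

    return {
        "no_check": verify_install(publisher, package, signature),
        "stale_crl": verify_install(publisher, package, signature, stale_device_crl),
        "fresh_crl": verify_install(publisher, package, signature, authority_crl),
    }


if __name__ == "__main__":
    for device, result in demo().items():
        print(f"{device:10s} -> {result}")
```

Only the verifier that consults the current list rejects the package; the signature itself stays valid forever, so a device that checks signatures but not revocation status, or that refreshes its list rarely, keeps accepting the revoked certificate.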
- Signed Malware Coming To A Phone Near You?, security advisory from Trend Micro.