Kiazha.A

Researchers have discovered malware which holds mobile phone data to ransom. The Kiazha.A code is currently targeting Symbian-based handsets in China. The malware removes all sent and received text messages, and threatens to permanently cripple the handset unless users pay a fee. Running on Symbian Series 60 phones, the malware attempts to extort money from users. SymbOS/Kiazha.A displays a message telling the user to send RMB 50 (approx. $7) to the malware author in order to regain use of the phone. Kiazha.A is being distributed as part of a larger malware payload known as SymbOS/MultiDropper.CR.
Other elements in the package automatically set up a QQ account for the user, and forward all text messages to the malware author. Users are charged for all messages sent by the malware.

The message roughly translated states:
“Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [id removed] account, or your phone will be paralysed!!!”
"The interesting thing about multi-droppers is that they are usually compiled by malware authors who are not programmers and simply collect the work of others," wrote McAfee Avert Labs engineer Jimmy Shah in a blog posting. "With MultiDropper.CR it appears that the author, with a lot of effort and testing, put together various malware-like pieces from a toolkit."
Shah also noted that the malware is profit-driven, a rarity in the mobile malware field, where authors mostly create attacks to gain notoriety.
QQ is a very popular Instant Messaging network in China and a target for many password stealing trojans and scams. QQ coins, an in-network currency, are also heavily used, traded and stolen outside the QQ network.
On the surface SymbOS/MultiDropper.CR looks like a standard collection of previously seen malware. While examining the MultiDropper’s components individually, we noticed a few things:
- SymbOS/SmsSend.F sends an SMS to request a new QQ account for the user
- SymbOS/SmsSend.G forwards SMS received to the malware author
- SymbOS/Kiazha.A deletes any sent or received SMS message
Separately these actions seemed in opposition to each other. If the new account SMS were received, it would be deleted by SymbOS/Kiazha.A rendering the initial action moot.
Further testing with the entire malware showed something more interesting. The interaction of these disparate malware produced a functional malware. SymbOS/MultiDropper.CR uses malicious payloads (Beselo, Commwarrior) to convince the user their phone is infected. It also sets up SMS forwarding (SmsSend.G) to collect information and potentially passwords. In case the victim doesn’t have a QQ account, the malware will order (SmsSend.F) one for them. After all that, SymbOS/Kiazha.A deletes SMS messages to cover its tracks and displays the offer to fix the user’s phone for a small fee.
The interesting thing about MultiDroppers is that usually they’re compiled by malware authors who aren’t programmers and simply collect the work of others. With MultiDropper.CR it appears that the author, with a lot of effort and testing, put together various malware-like pieces from a toolkit. Also of note, especially with mobile phone malware, is that the author may have put in all this work to make a profit rather than increase his notoriety.
Kiazha.A is the second major mobile phone attack to hit China in recent days after a malware infection targeting Windows Mobile handsets was discovered last week.
WinCE/InfoJack also attempts to steal information, but contains a component which leaves handsets open to future attacks.