Yet Another Symbian Phonebook Stealer

Just last week (8 days ago to be exact), we received an application that could mark the start of a new kind of Symbian threat. The threat was called SYMBOS_PBSTEAL.A, and discussion arose as to whether it can properly be classified as Symbian malware, since the file itself has no destructive features whatsoever.


Once installed on an affected mobile device, this Symbian application simply attempts to steal contact information from the user’s phonebook entries, saves the gathered data into a file named PHONEBOOK.TXT, and then searches for online Bluetooth devices and repeatedly attempts to send the file to the first online device it finds.


Obviously, this was the first of its kind, and now we have just uncovered a new variant that will be named SYMBOS_PBSTEAL.B. Initial observation indicates that it does pretty much the same thing.


However, as stated in the previous blog post, “We know how mobile phones have been a handy-dandy device for people where they keep their schedule, the important numbers in their lives like maybe credit card numbers or pins. So..if merely phonebook today…. what could it be tomorrow?”. Any personal and confidential data can be a target!


There are currently no AV detections (except for Kaspersky, which only identifies the file as a SIS archive):

  • FileName : FILE.SIS
  • TrendMicro : NO_VIRUS
  • Symantec : NO_VIRUS
  • Kaspersky : ARC:SIS
  • McAfee : NO_VIRUS
  • Sophos : NO_VIRUS
  • Panda : NO_VIRUS
  • Alwil : NO_VIRUS
  • CAI : NO_VIRUS
  • CAV : NO_VIRUS



Solutions are now on their way, so stay tuned for more details…



Update (Ivan, 02 December 2005 17:21:18)
A good observation was brought up by Jun Lu from Trend China last week, stating that the application “doesn’t focus on destroying the mobile phone, but leaking the important information of the user’s. Does it mean that the virus writer’s interest is changed to the commercial objective?”



Moreover, a forecast was made previously, in passing, regarding this sort of Symbian “malware”: I think we are now moving on towards what I would call Symbian-Spyware or Symbian-Grayware. This is indeed possible. Moreover, PBSTEAL.A may in the near future be incorporated with a spreading Symbian worm, including more refined code such that it would not “commercialize” phonebook entries in a random fashion, but actually _steal_ them and all other pertinent and personal info and send them directly to the malware author.


Tackling these sorts of applications may be different from how we
would normally handle Symbian malware.



Update (Ivan, 02 December 2005 19:09:25)
According to earlier observations, SYMBOS_PBSTEAL.B differs slightly from the original A variant: the A variant “steals” only phonebook entries, while the newer version also attempts to “steal” user NOTES and sends these as a compiled text file via the same Bluetooth method.
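The behaviour described for the A variant above (read the phonebook, write PHONEBOOK.TXT, scan for Bluetooth devices, push the file) and the B variant (the same, plus user NOTES) is a sequence a defender can look for on a handset or in an emulator trace. The following is an added example, not code from the original post or from Trend Micro: a small correlator that flags an application which reads a personal-data store, writes a file, and then pushes that same file over Bluetooth shortly afterwards. The event schema, the application names and the sample event stream are all constructed for this example; they are not a real Symbian log format.

```python
"""
Added example (not from the original post): behavioural correlator for the
read-phonebook -> write-file -> Bluetooth-push sequence attributed to
SYMBOS_PBSTEAL.A/.B.  Event schema and sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Personal-data stores; "contacts" and "notes" are the ones the post names,
# the others are the kinds it asks about ("TO-DO lists? CALENDAR data?").
PIM_STORES = {"contacts", "notes", "todo", "calendar"}


@dataclass
class Event:
    ts: int        # seconds since boot (constructed)
    kind: str      # "pim_read", "file_write", "bt_inquiry" or "obex_push"
    subject: str   # store name, file path, or "*" for a device scan
    app: str       # originating application (constructed names)


# Constructed event stream; "SuspectApp.SIS" is a placeholder, not a real sample.
SAMPLE_EVENTS: List[Event] = [
    Event(10, "pim_read",   "contacts",          "SuspectApp.SIS"),
    Event(11, "pim_read",   "notes",             "SuspectApp.SIS"),
    Event(12, "file_write", "C:\\PHONEBOOK.TXT", "SuspectApp.SIS"),
    Event(15, "bt_inquiry", "*",                 "SuspectApp.SIS"),
    Event(16, "obex_push",  "C:\\PHONEBOOK.TXT", "SuspectApp.SIS"),
    Event(40, "pim_read",   "contacts",          "Contacts"),  # benign: read only
    Event(50, "file_write", "C:\\photo.jpg",     "Camera"),
    Event(55, "obex_push",  "C:\\photo.jpg",     "Camera"),    # benign: no PIM read
]


def find_pbsteal_pattern(events: List[Event], window: int = 120) -> Dict[str, List[str]]:
    """Return {app: [stores read]} for every app that, within `window` seconds
    of first reading a personal-data store, wrote a file and then pushed that
    same file over Bluetooth.  Apps that only read, or that push unrelated
    files, are not reported."""
    by_app: Dict[str, List[Event]] = {}
    for ev in events:
        by_app.setdefault(ev.app, []).append(ev)

    flagged: Dict[str, List[str]] = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e.ts)
        first_read = None                 # time the app first touched a PIM store
        stores_read: List[str] = []
        written: Dict[str, int] = {}      # file path -> time written after the read
        for ev in evs:
            if ev.kind == "pim_read" and ev.subject in PIM_STORES:
                if first_read is None:
                    first_read = ev.ts
                if ev.subject not in stores_read:
                    stores_read.append(ev.subject)
            elif ev.kind == "file_write" and first_read is not None:
                written[ev.subject] = ev.ts
            elif (ev.kind == "obex_push" and first_read is not None
                  and ev.subject in written
                  and ev.ts - first_read <= window):
                flagged[app] = sorted(stores_read)
                break
    return flagged


if __name__ == "__main__":
    for app, stores in find_pbsteal_pattern(SAMPLE_EVENTS).items():
        print(f"{app}: sent {', '.join(stores)} data over Bluetooth")
```

The list of stores returned is what distinguishes an A-style sample (contacts only) from a B-style one (contacts and notes); the window keeps a contacts read in the morning from being tied to an unrelated file transfer hours later.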


This just proves the findings we had before:

“So..if merely a phonebook today…. what could it be
tomorrow?”.



Yes, what can it be next? TO-DO lists? CALENDAR data?


Users accustomed to typing or storing credit card numbers, passwords, personal identification numbers (PINs), bank account details and other personal information as user “NOTES” in the phone may be potential targets of this Symbian application.


The usual precautionary measure is for users to exercise EXTREME CAUTION when downloading and executing applications from untrusted and underground software repositories such as warez, crack and homebrew sites.


Update (Ivan, 02 December 2005 23:27:48)
SYMBOS_PBSTEAL.C


Just now, we have received another variant of SYMBOS_PBSTEAL, reportedly being spread initially as a file named PBCompressor.SIS (11,994 bytes).


Based on initial observation, this variant possibly differs in the system locations where the malicious files are dropped, saved or copied.


Currently, there are no AV detections:

  • FileName : PBCompressor.zip/PBCompressor.SIS
  • TrendMicro : NO_VIRUS
  • Symantec : NO_VIRUS
  • Kaspersky : ARC:SIS
  • McAfee : NO_VIRUS
  • Sophos : NO_VIRUS
  • Panda : NO_VIRUS
  • Alwil : NO_VIRUS
  • CAI : NO_VIRUS
  • CAV : NO_VIRUS
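Both scan listings in this post (the FILE.SIS one above and the PBCompressor.SIS one here) show the same thing: every engine returns NO_VIRUS except Kaspersky, whose ARC:SIS label only identifies the file type and is not a detection. The following is an added example, not code from the original post or from Trend Micro, that parses such a listing and separates real detections from file-type identifications. The listing is copied from the post; the line format, the classification rules and the function names are this example’s own assumptions.

```python
"""
Added example (not from the original post): parse a multi-engine scan
listing and separate malware detections from archive/type identifications
such as "ARC:SIS".  Listing copied from the post; parsing rules assumed.
"""
import re
from typing import Dict, List, Tuple

# Listing copied from the post (the PBCompressor.SIS scan).
SCAN_LISTING = """\
  • FileName : PBCompressor.zip/PBCompressor.SIS
  • TrendMicro : NO_VIRUS
  • Symantec : NO_VIRUS
  • Kaspersky : ARC:SIS
  • McAfee : NO_VIRUS
  • Sophos : NO_VIRUS
  • Panda : NO_VIRUS
  • Alwil : NO_VIRUS
  • CAI : NO_VIRUS
  • CAV : NO_VIRUS
"""

# One "<bullet> <engine> : <verdict>" line; the bullet is optional so plain
# "Engine : verdict" lines parse as well.  The verdict may itself contain
# colons (ARC:SIS), so only the first colon separates key from value.
LINE_RE = re.compile(r"^\s*(?:[•*-]\s*)?(?P<key>[^:]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_listing(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (file name, {engine: verdict}) from a scan listing."""
    filename = ""
    verdicts: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        key, value = m.group("key"), m.group("value")
        if key.lower() == "filename":
            filename = value
        else:
            verdicts[key] = value
    return filename, verdicts


def classify(verdict: str) -> str:
    """'clean' for NO_VIRUS, 'filetype' for archive/type labels (ARC:...),
    'detected' for anything else (an actual malware name)."""
    v = verdict.strip().upper()
    if v == "NO_VIRUS":
        return "clean"
    if v.startswith("ARC:"):
        return "filetype"
    return "detected"


def summarize(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Group engines by what their verdict actually means."""
    filename, verdicts = parse_listing(text)
    groups: Dict[str, List[str]] = {"detected": [], "filetype": [], "clean": []}
    for engine, verdict in verdicts.items():
        groups[classify(verdict)].append(engine)
    return filename, groups


if __name__ == "__main__":
    name, groups = summarize(SCAN_LISTING)
    print(f"{name}: {len(groups['detected'])} detections, "
          f"{len(groups['filetype'])} file-type identifications, "
          f"{len(groups['clean'])} clean verdicts")
```

Keeping the “filetype” group separate matters when such listings are used to decide whether a sample is covered: counting ARC:SIS as a detection would overstate coverage by one engine.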



We will be calling this SYMBOS_PBSTEAL.C. Hold on for more updates.