YXES, the botnet that weakens the Symbian signing process

Date: August 07, 2009

This month, extensive media coverage has revived attention to a piece of malware known since last February for attacking Symbian mobile phones.

This malware is characterised by a form of attack hitherto unknown in the mobile world. While it is not new on desktop computers, it is new in mobile telephony.

Since February, Symbian mobile phones have been the target of a botnet and its variants which differs from others in that it fooled Symbian's application signing mechanism rather than exploiting a flaw in the phone itself.

Having appeared in several forms since then, this signed malware installs itself on victims' phones without the phone raising any warning. Identified by some anti-virus vendors as "YXES", "YXE" or "Sexy Space", it uses no special technology to infect its victims' phones.


How does YXES arrive on a mobile device?

Since the malware cannot be embedded in an SMS message, the YXES authors use a hyperlink that sends the user to a website hosting it. Most modern mobile devices, if not all, open a hyperlink automatically when it is clicked, just as a browser on a PC does. All that remains is to convince the victim to click the malicious link in the SMS. The technique is always the same: enticing content to trap credulous users. YXES offers to install an application called "Sexy Space" or "Sexy View".

When the link is clicked, the malicious website automatically serves a "SIS" file, which presents itself as a signed Symbian installation package. The user receives no warning other than the prompt "Do you want to install the package? Yes or No". Because of its valid signature, YXES appears to the phone as a "reliable" application; the user merely has to accept or decline the installation.

Note: Without a valid signature, the package would have been intercepted by the phone's operating system, and the user would have been alerted by a series of warning dialogs stating that the application might be malicious.

 

What does YXES do?

Once executed, YXES hides itself in the phone's operating system as a service named "ACSServer.exe". It then collects a large amount of information about the phone and its user (service provider, network information, identifiers, IMEI number, etc.) and sends it to a website in charge of collecting the stolen data.

Once the information has been gathered, YXES tries to spread. To do so, it sends itself by SMS to every contact found on the infected phone. This spreading can have serious consequences: in some cases it exhausts the victim's SMS allowance, and every SMS sent beyond that allowance is charged extra, leading to an inflated bill for the victim.

Note: Several YXES victims reported that, in addition to expensive bills, the SMS sending drained their batteries faster than normal use.


Where does YXES come from?

The origin of YXES remains somewhat unclear to anti-virus vendors, as is usual for any malware, perhaps because malware authors rarely draw attention to themselves for fear of getting caught. In this case, however, identification was easy because the malware was signed: the certificates could be identified and traced to China. Indeed, several variants of the YXES code were released by at least three Chinese companies: "Jinlonghuatian Xiamen Technology Co. Ltd.", "ShenZhen ChenGuangWuXian Tech. Co. Ltd." and "XinZhongLi Co. Ltd Tianjin".

The authors of YXES are probably also the authors of another Symbian malware discovered in June and known as "Transmitter.C". Indeed, this malware already directed its victims to the YXES download pages. Unlike YXES, "Transmitter.C" was not signed. Its features were mainly aimed at spreading more effectively. First, it could use the language matching its victim's mother tongue, which is rather remarkable. It could also tailor the content of the SMS messages sent to the contacts found on the device to the victim's interests, in order to increase the chance that the recipient gets infected. Finally, it could launch massive SMS campaigns, at a rate of about one SMS every 15 seconds.
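The spreading behaviour described above (the same link pushed by SMS to every contact on the phone, at a cadence of about one message every 15 seconds in the case of Transmitter.C) is something an operator or a device-side agent can detect from outbound message records. The following Python script is an added example, not code from the original bulletin or from any anti-virus vendor: the log format, the phone numbers, the domain and the thresholds are constructed assumptions, and the script flags senders whose link-bearing messages reach many distinct recipients at a steady, machine-like rate while leaving normal link sharing alone.

```python
"""Heuristic detection of worm-like SMS spreading from outbound message records."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<ISO timestamp> <sender> <recipient> <body>".
# Sender +33600000002 shows the pattern described in the bulletin: one link pushed
# to many distinct contacts at a steady 15-second cadence. The other senders are
# normal users sharing a link with one or two friends, or sending plain chat.
SAMPLE_LOG = """\
2009-07-20T09:00:00 +33600000001 +33600000011 Hey, lunch today?
2009-07-20T09:01:00 +33600000002 +33600000021 Check this out: http://example.invalid/sv.sis
2009-07-20T09:01:15 +33600000002 +33600000022 Check this out: http://example.invalid/sv.sis
2009-07-20T09:01:30 +33600000002 +33600000023 Check this out: http://example.invalid/sv.sis
2009-07-20T09:01:45 +33600000002 +33600000024 Check this out: http://example.invalid/sv.sis
2009-07-20T09:02:00 +33600000002 +33600000025 Check this out: http://example.invalid/sv.sis
2009-07-20T09:02:15 +33600000002 +33600000026 Check this out: http://example.invalid/sv.sis
2009-07-20T09:05:00 +33600000003 +33600000031 Article you wanted: http://example.invalid/news
2009-07-20T14:30:00 +33600000003 +33600000032 Article you wanted: http://example.invalid/news
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Parse log lines into (timestamp, sender, recipient, body) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, sender, recipient, body = m.groups()
        records.append((datetime.fromisoformat(ts), sender, recipient, body))
    return records


def find_spreaders(records, min_recipients=5, max_mean_interval=30.0):
    """Flag senders whose link-bearing messages reach many distinct recipients at a
    machine-like cadence. The thresholds are assumptions chosen for the constructed data.
    Returns {sender: {"recipients": n, "url": first_url, "mean_interval": seconds}}.
    """
    by_sender = defaultdict(list)
    for ts, sender, recipient, body in records:
        urls = URL_RE.findall(body)
        if urls:  # only messages carrying a link are relevant to this heuristic
            by_sender[sender].append((ts, recipient, urls[0]))

    flagged = {}
    for sender, msgs in by_sender.items():
        recipients = {recipient for _, recipient, _ in msgs}
        if len(recipients) < min_recipients:
            continue  # a link shared with a few friends is normal behaviour
        msgs.sort(key=lambda m: m[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(msgs, msgs[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        if mean_gap <= max_mean_interval:
            flagged[sender] = {
                "recipients": len(recipients),
                "url": msgs[0][2],
                "mean_interval": mean_gap,
            }
    return flagged


if __name__ == "__main__":
    for sender, info in find_spreaders(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {info['recipients']} recipients, one SMS every "
              f"{info['mean_interval']:.0f}s, link {info['url']}")
```

On the constructed log only the burst sender is reported; the two-recipient sender is kept below the recipient threshold and the chat message carries no link at all. In a real deployment the thresholds would be tuned against the operator's own traffic, and the same logic applies to MMS attachments, which the bulletin notes were the earlier BESELO vector.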

Note: Symbian revoked the certificates of these offending companies. However, this has limited impact, as most vulnerable phones are configured to update revocation lists manually. Unless the user deliberately updates the revocation lists or switches the update to automatic mode, the phone remains a potential target for the malware.
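The revocation note above is the key defensive caveat: a valid signature only means something if the installer also consults a current revocation list. The following Python model is added here and is not Symbian's installer code; it shows the trust decision an installer makes (signature valid, signer trusted, signer not revoked) and how a stale revocation list lets a package signed by a since-revoked certificate through unless the installer treats the age of the list as a reason to warn. The HMAC-based signing is a toy stand-in for real public-key certificates, and all serial numbers, publisher names, keys and dates are placeholders.

```python
"""Model of an installer's trust decision with a certificate revocation list (CRL)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Signer:
    serial: str  # placeholder certificate serial, not a real Symbian value
    name: str
    key: bytes   # toy shared secret standing in for a signing key pair


@dataclass(frozen=True)
class Package:
    name: str
    payload: bytes
    signer_serial: str
    signature: bytes


@dataclass(frozen=True)
class RevocationList:
    issued: datetime
    revoked: frozenset  # serials of revoked signer certificates


def _signed_input(name, payload):
    # Bind the package name to its contents so neither can be swapped independently.
    return name.encode() + b"\x00" + payload


def sign_package(signer, name, payload):
    sig = hmac.new(signer.key, _signed_input(name, payload), hashlib.sha256).digest()
    return Package(name, payload, signer.serial, sig)


def verify_signature(pkg, trust_store):
    """True only if the signer is in the trust store and the signature matches the contents."""
    signer = trust_store.get(pkg.signer_serial)
    if signer is None:
        return False
    expected = hmac.new(signer.key, _signed_input(pkg.name, pkg.payload), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


def install_decision(pkg, trust_store, crl, now, max_crl_age=timedelta(days=7)):
    """Return ("allow" | "warn" | "block", reason). max_crl_age=None models an installer
    that never questions how old its revocation list is (the weak configuration)."""
    if not verify_signature(pkg, trust_store):
        return "warn", "package is unsigned, tampered, or signed by an unknown signer"
    if pkg.signer_serial in crl.revoked:
        return "block", f"signer {pkg.signer_serial} is on the revocation list"
    if max_crl_age is not None and now - crl.issued > max_crl_age:
        age = (now - crl.issued).days
        return "warn", f"revocation list is {age} days old; signer trust cannot be confirmed"
    return "allow", "valid signature from a trusted, unrevoked signer"


# Constructed scenario: two publishers in the trust store, one later revoked.
GOOD = Signer("serial-0001", "Example Good Publisher", b"good-key-placeholder")
FELON = Signer("serial-0002", "Example Revoked Publisher", b"felon-key-placeholder")
TRUST_STORE = {s.serial: s for s in (GOOD, FELON)}
NOW = datetime(2009, 7, 20)
STALE_CRL = RevocationList(issued=datetime(2009, 2, 1), revoked=frozenset())
FRESH_CRL = RevocationList(issued=datetime(2009, 7, 15), revoked=frozenset({FELON.serial}))


def demo():
    """Same package signed by the revoked publisher, judged under three installer states."""
    pkg = sign_package(FELON, "SignedApp.sis", b"constructed payload")
    return {
        "stale_crl_no_age_check": install_decision(pkg, TRUST_STORE, STALE_CRL, NOW, max_crl_age=None)[0],
        "stale_crl_age_checked": install_decision(pkg, TRUST_STORE, STALE_CRL, NOW)[0],
        "fresh_crl": install_decision(pkg, TRUST_STORE, FRESH_CRL, NOW)[0],
    }


if __name__ == "__main__":
    for state, verdict in demo().items():
        print(f"{state}: {verdict}")
```

The first row of the demo is the situation the note describes: the signature still verifies, the months-old list contains no revocations, and the package is installed silently. Simply refusing to treat a stale list as authoritative turns that into a warning, and a current list blocks it outright.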


Is this new malware worrying?

It is, because the circulating variants exploited a flaw in Symbian's signing process and thereby bypassed the trust mechanism of the mobile operating system. This flaw in the signing process is fraught with consequences, since devices can no longer distinguish legitimate applications from malicious ones. The Symbian signing process needs to be reviewed.

Let's look at the various signing modes for Symbian applications before discussing the one that the YXES authors tricked.


What are the Symbian application signing processes?

There are several:

  • The "Self-signed" mode is the most basic; it involves no intervention by Symbian. The application is signed with a certificate from an authority that has to be installed on the phone for the application to be accepted. This mode is the easiest and cheapest, but its use is usually limited to development.
  • The "Open Signed Online" mode allows applications still in the testing phase to be signed. The service is in "beta" and requires registration before use. The application must meet specific constraints reflecting its test-only status.
  • The "Express Signed" mode provides a fast, automated signing system for a subscription fee; each signed application is billed $20.
  • The "Certified Signed" mode is the preferred and official mode for any professional application. Developers must register and pay a registration fee of about $200. Signing an application requires a code called "Application Code Signing" (ACS) and an identifier called "Publisher ID", both issued to registered developers. Moreover, signed applications must have been certified for quality.


Which signing mode got fooled?

According to experts, the "Express Signed" mode was exploited.

The first step in this process is automatic: essentially an anti-virus scan. However, this can be insufficient against new viruses or 0-day attacks.

A second step randomly samples submissions and sends them to auditing teams for code review. Here, the probability that a malicious application escapes analysis depends on the number of applications submitted for signing. For reference, Symbian signs more than 2,000 applications per month.

According to F-Secure, most submitted applications are never reviewed by human auditors and instead undergo only a form of automated code analysis. The process therefore cannot really guarantee that an application is free of malware before it is signed.

 

Is this issue really new?

Malware targeting Symbian devices is not new. In January 2008, this operating system was already the target of the BESELO worm (see the January 2008 bulletin), which spread via Bluetooth connections or MMS (Multimedia Messaging Service) messages. The message content enticed users to open an attachment presented as a picture, an MP3 file or other multimedia content, which was actually a SIS installation file that compromised the phone. The user still had to accept its installation despite the warnings about installing an unsigned application; in effect, the user had to knowingly agree to compromise his own phone.

Nor was this the first mobile malware: the Microsoft Pocket PC operating system had already been the target of a Trojan called "Brador" in 2004 (see the August 2004 bulletin).

In March 2008, it was again Microsoft's turn, when its Windows CE mobile devices were attacked by a worm called "InfoJack", which installed malware on vulnerable phones without the user's knowledge. Besides stealing the IMEI and other information from the phone, it spread despite lacking a digital signature.

Looking at these malware families as a whole, all of them exploit users' lack of awareness or rely on a user action to install themselves. The only exception is the Windows CE case, and only because that malware exploited a vulnerability in the phone's operating system; otherwise the user would have been warned. The phone's signing mechanism guaranteed, or was intended to guarantee, protection against unapproved code.

Established practice on mobile platforms is that applications are signed. The same model is used on computer platforms, as with Microsoft Authenticode or Sun's Java application signatures.

For Symbian, this model has shown its limits. The weaknesses in the signing process exploited by YXES require Symbian to take prompt measures to protect application installation on mobile devices and to reconsider its failing process.


Conclusion

Although every mobile device based on Symbian OS Series 60 3rd Edition (several Nokia, LG and Samsung models) could be targeted by YXES, a few good practices may suffice to avoid infection. It is important:

  • to know the source of any application to be installed,
  • not to click on hyperlinks in text messages coming from untrusted sources,
  • to keep the certificate revocation lists up to date,
  • to install anti-virus solutions for mobile devices, and to keep them up to date.
