Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Incident Response, TDR, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Money-stealing mobile trojan surfaces in China

Security researchers from McAfee have identified a trojan that attempts to extort money from owners of Symbian-based smartphones in China.

After being downloaded onto the user's smartphone, the malicious software, which McAfee has dubbed Kiazha.A, deletes any SMS messages and threatens to shut the phone down unless the user sends 50 yuan (about $7) to the malware author. The trojan asks the user to pay via QQ coins, a virtual currency used in the popular Chinese QQ instant messaging network, David Marcus, the security research and communications manager at McAfee's Avert Labs, told SCMagazineUS.com on Wednesday.

Kiazha.A is part of a "malware cocktail" called MultiDropper.CR, according to McAfee. The various components create a bundle that tries to persuade the user to install the package, sets up SMS forwarding to collect information, creates a QQ account, in case the victim doesn't have one, and then deletes SMS messages to cover its tracks. It then displays an offer to fix the user's phone for a small fee.

The alert message displayed on the phone reads, "Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [ID removed] account or your phone will be paralyzed!!!"

"With MultiDropper.CR, it appears that the author, with a lot of effort and testing, put together various malware-like pieces from a toolkit," Jimmy Shah, an engineer at McAfee Avert Labs, said. "The author may have put in all this work to make a profit rather than increase his notoriety."

Users' Symbian-based phones can become infected by visiting a malicious website and downloading apparently safe software, Marcus said.

"It's pretty clever," Marcus said. "We've seen QQ abused like this in the past because it's such a popular IM network -- the most popular IM in China -- and that's saying something."

Marcus said McAfee has not heard any reports of users actually falling victim to the ruse, nor has it heard of any smartphones actually being shut down as a result. It is, however, "a really good example of a localized malware targeting a local audience," he said.

Cellphone trojans such as this one remain few and far between for a couple of reasons, Paul Roberts, a senior analyst in the enterprise security practice at The 451 Group told SCMagazineUS.com.

"There are a lot of platforms out there: Windows CE, Windows Mobile, Symbian, so hackers can't rely on the Windows monoculture, where they can write malware once, he said. “That has hampered the evolution of mobile malware writing.”

Roberts also said that hackers lack the motivation to invest time on mobile platforms because few people, especially in America, deal with private information on their cell phones.

"What's on the typical cell phone?” he said. “The phone numbers of friends and a few photos. It's not a platform that people are using for high-volume transactions, like ecommerce or storing vital intellectual property, that hackers are interested in."

The time will come, though, he admitted. "Mobile malware is the next big thing, but we're not there yet."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.