Can't trust the Chinese: mobile phone botnet

F-Secure has identified three China-based companies as the creators of the "Sexy Space" Trojan, which was identified last week to have passed through Symbian Foundation's digital-signing process.

XiaMen Jinlonghuatian Technology, ShenZhen ChenGuangWuXian Technology, and XinZhongLi TianJin cloaked the malware, also known as Yxe, and submitted it to the Symbian Foundation under its Express Signing program, security company F-Secure said Wednesday in a statement.

Developers are required to submit mobile applications to the Symbian Foundation for evaluation, before the applications are accepted and enabled for handsets running the Symbian operating system. The apps are first automatically scanned for viruses. After that, random samples are submitted for human audit. Sexy Space had not been subjected to human scrutiny, Symbian's chief security technologist Craig Heath said last week.

F-Secure's senior security response manager, Chia Wing Fei, explained that the Trojan would have allowed attackers to simply send a link via text message to a malicious Web site and prompt the mobile recipient to download the worm. Once the malware would be installed, it could send similar text messages to all contacts listed on the phone.

"These messages are sent in your name and from your phone," Chia said. "It means you will pay for each SMS sent by the worm. A typical cost for a single text message might be 5 cents. If you have 500 contacts in your phone, an infection would cost you ($25)."

A piece of mobile malware has the capacity to enable a hacker to build a botnet of phones, according to security vendor Trend Micro.

The Symbian Trojan, which Trend Micro detects as SYMBOS_YXES.B, poses as a legitimate application called ACSServer.exe and calls itself "Sexy Space". It steals the user's subscriber, phone and network information, and connects to a Web site to send that information back to a hacker. It can also target the victim's contacts with spam SMS messages, and pull the content in those messages from the malicious Web site.

"In short, it appears to be a botnet for mobile phones," wrote Jonathan Leopando of the Trend Micro technical communications team in a blog post on Wednesday.

However, the malware itself is classified as low risk, with a low distribution potential, according to a Trend Micro analysis.