
Mobile threats on the desktop

October 20th, 2011

The MMPC routinely monitors threats (via the desktop) that affect different mobile platforms such as Symbian, Java ME, Android, RIM, iOS and Windows Mobile. One of the increasingly common ways we see mobile devices being compromised is when the user downloads and installs applications independently of the official market. Because the consumer cannot tell whether such an app is malicious, protection from mobile threats on the desktop is vital.

We have observed mobile malware posing as a new application, such as a media player or an online dating application, or in some instances bundled with known applications that are actually repackaged versions of the legitimate ones. The following chart shows mobile malware detections on computers over the past eight months:

Figure 1 – Mobile threats detected on desktops by platform in 2011

Figure 2 – Table of cumulative totals of mobile threats detected on desktops in 2011


As shown in the table above, we detected more malware targeting the Symbian platform than malware targeting any other mobile platform. Two notable detections for this year are Trojan:SymbOS/Zitmo.B and Trojan:SymbOS/Spitmo.A; Zitmo refers to Zeus-in-the-Mobile and Spitmo to SpyEye-in-the-Mobile, and both are distributed by their respective Win32 malware counterparts, Zbot and EyeStye. These families have data-stealing routines that target sensitive account details. In the past, the main intent of Symbian-specific malware was to spread via Bluetooth and SMS (by distributing a URL leading to a copy of the malware), or to overwrite the mobile device’s system files, rendering the device unusable. Malware on this platform, however, appears to be evolving.

Java ME (Java Platform, Micro Edition) follows Symbian as the second most prevalent platform for the mobile threats we detect. Its prevalence might be attributed to its flexibility: Java ME applications run on a wide range of mobile devices, including those running Symbian and Windows CE. The majority of Java ME-based detections are SMS senders that profit by running up high SMS charges on infected mobile devices without the user’s knowledge (see Trojan:Java/Redbrowser.B, Trojan:Java/SMSer.T and Trojan:Java/Swapi.H for more details on prevalent Java ME-specific threats).

Android-specific malware comes in at a relatively low third place compared to the top two platforms, but its prevalence is increasing in terms of new threats found in 2011, given that we discovered the first Android-specific malware (Trojan:AndroidOS/Fakeplayer.A) only in August 2010.

Closely associated with malware targeting the Android platform is Exploit:Unix/Lotoor, an ELF binary capable of rooting, or escalating privileges on, devices running Android 2.2 and below. It is essentially a root-shell exploit that malicious applications (including the main components of DroidDream, Pjapps, BaseBridge and DroidKungFu, to name a few) use to install other components, or the actual malware payload, without having to ask for user permission. Lotoor was one of the most prevalent exploits affecting operating systems, as recently reported in version 11 of the Microsoft Security Intelligence Report. An emerging threat named Exploit:Unix/GingerMaster has the same intent but aims to elevate privileges on Android 2.3 (the Gingerbread platform); it is used by the malware Trojan:AndroidOS/GingerMaster.A.

The rate of increase in Windows Mobile-specific malware has been waning, with only three new threats detected so far this year, namely TrojanDownloader:WinCE/MobUn.A, Trojan:WinCE/MobUn.A and Trojan:WinCE/Zitmo.A. The first two work together to send SMS text messages from an affected mobile device to premium-rate numbers, resulting in unexpected and often large telecommunication charges (similar to the Java ME-specific malware behavior); Zitmo is the Windows Mobile build of the family that targets the other mobile platforms discussed above.

iOS and RIM have the lowest threat counts for this year. For iOS, there have been no reported incidents of new threats this year, and RIM had only one (Zitmo, with almost the same functionality as its Android, Symbian and WinCE counterparts).

Mobile threats reach the desktop when users venture into third-party application markets or file-sharing sites that allow downloads onto the desktop. Users often search from their desktops for unlocked or full versions of mobile applications already available in the official market, unaware that the software they are getting may have been repackaged with malware that runs stealthily, without the user ever seeing the underlying payload. The payload can include data theft, silent SMS sending in the background, and downloading and installing other malware components, among other things. This malware (or links to it) can also be spammed or sent through mail, using social engineering to entice the user to download a copy onto the desktop. It is therefore always best practice to scan downloaded applications whenever possible, even when the application is already on a mobile device.
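One desktop-side check in the spirit of the two points above (repackaged apps carrying a bundled rooting binary such as Lotoor, and scanning downloaded mobile applications before they reach the device), added here as an illustrative example that is not code from the original post or from any Microsoft product: it opens a downloaded APK, which is a ZIP archive, and flags ELF executables stored anywhere other than the lib/ directory where legitimate native code belongs. The sample archive, file names and the assumption that a dropped exploit binary sits outside lib/ are constructed for the example.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"          # first four bytes of every ELF binary
EXPECTED_NATIVE_DIRS = ("lib/",)  # where an APK legitimately keeps native code


def find_hidden_elf(apk_bytes: bytes) -> list:
    """Return the names of ZIP entries that start with the ELF magic but live
    outside lib/ (for example under assets/ or res/raw/), which is where a
    repackaged app would typically hide a bundled rooting binary."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(ELF_MAGIC))
            if head == ELF_MAGIC and not info.filename.startswith(EXPECTED_NATIVE_DIRS):
                findings.append(info.filename)
    return findings


def build_sample_apk(hide_elf: bool) -> bytes:
    """Construct a minimal APK-like ZIP in memory (constructed test data, not a
    real application). With hide_elf=True an ELF file is placed under assets/,
    mimicking a repackaged media player that carries a privilege-escalation helper."""
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9  # header bytes only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("lib/armeabi/libplayer.so", fake_elf)   # legitimate location
        if hide_elf:
            zf.writestr("assets/data.bin", fake_elf)         # suspicious location
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("repackaged", True)):
        hits = find_hidden_elf(build_sample_apk(flag))
        print(f"{label}: {'suspicious ELF in ' + ', '.join(hits) if hits else 'no hidden ELF'}")
```

A hit is a reason to quarantine the package and submit it for full analysis rather than a verdict on its own; a clean result says nothing about Dalvik-level (classes.dex) payloads such as silent SMS senders.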

MMPC strives to protect users by continuously screening mobile threats through our products, such as Microsoft Security Essentials, Forefront Client Security, and Forefront Endpoint Protection, in addition to our cloud service Windows Intune.


Marianne Mallen