Anatomy of a Symbian Malware

Yesterday, while working on unrelated material, I came across a sample of Symbian malware. Malware of this kind is quite difficult to spot, so today we will analyze this sample, which targets Symbian-based smartphones.

This malware spreads as a SIS file (the Symbian installation package format, which is essentially an archive), so first of all let's take a look at the contents of this package.

Once the malware is installed on the victim mobile, it drops the following files:

The red group contains the components that belong specifically to this malware; the yellow group clusters the additional components it requires (its runtime dependencies).

After a quick analysis, we can locate the origin of this malware: it comes from Russia, as confirmed by the strings used in the code and by several links on the web that point directly to this malware and its author.

The following Python code is the brain of this malware; for brevity, only the relevant parts are reported.

The malware logic is contained almost entirely inside an "infinite" loop:

First, the malware sends a message with a custom text to a premium-rate number (a Russian one in this case):

Second, the malware waits for any incoming messages, so that it can suppress any notification (for example the premium-service replies) before the victim sees it:

At the end of each iteration, the malware tries to clean up all of its traces on the phone before repeating the whole loop:

The code of this malware is really ugly, and I doubt the author has much Python programming skill: the same block of code is repeated four times, with minor variations, inside the infinite loop. The malware will eventually stop sending messages only once the victim's phone runs out of credit.

Sophos detects this malware as: Troj/SymbSms-A.