
Symbian malware and Internet Access Points

By Axelle Apvrille | November 04, 2010

An Internet Access Point, shortened IAP, is "a collection of settings that define how a connection to a particular network is made" [1]. For example, it stores the Access Point Name (APN) for GPRS networks, the SSID for WiFi, etc. On Symbian mobile phones, IAPs are stored in a table of the Communication Database.

In the SymbOS/Yxes worm (2009 / 2010), we had already seen the worm search through the IAPs available on the mobile phone, select all outgoing WCDMA entries, add them to a list and silently use one of them to connect to the Internet [2].

Since the beginning of summer 2010, we have also analyzed a bunch of malware that specifically looks for China Mobile's IAP, and hence only fully works if the victim's mobile phone is a China Mobile subscriber. This is the case for SymbOS/NMPlugin.A!tr, SymbOS/ShadowSrv.A!tr, SymbOS/Downsis.A!tr, SymbOS/Multidr.DC!tr, SymbOS/LinkHttp.A!tr ...

For example, in the listing below, SymbOS/NMPlugin.A!tr parses all IAPs and counts those using cmwap (China Mobile WAP). Note that the comparison uses TDesC16::CompareF(), i.e. a case-insensitive (folded) match:

BL      GetAPNAndStuff ; returns the APN of an IAP
SUB     R0, R11, #apn
LDR     R1, =aCmwap     ; "cmwap"
BL      _ZN7TPtrC16C1EPKt ; TPtrC16::TPtrC16(ushort  const*)
SUB     R3, R11, #apn
SUB     R0, R11, #cmwapstring
MOV     R1, R3
BL      _ZNK7TDesC168CompareFERKS_ ; TDesC16::CompareF(TDesC16 const&)
CMP     R0, #0 ; compare the APN with "cmwap"
BNE     loc_1C358
LDR     R3, [R11,#counter]
ADD     R3, R3, #1  ; increment counter if cmwap
STR     R3, [R11,#counter]

More sophisticated still, we have now seen SymbOS/CReadMe.A!tr search the communication database for an IAP whose name is "CWAP(2)" and, if none is found, add China Mobile's access points cmwap and cmnet itself.

[Figure: Cmnet and cmwap access points added]

[Figure: Details of the Cmwap access point added by the malware]

Of course, this IAP can only be used if the victim's phone is subscribed to China Mobile's network. However, given that end-users often have difficulty configuring their mobile phones for Internet access, this is surely a good way for the malware to make sure its host is properly configured...
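The two behaviours described above (the NMPlugin loop that counts cmwap IAPs with a folded compare, and the CReadMe lookup of a named IAP followed by the addition of cmwap/cmnet) can be turned into a simple audit over a snapshot of the IAP table. This is an added example written for this post, not code from the malware or from Symbian; the Iap record, the field names and the sample entries are constructed assumptions standing in for a real CommDb export.

```python
from dataclasses import dataclass

# Constructed stand-in for one row of the Symbian CommDb IAP table.
# Field names are assumptions, not the real CommDb column names.
@dataclass(frozen=True)
class Iap:
    name: str   # IAP name as shown in the phone's settings, e.g. "CWAP(2)"
    apn: str    # Access Point Name for GPRS/WCDMA entries, e.g. "cmwap"

CHINA_MOBILE_APNS = {"cmwap", "cmnet"}

def folded_equal(a: str, b: str) -> bool:
    """Case-insensitive match, mirroring TDesC16::CompareF() in the listing."""
    return a.casefold() == b.casefold()

def count_cmwap(iaps) -> int:
    """Same logic as the NMPlugin loop: count IAPs whose APN is 'cmwap'."""
    return sum(1 for iap in iaps if folded_equal(iap.apn, "cmwap"))

def has_iap_named(iaps, name: str) -> bool:
    """CReadMe-style lookup: is there an IAP with this exact name?"""
    return any(iap.name == name for iap in iaps)

def added_china_mobile_iaps(baseline, current):
    """Defender check: IAPs present now but absent from a known-good
    baseline snapshot, whose APN is one of China Mobile's (cmwap/cmnet).
    Returns (name, apn) pairs so an analyst can review the additions."""
    new_entries = set(current) - set(baseline)
    return sorted((i.name, i.apn) for i in new_entries
                  if i.apn.casefold() in CHINA_MOBILE_APNS)

# Constructed sample snapshots: a clean baseline and the same table after
# two China Mobile access points were added behind the user's back.
BASELINE = [Iap("Home WLAN", ""), Iap("Operator WAP", "internet")]
CURRENT = BASELINE + [Iap("CMWAP", "CMWAP"), Iap("CMNET", "cmnet")]

if __name__ == "__main__":
    print("cmwap IAPs:", count_cmwap(CURRENT))
    print("CWAP(2) present:", has_iap_named(CURRENT, "CWAP(2)"))
    print("added China Mobile IAPs:", added_china_mobile_iaps(BASELINE, CURRENT))
```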

-- the Crypto Girl

[1] I. Campbell, Symbian OS Communications Programming, 2nd edition, Ed. Wiley, 2007.

[2] See Appendix of A. Apvrille, Symbian Worm Yxes: Towards Mobile Botnets?, in Proceedings of the 19th EICAR Annual Conference, pp. 31-54, Paris, France, May 8-11, 2010.
