The analysis of SymbOS/NMPlugin.A!tr shows that, once again, a piece of mobile malware was signed through Symbian's Express Signed procedure. It is the fourth malware we have noticed doing so since 2009 (and I have probably missed a couple). See the table below.
Signer's identity (probably fake or impersonated)         | Probable signing date
----------------------------------------------------------|------------------------------------------------
XiaMen Jinlonghuatian Technology Co. Ltd                  | October 14, 2008
ShenZhen ChenGuangWuXian Tech. Co.                        | Several versions. First one: December 18, 2008
XinZhongLi Kemao Co. Ltd                                  | Several versions. First one: June 17, 2009
TianJin YouLiAn Technology, Co. Ltd.                      | July 2, 2009
Beijing GuoShengMingDao Technology Co. Ltd.               | August 23, 2009
Xiamen Jindoucheng Tech Co. Ltd.                          | January 23, 2010
Shenzhen ZhongXunTianCheng Technology Co. Ltd             | November 20, 2009
Beijing Tianjia Chuangmeng Digital Technology Co., Ltd    | December 28, 2009
Xiamen DeFangDa Qiye Co.Ltd.                              | May 27, 2010
Table 1. Express Signed mobile malware. Symbian has been notified and all certificates are now revoked.
You may have noticed that the common names of all those certificates follow the same pattern: they start with the name of a major Chinese city (Shenzhen and Xiamen are even re-used), the middle part is a string of concatenated syllables, and they end with something like "Technology Co. Ltd". Coincidence? This is currently under investigation.
Four pieces of Symbian-signed malware is not many, but it is enough to prove there is a flaw. So I do question the value of application signing as far as security is concerned. Does it make the malware author's life more difficult? For script kiddies, perhaps; for others, probably not:
1/ It costs 200 euros for a PublisherID and 10 euros for each ContentID (i.e. each signature). A malware author working for a criminal organization can easily afford this. Otherwise, he can pay with a stolen credit card or a compromised PayPal account.
2/ There is little chance of being successfully traced back. The malware author does not need to prove his real identity: he can use fake names, addresses and locations. A working e-mail address is needed to retrieve the certificate, but everybody knows an e-mail address is hardly an identification... Finally, he can go through several proxies to complicate IP address tracking.
3/ The malware will probably not be detected. Only a small percentage of Express Signed applications are ever audited, and when they are, the tests mainly focus on quality (e.g. it installs correctly), so security problems can go unnoticed. If, by chance, the malware is detected, Symbian revokes the certificate, but only a few phone owners enable OCSP, so plenty of other careless users will still install the malware...
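Point 3 is the one a phone actually enforces at install time, so it is worth seeing concretely. The Go program below is an added example and is not code from the original post or from Symbian: it builds a constructed two-certificate chain with made-up names (a root standing in for the signing authority, and a publisher leaf), signs a stand-in package, then has the root revoke the publisher. A CRL is used in place of the OCSP response a phone would fetch, and ECDSA/P-256 in place of whatever algorithm the real Express Signed certificates used; only the Go standard library is needed. The installer-side check is then run twice, once in the usual configuration (revocation checking off) and once with it on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the publisher certificate is listed on the issuer's CRL.
var ErrRevoked = errors.New("publisher certificate is revoked")

// must keeps the setup code short: any failure while building the constructed PKI is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate from tmpl, signed by parent with signer's key (self-signed if parent is nil).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyPackage is the installer-side check: the publisher must chain to the
// trusted root and the signature must cover the package. Only when
// checkRevocation is true is the publisher's serial looked up in the issuer's
// CRL, which here stands in for the OCSP response a phone fetches when OCSP is on.
func VerifyPackage(pkg, sig []byte, publisher, root *x509.Certificate, crl *x509.RevocationList, checkRevocation bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := publisher.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := publisher.CheckSignature(x509.ECDSAWithSHA256, pkg, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if !checkRevocation {
		return nil // the common phone configuration: a valid signature is enough to install
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(publisher.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

// Demo builds a constructed two-certificate PKI (made-up names), signs a
// stand-in package, revokes the publisher, and reports whether a phone would
// install the package with revocation checking off and with it on.
func Demo() (installsWithoutCheck, installsWithCheck bool) {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := must(issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Signing Root (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &rootKey.PublicKey, rootKey))
	pubKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	publisher := must(issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Xiamen Example Technology Co. Ltd (made-up name)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, &pubKey.PublicKey, rootKey))

	// The "malware": a constructed package body, signed with the publisher key.
	pkg := []byte("constructed stand-in for a .sisx package body")
	digest := sha256.Sum256(pkg)
	sig := must(ecdsa.SignASN1(rand.Reader, pubKey, digest[:]))

	// The vendor is notified and revokes the publisher certificate.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: publisher.SerialNumber, RevocationTime: now}},
	}, root, rootKey))))

	installsWithoutCheck = VerifyPackage(pkg, sig, publisher, root, crl, false) == nil
	err := VerifyPackage(pkg, sig, publisher, root, crl, true)
	if err != nil && !errors.Is(err, ErrRevoked) {
		panic(err) // a failure other than revocation would mean the chain itself is broken
	}
	return installsWithoutCheck, err == nil
}

func main() {
	without, with := Demo()
	fmt.Printf("revocation check off: installs=%v\nrevocation check on:  installs=%v\n", without, with)
}
```

The chain and the signature are cryptographically perfect in both runs; the only thing that separates "installs" from "rejected" is whether the installer bothers to ask the issuer about the publisher's status. Revocation therefore protects exactly the users who have revocation checking switched on, and nobody else.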
I do not know exactly what Express Signed was initially meant for - quality? business? - but, no, it can’t be security.
-- the Crypto Girl