Threat Research

Symbian Signed Mobile Malware: One Gang?

By Axelle Apvrille | July 29, 2010

The analysis of SymbOS/NMPlugin.A!tr shows that, once again, a mobile malware was signed using Symbian's Express Signed procedure. It is the fourth malware we have noticed doing so since 2009 (and it is likely I missed a couple). See the table below.

| Malware name | Signer's identity (probably fake or impersonated) | Probable signing date |
| --- | --- | --- |
|  | XiaMen Jinlonghuatian Technology Co. Ltd | October 14, 2008 |
|  | ShenZhen ChenGuangWuXian Tech. Co. | Several versions. First one: December 18, 2008 |
|  | XinZhongLi Kemao Co. Ltd | Several versions. First one: June 17, 2009 |
|  | TianJin YouLiAn Technology, Co. Ltd. | July 2, 2009 |
|  | Beijing GuoShengMingDao Technology Co. Ltd. | August 23, 2009 |
|  | Xiamen Jindoucheng Tech Co. Ltd. | January 23, 2010 |
|  | Shenzhen ZhongXunTianCheng Technology Co. Ltd | November 20, 2009 |
|  | Beijing Tianjia Chuangmeng Digital Technology Co., Ltd | December 28, 2009 |
|  | Xiamen DeFangDa Qiye Co.Ltd. | May 27, 2010 |

Table 1. Express Signed mobile malware. Symbian has been notified and all certificates are now revoked.

You may have noticed all those certificates share similarities in their common name: it starts with the name of a major town in China, the locations of Shenzhen and Xiamen are re-used, the middle part of the name consists of concatenated names, and it ends with something like “Technology Co. Ltd”. Coincidence? This is currently under investigation.
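One way to turn that naming pattern into a triage heuristic for certificate subject names, as an added example that is not part of the original post: the city list, the suffix regex, the length proxy and the threshold are my assumptions, the signer names are those of Table 1, and the benign names are constructed.

```python
import re

# Cities that prefix the signer names listed in Table 1 (assumption: this
# short list is enough for the heuristic; extend it as needed).
CITY_PREFIXES = {"xiamen", "shenzhen", "beijing", "tianjin"}

# "Technology Co. Ltd"-style endings, loosely matched (Tech./Qiye/Kemao, Ltd optional).
SUFFIX_RE = re.compile(
    r"\b(?:technology|tech\.?|qiye|kemao)?\s*,?\s*co\b\.?\s*,?\s*(?:ltd\b\.?)?\s*$",
    re.IGNORECASE,
)

# Signer common names copied from Table 1 of the post.
TABLE_SIGNERS = [
    "XiaMen Jinlonghuatian Technology Co. Ltd",
    "ShenZhen ChenGuangWuXian Tech. Co.",
    "XinZhongLi Kemao Co. Ltd",
    "TianJin YouLiAn Technology, Co. Ltd.",
    "Beijing GuoShengMingDao Technology Co. Ltd.",
    "Xiamen Jindoucheng Tech Co. Ltd.",
    "Shenzhen ZhongXunTianCheng Technology Co. Ltd",
    "Beijing Tianjia Chuangmeng Digital Technology Co., Ltd",
    "Xiamen DeFangDa Qiye Co.Ltd.",
]

# Constructed benign names (not from the post) to check the heuristic stays quiet.
BENIGN_SAMPLES = ["Trusted Widgets Corporation", "Acme Mobile Software Inc."]


def signer_features(common_name: str) -> dict:
    """Score the three traits the post describes: city prefix, concatenated middle, corporate suffix."""
    suffix = SUFFIX_RE.search(common_name)
    body = common_name[: suffix.start()] if suffix else common_name
    tokens = re.findall(r"[A-Za-z]+", body)
    city = bool(tokens) and tokens[0].lower() in CITY_PREFIXES
    middle = tokens[1:] if city else tokens
    # Concatenated pinyin shows up as interior capitals (GuoShengMingDao) or as one
    # long token (Jinlonghuatian); length >= 10 is a crude proxy for the latter.
    concatenated = any(re.search(r"[a-z][A-Z]", t) or len(t) >= 10 for t in middle)
    return {"city_prefix": city, "concatenated_middle": concatenated, "corp_suffix": suffix is not None}


def suspicion_score(common_name: str) -> int:
    return sum(signer_features(common_name).values())


def flag_suspicious(names, threshold: int = 2):
    """Return the names worth a closer look; threshold 2 tolerates one missing trait."""
    return [n for n in names if suspicion_score(n) >= threshold]


if __name__ == "__main__":
    for name in TABLE_SIGNERS + BENIGN_SAMPLES:
        print(suspicion_score(name), name)
```

The heuristic is only a reason to pull a certificate into manual review; a score is not evidence that the signer is fake.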

Four "Symbian-signed" malware is not much, but it proves there is a flaw. Thus, I do question the use of application signing as far as security is concerned. Does it make the life of malware authors more difficult? For script kiddies, perhaps; for others, probably not:

1/ It costs 200 euros for a PublisherID and 10 euros for each ContentID (i.e. each signature). If the malware author is part of a criminal organization, he can afford this. Otherwise, he can use a stolen credit card or a compromised PayPal account.

2/ There is only a small chance of being successfully traced back. The malware author does not need to provide his personal identity: he can use fake names, addresses and locations. A valid e-mail address is needed to retrieve the certificate, but everybody knows e-mail addresses are hardly an identification... Finally, the malware author may access the Internet through several proxies to complicate IP address tracking.

3/ The malware will probably not be detected. Only a small percentage of Express Signed applications ever get audited, and if they do, the tests mainly focus on quality (e.g. it installs correctly), so security concerns may go unnoticed. If, by chance, the malware is detected, Symbian will revoke the certificate, but only a few phone owners enable OCSP, so plenty of other careless users will still install the malware...

I do not know exactly what Express Signed was initially meant for - quality? business? - but, no, it can’t be security.

-- the Crypto Girl