Threat Research

SymbOS/Album: One Step Closer To Mobile Botnets

By Axelle Apvrille | July 15, 2010

The more I analyze the SymbOS/Album malware, the more it scares me.

The main malicious executable, Album.exe, is actually capable of processing incoming commands included in SMS messages sent by the value-added service provider number 106650xxx. Typical commands are: download and install software, get phone information or update software. Now, that starts to look like a botnet, even though it isn't (yet?) a very scalable way to communicate with bots because the bot master must send an SMS to each bot it manages.

More in details, the Album executable creates a global message queue (RMsgQueueBase::CreateGlobal), named 'my_pf_queue_1'. It is notified as soon as a message arrives in the queue (RMsgQueueBase::NotifyDataAvailable), retrieves the message (RMsgQueueBase::Receive) and processes its command.

Album-ReceiveMsg Figure 1. Disassembly of the function reading a message from the message queue.

The command parser looks for command strings such as [!@#] or [%@#] in the service provider's SMS and triggers the corresponding command. 4 different commands have been identified:

  • DoCmdSPOrder: sends a given number of SMS and logs the command in a file (c:\private\2002A22C\init_sp_order.txt)

  • DoCmdDlAndInstall: downloads a given software package and installs it. We will discuss that one further.

  • DoCmdGetPhoneInfo: gets phone's model, IMEI and IMSI, and subsequently send 2 SMS.

  • StartUpdatePolicy: modifies the update time and interval with the service provider. Information is logged in c:\private\2002A22C\frame_update_date.txt and c:\private\2002A22C\frame_update_interval.txt respectively.

Album-Commands-highlight Figure 2. Disassembly of the Base Command Parser DLL. Shows different types of commands.

In the case of the download and install command, the Base Command Parser DLL calls a function of the Frame HTTP DLL (FrameHttpEngine.dll). This module implements a web client with a download manager. The URI is added to a queue of URI to download, and the HTTP engine periodically checks this queue and downloads the requested URIs. The downloaded URI is dumped on the mobile phone in a file named c:\data\1.sisx. Then, as in SymbOS/Yxes, SymbOS/Album uses the SW Installer Launcher API to silently install the package on the mobile phone (RSWInstSilentLauncher::SilentInstall). The end-user sees no popup at all and cannot accept/decline this installation.

Album-SilentInstall Figure 3. Once the URI is successfully downloaded, call the function that installs the package


Finally, for those with doubts, it is true a value-added service provider (VASP) might be expected to implement some kind of communication protocol between their server and the end-user's mobile phone. But a legitimate VASP would make its activity and induced costs (SMS sending, WAP connections) explicit, and only install with user's full consent. On the contrary, a Trojan would certainly use unexplicit names such as "Phone Framework" or "MMS Album" and care to hide its SMS and the installation of downloaded software.

-- the Crypto Girl

Join the Discussion