Yet another Trojan based on Spitmo source code surfaces

Even though nearly all new mobile malware in Q3 was aimed at Android phones, users with mobile devices running other mobile platforms are far from safe.

F-Secure researchers have lately noticed quite a few new Trojans targeting Symbian users, and the interesting thing about them is that they have all be modeled in part on the mobile SpyEye version for that particular platform.

First came OpFake – an SMS Trojan posing as an update for the Opera Mini browser – which also had its Windows Mobile counterpart.

Less than a month later, they have spotted another SMS Trojan which they named ConBot. Based on the Spitmo source code, it can perform a variety of stealthy actions and has also bot characteristics.

This one doesn’t masquerade as an Opera Mini update. “Once the installation is finished it does not notify the user of its existence in any way,” say the researchers, and speculate that it is likely promoted as a “security certificate update”.

Among its capabilities are:

• Collecting mobile phone numbers stored on the phone and sending them – along with the phone’s IMEI, time, date, and operating system version – to a remote server located on a Russian domain
• Receiving a configuration file from the aforementioned domain instructing it on where to send text messages
• Monitoring incoming text messages and those that are moved from the Outbox to the Sent folder. If an incoming message looks like it may alert the user to ConBot’s presence, the Trojan waylays and deletes it.
• As a final touch, the malware makers have decided that they have had enough of living in fear of their C&C servers getting shut down and their mobile botnet crippled. So, they made it possible for the C&C server URL to get updated via SMS.