We’ve received a sample of a new mobile malware in the MultiDropper family, variant CG. MultiDroppers are like a collection of top 10 hit songs, a ‘hits CD’. They also require about as much creativity. Take a successful hit like SymbOS/Cabir or SymbOS/Commwarrior, mix in a SymbOS/Appdisabler or SymbOS/Skulls.

The trouble with hits CDs is that you probably already own all the albums containing the hits. Maybe you get a bonus song now and then. In the same manner we already detect most of the malware in most mobile MultiDroppers. Every so often we do get the bonus unseen or rare single (malware).

MultiDropper.CG is the first in the series to include spyware, SymbOS/Mobispy.A.

SymbOS/Mobispy.A is based on an early version of commercial call and SMS recording software. SymbOS/Mobispy.A installs on a phone and records incoming and outgoing SMS messages. It also tracks the phone numbers of all dialed and received calls. The purchaser of the software gets an account on a central server. SymbOS/Mobispy. A sends all the data it’s captured to that account.

Considering that data-stealing and other for-profit malware have made their entrance on mobile phones, it is worrisome to see spyware make its debut. Around eight months ago a commercial remote phone monitoring application was released. There was much speculation on how much time it would take for malware authors to integrate it into their own malware. We have seen malware authors create custom prototype code to implement new attacks but it is interesting to see them purchase commercial spyware to do their job for them.

It would appear that the SymbOS/MultiDropper.CG author has made a wise choice in using commercial products, avoiding the hassle and expense of creating a new hit single by using an existing one. There are two things though that complicate the picture:

  • The software is licensed for only one phone ID(IMEI). As soon as the monitoring account on the central server receives logs from an unregistered IMEI it’s expected to be shut down.
  • It is unlikely that the author of SymbOS/MultiDropper.CG is the original purchaser of this copy of the software. Only the original purchaser would have access to the results of SymbOS/Mobispy.A’s spying.

Although SymbOS/MultiDropper.CG does not appear likely to be a winner, it does signify a probable switch in malware authors’ goals. Rather than destroying your data and information, they’re stealing it for profit.