As reported previously by Infosecurity, Spitmo was discovered in mid-September by Trusteer and was notable for being a linked version of the SpyEye malware, but for the Android platform.
This latest recode – Conbot – is also notable, says F-Secure, as it is a code port from the Android platform to the Symbian smartphone environment.
This time around, however, Conbot does not pretend to be an Opera portable browser update, but is interesting as it has bot-like characteristics.
Interestingly, Infosecurity notes, Conbot is reported to be using the same source code as Spitmo and uses a program called SystemService which, in turn, contains an embedded doe package called AppBoot.
F-Secure says that Symbian smartphones infected by Conbot generate text messages to premium rate numbers silently and in the background .
Unlike an earlier rework of Spitmo – OpFake – Conbot does not add an icon to the applications menu and once the installation is finished it does not notify the user of its existence in any way, says F-Secure.
“The first time SystemService.exe is run it collects mobile phone numbers from the contacts stored on the phone and saves them temporarily to c:\Private\EE1DCDAA\contacts.xml. The trojan the contacts [removed].ru/connect.php and sends the contacts.xml and IMEI of the phone to the remote server”, says F-Secure’s weekend posting on the code”, says the security firm’s report on the malware.
Periodic connections are then made to the same server with the IMEI, time, date, and operating system version. The remote server then generates an XML-file that contains instructions on where to send text messages.
This allows the malware to be customised for the country network that the infected smartphone is located in, Infosecurity notes.
To stop the user being alerted by network reports on text messages, the Conbot malware auto-deletes certain types of incoming messages.
The malware can even receive instructions to route its requests that are linked to a third-party command-and-control server
Commenting on the arrival of Conbot, the Softpedia newswire quotes F-Secure’s researchers as saying that the quiet nature of the malware suggests it may be being promoted as a `security certificate update.’