The Latest in IT Security

OpFake: Premium Rate SMS Trojan That Shares Code w/ Spitmo

26
Oct
2011

One of the more interesting cases we’ve analyzed this year is Spitmo, short for SpyEye in the mobile.

When some versions of SpyEye, an infamous banking trojan, encounter mTANs, a mobile-based defense against computer-based man-in-the-browser attacks, a counteroffensive is offered: Spitmo, a mobile trojan that circumvents the authentication process.

It’s a rather interesting crossover attack which uses clever techniques and code.

So naturally, when a couple of our analysts recently fired up some new Symbian automation they’ve developed, one of the first things they did was to feed it Spitmo. And the results were quite surprising!

Our new system discovered 54 samples that share code with Spitmo — but that aren’t Spitmo. These “cousins” of Spitmo are premium rate SMS trojans that target Russian mobile phone users (using Russian SMS short codes). We’ve named these trojans OpFake because the installer claims to be Opera Mini (OperaUpdater.sisx).

But that’s just a part of our story.

Our analysis of the OpFake Symbian binaries uncovered an IP address, and a search for that IP address found a server online from which Windows Mobile versions of OpFake can also be accessed via a publicly available folder containing over 5,000 sub-folders. Each sub-folder contains a unique and encrypted configuration file. We suspect these folders are visible due to a configuration error as the Symbian folders are inaccessible.

OpFake: use of Spitmo components, Symbian, Windows Mobile, (perhaps other OS?), premium rate SMS messages… somebody is running quite a developed operation from their server in Saint Petersburg.

The server’s IP address has been reported to CERT-FI.

Technical analysis of the OpFake binaries and details of the server’s folder structure will be posted tomorrow.

Leave a reply


Categories

TUESDAY, OCTOBER 08, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments