NEWS FROM THE LAB - Friday, September 30, 2005

A new Symbian trojan that locks the phone's MMC card Posted by Jarno @ 13:27 GMT

SymbOS/Cardblock.A is a Symbian trojan and the first known trojan to attack the phone's MMC card. SymbOS/Cardtrap.A used the phone's MMC card to try to infect the user's PC with Win32 malware, but Cardblock.A is the first one that attacks the MMC card itself.

SymbOS/Cardblock.A is a trojanized version of InstantSis, a Symbian application created by Biscompute.

When installed, Cardblock.A appears to be a cracked version of InstantSis, offering the user the ability to repack already installed SIS files and copy them to another device.

However, when the user tries to use Cardblock.A to copy an application, a payload triggers that blocks the phone's MMC memory card and deletes critical system and mail directories.

The memory card is blocked by setting a random password on it. Once the phone has been rebooted, the card is no longer accessible, on that phone or on any other device, without entering the password. Because the password is a random code that is never shown to the user, the card and its contents are unusable until the card is unlocked.
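To make clear why a random card password is so destructive, here is an added simulation (not code from the post, and not Cardblock.A's own code) of the password lock that MMC and SD cards implement with the LOCK_UNLOCK command (CMD42). The data-block layout (mode byte, password length byte, password of up to 16 bytes) and the mode bits follow the MMC/SD specifications; the card model, the file names and the lock/erase behaviour are simplified assumptions made for this example. The simulation sets a random password the way the post describes, discards it, and then shows what a user is left with: a card that powers up locked, rejects guessed passwords, and can only be made usable again by a forced erase that wipes its contents.

```python
import secrets

# CMD42 (LOCK_UNLOCK) mode bits from the MMC/SD specifications.
SET_PWD = 0x01      # set a new password (data = [old password +] new password)
CLR_PWD = 0x02      # clear the password (data = current password)
LOCK_UNLOCK = 0x04  # 1 = lock the card, 0 = unlock it (data = current password)
ERASE = 0x08        # forced erase: clears password and lock but wipes all user data
MAX_PWD_LEN = 16    # maximum password length allowed by the specifications


def build_lock_unlock_block(mode: int, password: bytes = b"") -> bytes:
    """Encode a CMD42 data block: byte 0 = mode bits, byte 1 = PWD_LEN, then PWD."""
    if len(password) > MAX_PWD_LEN:
        raise ValueError("password must be at most 16 bytes")
    return bytes([mode & 0x0F, len(password)]) + password


def parse_lock_unlock_block(block: bytes) -> tuple[int, bytes]:
    """Decode a CMD42 data block into (mode bits, password bytes)."""
    mode, pwd_len = block[0], block[1]
    if pwd_len > MAX_PWD_LEN or len(block) < 2 + pwd_len:
        raise ValueError("malformed LOCK_UNLOCK block")
    return mode, block[2:2 + pwd_len]


class SimulatedCard:
    """Simplified model of a card's password/lock state (constructed for this example)."""

    def __init__(self, files: dict[str, bytes]):
        self.files = dict(files)
        self.password = b""
        self.locked = False

    def power_cycle(self) -> None:
        # A card with a password set comes up locked after power-on or reset.
        self.locked = bool(self.password)

    def read(self, name: str) -> bytes:
        if self.locked:
            raise PermissionError("card is locked")
        return self.files[name]

    def lock_unlock(self, block: bytes) -> bool:
        """Apply a CMD42 block; True on success, False where a card would flag LOCK_UNLOCK_FAILED."""
        mode, pwd = parse_lock_unlock_block(block)
        if mode & ERASE:
            # Forced erase is the only way past a lost password, and it destroys the data.
            self.files.clear()
            self.password = b""
            self.locked = False
            return True
        if mode & SET_PWD:
            # With a password already set, the data is the old password followed by the new one.
            if self.password and not pwd.startswith(self.password):
                return False
            new_pwd = pwd[len(self.password):]
            if not new_pwd:
                return False
            self.password = new_pwd
            if mode & LOCK_UNLOCK:
                self.locked = True
            return True
        if pwd != self.password:
            return False
        if mode & CLR_PWD:
            self.password = b""
            self.locked = False
        else:
            self.locked = bool(mode & LOCK_UNLOCK)
        return True


def random_password_lock(card: SimulatedCard) -> None:
    """Model of the behaviour the post describes: set a random password and never reveal it."""
    random_pwd = secrets.token_bytes(MAX_PWD_LEN)
    card.lock_unlock(build_lock_unlock_block(SET_PWD | LOCK_UNLOCK, random_pwd))
    # random_pwd goes out of scope here; nobody, including the user, ever sees it.


def demonstrate() -> dict:
    """Run the scenario end to end and report what the user would observe."""
    card = SimulatedCard({"E:/System/Apps/Game/Game.app": b"constructed sample data"})
    random_password_lock(card)
    card.power_cycle()  # the phone reboot after which the post says the card is gone
    try:
        card.read("E:/System/Apps/Game/Game.app")
        readable = True
    except PermissionError:
        readable = False
    guess_ok = card.lock_unlock(build_lock_unlock_block(0, b"0000"))  # unlock with a guess
    card.lock_unlock(build_lock_unlock_block(ERASE))                   # last resort
    return {
        "locked_after_reboot": card.locked is False and readable,  # placeholder, replaced below
    } | {
        "locked_after_reboot": not readable,
        "unlock_guess_ok": guess_ok,
        "files_after_force_erase": len(card.files),
        "unlocked_after_force_erase": not card.locked,
    }


if __name__ == "__main__":
    print(demonstrate())
```

The point the simulation makes is that the lock itself is a legitimate card feature; what turns it into a destructive payload is that the password is random and thrown away. A card vendor's forced erase (the ERASE mode bit) gets the hardware back, but everything stored on the card is gone with the password.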

Deleting the system directories destroys information about installed applications, the user's MMS and SMS messages, phone numbers stored on the phone and other critical system data. The user therefore loses access to the applications installed on the phone, along with phone numbers and other important data.

Some phones, such as the Nokia 6670 and Nokia 6600, survive the deletion of the system directories quite easily: after a reboot the phone is usable again. The user data and the MMC card are still lost, however.

Unfortunately, phones running newer versions of Symbian OS, such as the Nokia 6630, are hit harder. These phones fail to reboot and display a message asking for the phone to be taken in for maintenance. The phone can, however, be recovered with the special hard-format key combination.

The picture in this blog entry is from one such phone. The message is in Finnish and translates into English as "Connection to phone failed, please contact the supplier of the phone". The interesting bit is that we had the phone set to English when infecting it, but Cardblock.A damages the OS so badly that after the reboot it doesn't even remember which language it should use.

A database update for F-Secure Mobile Anti-Virus has been published, and it is capable of detecting and removing Cardblock.A. We are still working on how to get locked MMC cards functional again.

Needless to say, Cardblock.A is not a threat to people who don't use pirated software, as it pretends to be a pirated copy of a commercial application.