NEWS FROM THE LAB - Monday, March 22, 2010

Merogo SMS worm
Posted by Mikko @ 15:21 GMT


We're investigating a series of SMS worms found in the wild in China. Known as Trojan:SymbOS/MerogoSMS, these worms try to spread on Symbian Series 60 3rd Edition devices. Symbian continues to be by far the most common smartphone operating system in the world.

These worms spread by sending text messages to other phones. The messages contain varying text (in Chinese) and a link to a website. If the link is followed, the user is prompted to install an application, which infects the phone and restarts the SMS spreading.

In addition to spreading, these worms seem to have the capability of sending messages to expensive premium-rate numbers.

As unsigned software cannot be directly installed on Symbian Series 60 3rd Edition devices by default, the SISX installation packages of this worm have indeed gone through the Symbian Signed process. Apparently they were submitted through the Express Signing mechanism. The signed installation files contain further, unsigned SISX files which the host installer will deploy. Such a mechanism makes it hard for certification systems to get a full view of what the program actually does.

Symbian Foundation has already revoked the publisher ID that was used for these packages.

We have no reports of this malware from outside China.