NEWS FROM THE LAB - Wednesday, February 18, 2009

"Sexy View" Trojan on Symbian S60 3rd Edition

Posted by Response @ 18:14 GMT

We've an interesting mobile case to report…

One of today's samples is a trojan compiled for S60 3rd Edition phones. It's detected as Worm:SymbOS/Yxe.A (originally Trojan:SymbOS/Yxe.A).

This is something we don't see very often. There are spy tools and other privacy threats directed at S60 3rd Edition phones, but malware is still mainly an issue on S60 2nd Edition phones.

S60 3rd Edition uses a different binary structure than 2nd Edition, and all 3rd Edition applications must be signed. What's special about Yxe is that all evidence suggests it uses a valid Symbian Certificate.

The trojan was signed with this certificate, and as a signed application it gains privileged access.

The source of this trojan is China.

Here you can see the language options, EN and ZH:

[Image: Trojan:SymbOS/Yxe package info]

Did you also notice the "Sexy View" and "Play Boy"? That should give you a good idea of the social engineering that's being utilized.

Our mobile analysts are still working the case. We'll have more for you as it develops.

Updated to add: A description is now available.

Updated to add: Our detection name was changed from Trojan to Worm on February 25th.