Friday, July 24, 2009

Signed mobile malware prompts Symbian security review

Posted on 19:06 by SlipKoRnSaad



The recent distribution of digitally signed mobile malware raises troubling questions about Symbian's automated approval procedure.

Symbian has promised to tighten up its testing procedures following the distribution of the Sexy Space mobile worm, described by security firms as the first text message worm in history.

The malware posed as a legitimate application but was actually programmed to steal subscriber, phone, and network information from victims. This information was forwarded on to a site under the control of hackers...

The website automatically pushes an SIS installation package onto users' Symbian phones. "You get one prompt: Install Sexy Space? Yes or No," as you can see in this video:



As you can see, because the installation package has been signed by Symbian, no further warning appears. The malware was submitted through Symbian's Express Signing procedure - where the majority of applications are not inspected by humans!

In response to the incident, Symbian promised to review its security procedures.

"As soon as we were notified of that (the following day) we revoked both the content certificate and the publisher certificate used to sign the malware," a posting on Symbian's security blog explains. "That means that the Symbian software installer will not now install the malware, providing that revocation checking is turned on."

"We do have security measures which try to catch submitted malware before it gets signed, and we are currently investigating how those can be improved in the light of this latest incident," it said.

You can read an FAQ by F-Secure about this here

Source: The Register
