SymbOS/Album.A!tr - Released Jun 29, 2010 - Last Updated Jul 07, 2010

Alias/es

Album.A (NetQin)

Detection Availability

              Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A

Visible Symptoms

Abnormally high bill

Detailed Analysis

SymbOS/Album.A!tr is a malware affecting mobile phones running Symbian OS 9 or greater.
This malware silently:
  • sends several SMS messages (at the victim's expense)
  • installs new packages
  • connects to WAP websites.

This malware targets users located in China, who may experience heavy bills due to intensive SMS/Internet traffic.
The malware does not fully work elsewhere in the world, so end-users located in other countries should only suffer small expenses (due to the initialization SMS and Internet traffic, which occur in any case).



Technical Details


This malware poses as an MMS Album management application. Its package, usually named PF_V100_Express_Signed.sis, actually contains 2 other sub-packages: an extended command parser package (ExtendCmdParser) and the alleged MMS Album package.
The malware installs the following files on the mobile phone:
  • C:\sys\bin\datagramservice.dll
  • C:\sys\bin\smsdatagramservice.dll
  • C:\resource\plugins\SMSDatagramService.RSC
  • C:\sys\bin\FrameHttpEngine.dll: a small web client, with downloading management capabilities
  • C:\sys\bin\VfSystemInfo.dll: a DLL to collect phone information such as the phone model, IMEI and IMSI
  • C:\sys\bin\BaseCmdParser.dll: a command parser
  • c:\sys\bin\ExtendCmdParser.dll: an extension to the command parser
  • c:\private\101f875a\import\[2002A22C].rsc: a resource to automatically start the Album executable
  • c:\private\2002A22C\1.txt: placeholder text file whose only purpose is to ensure the private path is created
  • C:\sys\bin\Album.exe: main executable
  • C:\sys\bin\StartUpWapServer_0x2002A22F.exe: other malicious executable
  • C:\resource\apps\StartUpWapServer_0x2002A22F.rsc: resource ensuring the StartUpWapServer_0x2002A22F.exe is restarted at reboot
  • C:\private\10003a3f\import\apps\StartUpWapServer_0x2002A22F_reg.rsc
  • C:\resource\apps\StartUpWapServer_0x2002A22F.mif

The malware silently sends SMS to the following numbers:
  • 13410252xxx: SMS text contains the victim's IMSI and the malware's version
  • 10665xxx: SMS text is "1*1#"
Those numbers are only valid in China. Note they do not include China's international prefix, so outside China, those SMS messages are not delivered to the appropriate recipient.
The malware ensures those SMS messages are silently sent, i.e. no popup asks for the end-user's approval and they are not written to the phone's "Sent" message box.
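As an added example, not code from Fortinet's page, the following Python triage script checks a device file listing and an outgoing-SMS record set against the indicators given above: the installed file paths and the two SMS destination prefixes. The file listing and the SMS records are constructed sample data; because the "xxx" digits of the destination numbers are not given in the description, the check matches on the known leading digits only.

```python
import re

# File paths named in the description. Symbian paths are case-insensitive,
# so comparison is done on a normalized (lower-cased, backslash) form.
ALBUM_A_FILES = [
    r"C:\sys\bin\datagramservice.dll",
    r"C:\sys\bin\smsdatagramservice.dll",
    r"C:\resource\plugins\SMSDatagramService.RSC",
    r"C:\sys\bin\FrameHttpEngine.dll",
    r"C:\sys\bin\VfSystemInfo.dll",
    r"C:\sys\bin\BaseCmdParser.dll",
    r"c:\sys\bin\ExtendCmdParser.dll",
    r"c:\private\101f875a\import\[2002A22C].rsc",
    r"c:\private\2002A22C\1.txt",
    r"C:\sys\bin\Album.exe",
    r"C:\sys\bin\StartUpWapServer_0x2002A22F.exe",
    r"C:\resource\apps\StartUpWapServer_0x2002A22F.rsc",
    r"C:\private\10003a3f\import\apps\StartUpWapServer_0x2002A22F_reg.rsc",
    r"C:\resource\apps\StartUpWapServer_0x2002A22F.mif",
]

# Leading digits of the two SMS destinations quoted in the description
# (13410252xxx and 10665xxx). The trailing digits are not published, so only
# the prefix is matched. The description states the numbers carry no
# international prefix, so no country-code stripping is attempted.
SMS_NUMBER_PREFIXES = ("13410252", "10665")

# Text the description reports for the 10665xxx destination.
KNOWN_SMS_TEXT = "1*1#"


def normalize_path(path):
    """Lower-case a Symbian path and unify separators for comparison."""
    return path.replace("/", "\\").lower()


def match_files(listing):
    """Return the entries of a device file listing that match the indicator paths."""
    wanted = {normalize_path(p) for p in ALBUM_A_FILES}
    return sorted(p for p in listing if normalize_path(p) in wanted)


def match_sms(records):
    """records: iterable of (destination, text) pairs from an outgoing-SMS log.

    Returns a list of (destination, reason) for records whose destination
    starts with one of the known prefixes; the reason notes whether the
    message body also matches the text quoted in the description.
    """
    hits = []
    for dest, text in records:
        digits = re.sub(r"\D", "", dest)
        for prefix in SMS_NUMBER_PREFIXES:
            if digits.startswith(prefix):
                reason = "destination prefix %s" % prefix
                if text.strip() == KNOWN_SMS_TEXT:
                    reason += ", body matches '%s'" % KNOWN_SMS_TEXT
                hits.append((dest, reason))
                break
    return hits


def assess(listing, records):
    """Combine both checks into one triage verdict."""
    files = match_files(listing)
    sms = match_sms(records)
    return {
        "files": files,
        "sms": sms,
        "suspicious": bool(files) or bool(sms),
    }


# Constructed sample data for a stand-alone run (not from a real device).
SAMPLE_LISTING = [
    r"C:\sys\bin\Album.exe",
    r"c:\sys\bin\framehttpengine.dll",
    r"C:\resource\apps\Calculator.rsc",
    r"C:\private\2002A22C\1.txt",
]
SAMPLE_SMS = [
    ("13410252999", "460001234567890 v1.0"),  # constructed: IMSI-like body
    ("10665999", "1*1#"),                     # constructed: body as described
    ("13800138000", "hello"),                 # constructed: unrelated message
]

if __name__ == "__main__":
    result = assess(SAMPLE_LISTING, SAMPLE_SMS)
    for path in result["files"]:
        print("indicator file present:", path)
    for dest, reason in result["sms"]:
        print("suspicious SMS to %s (%s)" % (dest, reason))
    print("suspicious:", result["suspicious"])
```

A real file listing would come from a forensic image of the C: drive; the script only needs the path strings, and the SMS check only needs destination and body, so it can be fed from whatever export format the handset or carrier provides.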

The malware also visits a Chinese WAP website, from where end-users may download several ringtones, videos or games (see figure below).

Figure 1. Typical WAP site the malware visits.

The malware can recognize commands embedded in SMS messages received from the malicious service provider and act on them: typically it collects phone information, or downloads and installs software or updates. The installation of new software is done silently, without the user's approval.


This malware was signed through the Symbian Express Signed program. The malware's certificate has since been revoked. Enable OCSP checking on your mobile phones so that revoked certificates are detected at installation time.

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1918355