Back in February this year we detected RedBrowser, the first Trojan for J2ME. RedBrowser is able to run on the vast majority of today’s handsets, i.e. those which support Java. The Trojan sends multiple SMSs to pay numbers without the user’s knowledge or consent. Naturally, this rapidly reduces the user’s account balance.
Today a user told us about a particular program which has been placed on a popular Russian mobile phone site. This program is allegedly designed to ‘steal money from mobile operators’. Our helpful user not only provided us with information, but also sent us a sample for analysis.
The program turned out to be a completely new Trojan for J2ME. When it’s launched, it sends 5 SMSs to 1717, a pay number. The message text is made up of code chosen at random from the Trojan’s body.
It turns out that http://games.gsmland.ru/, a site which sells games, ringtones and images, uses this number. Every game ordered via this site costs $3. This means that as a result of the Trojan sending SMSs, the user will have $15 deducted from his/her account.
The Trojan arrives in a .jar file 32647 bytes in size, called ‘pomoshnik.jar’. (‘Pomoshnik’ is the Russian for ‘assistant’ or ‘helper’.) The .jar file also contains two images.
This new malicious program is named Trojan-SMS.J2ME.Wesber.a, and we have added detection for it to our antivirus databases.
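A static triage check for the behaviour described above, added here as an example and not taken from the original analysis: it lists the SMS destinations and Wireless Messaging API (javax.wireless.messaging) classes referenced in a JAR's class files without running them. It assumes the pay number sits in the constant pool as a plain `sms://` URL string, which the post does not state; the function names and the sample JAR are constructed for illustration and are not pomoshnik.jar.

```python
import io, re, struct, zipfile

CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 16: 2, 18: 4}  # bytes per tag
SMS_URL = re.compile(r"sms://\+?(\d+)")

def utf8_constants(cls: bytes) -> list:
    """Return the CONSTANT_Utf8 strings from a class file's constant pool."""
    out, pos, i = [], 10, 1
    try:
        if cls[:4] != b"\xca\xfe\xba\xbe":
            return out
        count, = struct.unpack_from(">H", cls, 8)
        while i < count:
            tag, pos = cls[pos], pos + 1
            if tag == 1:  # Utf8: 2-byte length, then the bytes
                n, = struct.unpack_from(">H", cls, pos)
                out.append(cls[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
                pos += 2 + n
            else:
                pos += CP_SIZES[tag]          # KeyError on an unknown tag
            i += 2 if tag in (5, 6) else 1    # long/double take two slots
    except (IndexError, KeyError, struct.error):
        pass  # truncated or malformed pool: keep what was read
    return out

def triage_jar(data: bytes) -> dict:
    """Summarise SMS-related indicators in a JAR without executing it."""
    report = {"size": len(data), "midlet": False, "wma_classes": set(), "sms_destinations": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            body = jar.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                report["midlet"] = b"MIDlet-1" in body
            elif name.endswith(".class"):
                for s in utf8_constants(body):
                    if s.startswith("javax/wireless/messaging/"):
                        report["wma_classes"].add(s)
                    report["sms_destinations"].update(SMS_URL.findall(s))
    return report

def build_sample() -> bytes:
    """Constructed stand-in JAR (assumption: not the real pomoshnik.jar)."""
    consts = [b"javax/wireless/messaging/MessageConnection", b"sms://1717"]
    pool = b"".join(b"\x01" + struct.pack(">H", len(c)) + c for c in consts)
    cls = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 3, 45, len(consts) + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "MIDlet-1: Helper, , Helper\n")
        z.writestr("Helper.class", cls)
    return buf.getvalue()
```

Calling `triage_jar(build_sample())` reports the constructed archive as a MIDlet that references `MessageConnection` and the destination `1717`; a short-number destination in an application with no stated messaging function is the point to investigate further.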
An insidious piece of software classified by most security vendors as a trojan has been updated to include the bugging of a mobile user’s e-mail, the tracking of a user’s location and the ability to activate the phone’s microphone.
While its classification as a trojan is the subject of some debate, updates to the FlexiSPY application are likely to cause serious concern to mobile users.
The software, once physically loaded onto any Symbian, Windows Mobile or BlackBerry-based device, enables a remote user to monitor and control nearly all aspects of a mobile device.