Mobile phone trojans

You may remember that back in February this year we detected RedBrowser, the first Trojan for J2ME. RedBrowser is able to run on the vast majority of today’s handsets, i.e. those which support Java. The Trojan sends multiple SMSs to pay numbers without the user’s knowledge or consent. Naturally, this rapidly reduces the user’s account balance.

Today one of our users told us about a particular program which has been placed on a popular Russian mobile phone site. This program is allegedly designed to ‘steal money from mobile operators’. Our helpful user not only provided us with information, but also sent us a sample for analysis.

The program turned out to be a completely new Trojan for J2ME. When it’s launched, it sends 5 SMSs to 1717, a pay number. The message text is made up of code chosen at random from the Trojan’s body.

It turns out that http://games.gsmland.ru/, a site which sells games, ringtones and images, uses this number. Every game ordered via this site costs $3. This means that as a result of the Trojan sending SMSs, the user will have $15 deducted from his/her account.

The Trojan arrives in a .jar file 32647 bytes in size, called ‘pomoshnik.jar’. (‘Pomoshnik’ is the Russian for ‘assistant’ or ‘helper’.) The .jar file also contains two images.

We’ve named this new malicious program Trojan-SMS.J2ME.Wesber.a, and added detection for it to our antivirus databases.
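As an added illustration of how a defender might triage a J2ME package like the one described above (example code written for this page, not Kaspersky's detection logic), the function below opens a .jar, checks the MIDlet manifest, and scans class files for an SMS destination URL pointing at a known premium short code. The "sms://<number>" addressing scheme and the 4-digit short-code heuristic are assumptions about the J2ME messaging API, not facts stated in the post; 1717 is the number the post names, and the sample jar is constructed inline.

```python
import io
import re
import zipfile

# Assumption (not from the post): J2ME's wireless messaging API addresses an SMS
# target as "sms://<number>". 1717 is the premium short code named in the post.
PREMIUM_SHORT_CODES = {"1717"}
SMS_URL_RE = re.compile(rb"sms://\+?(\d{3,5})")


def triage_midlet_jar(jar_bytes: bytes) -> dict:
    """Static triage of a J2ME .jar: is it a MIDlet, which SMS numbers do its
    class files reference, and are any of them known premium short codes?"""
    result = {"is_midlet": False, "midlet_name": None,
              "sms_targets": [], "premium_hits": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            attrs = {k.strip(): v.strip() for k, v in
                     (line.split(":", 1) for line in manifest.splitlines() if ":" in line)}
            # A MIDlet suite must declare at least MIDlet-1 and a MIDP profile.
            result["is_midlet"] = "MIDlet-1" in attrs and "MicroEdition-Profile" in attrs
            result["midlet_name"] = attrs.get("MIDlet-Name")
        for name in names:
            if not name.endswith(".class"):
                continue
            # String constants live in the class constant pool as plain bytes,
            # so a raw scan is enough to surface hard-coded SMS destinations.
            for m in SMS_URL_RE.finditer(jar.read(name)):
                number = m.group(1).decode()
                result["sms_targets"].append(number)
                if number in PREMIUM_SHORT_CODES:
                    result["premium_hits"].append((name, number))
    return result


def build_sample_jar() -> bytes:
    """Constructed sample shaped like the 'pomoshnik.jar' in the post: a MIDlet
    manifest, an icon, and a fake class file whose constant pool names sms://1717."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "MIDlet-Name: Pomoshnik\r\nMIDlet-Vendor: unknown\r\n"
                     "MIDlet-Version: 1.0\r\nMIDlet-1: Pomoshnik,/icon.png,Main\r\n"
                     "MicroEdition-Profile: MIDP-2.0\r\nMicroEdition-Configuration: CLDC-1.1\r\n")
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x2f"
                     b"\x01\x00\x0asms://1717" b"\x01\x00\x03SND")
        jar.writestr("icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_midlet_jar(build_sample_jar()))
```

A premium hit alone is not proof of malice (a legitimate content shop could use the same short code); it marks the package for manual review of how often and when the SMS is sent.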
