Mobile phone trojans

You may remember that back in February this year we detected RedBrowser, the first Trojan for J2ME. RedBrowser is able to run on the vast majority of today’s handsets, i.e. those which support Java. The Trojan sends multiple SMSs to pay numbers without the user’s knowledge or consent. Naturally, this rapidly reduces the user’s account balance.

Today one of our users told us about a particular program which has been placed on a popular Russian mobile phone site. This program is allegedly designed to ‘steal money from mobile operators’. Our helpful user not only provided us with information, but also sent us a sample for analysis.

The program turned out to be a completely new Trojan for J2ME. When it’s launched, it sends 5 SMSs to 1717, a pay number. The message text is made up of code chosen at random from the Trojan’s body.

It turns out that http://games.gsmland.ru/, a site which sells games, ringtones and images, uses this number. Every game ordered via this site costs $3. This means that as a result of the Trojan sending SMSs, the user will have $15 deducted from his/ her account.

The Trojan arrives in a .jar file 32647 bytes in size, called ‘pomoshnik.jar’. (‘Pomoshnik’ is the Russian for ‘assistant’ or ‘helper’.) The .jar file also contains two images.

We’ve named this new malicious program Trojan-SMS.J2ME.Wesber.a, and added detection for it to our antivirus databases.