New Mobile Malware Steals
I haven't covered mobile malware for a while, and although there has been quite a lot of activity, most of it has been limited to new variants or uninteresting new malware. The last week has seen several significant developments. The first was 'Crossover', a cross-platform infector that spreads from a Windows desktop to a Windows Mobile or Windows CE device, which I covered in an earlier posting.
The second one is also rather interesting, and another first in more ways than one. This new threat is known as Redbrowser, and unlike the mobile malware we already have it doesn't target Palm OS, Symbian OS or Windows CE (Pocket PC / Windows Mobile). It targets Java (J2ME) on mobile phones. It is also the first mobile malware that tries to steal money.
How many of you out there have phones that have Java support built-in, or have downloaded a Java VM for your smartphone or PDA?
Well, most if not all of you are potentially a target for Java based malware.
Redbrowser is a Java application packaged as a JAR archive, usually named "redbrowser.jar". The file is 54,482 bytes, and it can get onto a Java-enabled device in only one way: you download and install it. It is a Trojan, not a worm or a virus, so it does not spread on its own.
This archive "redbrowser.jar" contains the following files:
- Manifest.mf - 321 bytes
- FS.class - 2,719 bytes
- FW.class - 2,664 bytes
- M.class - 5,339 bytes
- SM.class - 1,945 bytes
- icon.png - An image file 3,165 bytes long
- logo101.png - An image file 16,829 bytes long
- logo128.png - An image file 27,375 bytes long
This is what F-Secure has to say about Redbrowser.A:
"Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number.
Redbrowser pretends to be a WAP browser that offers free WAP browsing, using free SMS messages to send the WAP page contents. But what Redbrowser actually does is send SMS messages to one specific number, thus it may cause financial losses to the user.
The fact that Redbrowser claims to send free SMS messages as part of its normal operation is to fool the user into granting the application permission to use Java SMS capabilities, on phones that require permission from the user before sending SMS messages. This claim of free service is a form of social engineering.
The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries."
[Screenshot of Redbrowser from F-Secure's write-up; the image is not reproduced in this text]
The so-called free SMS is not free: the Trojan actually sends text messages to premium-rate numbers, costing the victim between $5 and $6 per SMS. Luckily for most of us, for now, Redbrowser only targets subscribers of the Russian mobile operators Beeline, MTS and Megafon.
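To make the description above concrete, here is an added example (not code from the original post or from F-Secure) of the static triage an analyst would run on a JAR like this: list the entries and their sizes, parse the manifest, and flag any class that references the J2ME Wireless Messaging API (the `javax/wireless/messaging` classes and the `sms://` connector scheme) or a manifest `MIDlet-Permissions` request for `javax.wireless.messaging.sms.send`. The sample JAR it analyses is constructed inside the script; the entry names mirror the listing above, but the contents are fake and the assumption that the classes are not obfuscated is noted in the code.

```python
"""Static triage of a J2ME MIDlet JAR for the Redbrowser pattern.

Added example, not code from the original post or from F-Secure. It lists
the JAR entries with their sizes, parses the manifest, and flags any class
that references the J2ME Wireless Messaging API (JSR 120) used to send SMS.
"""
import io
import zipfile

# Byte strings a J2ME class file carries in its constant pool when it sends
# SMS through the Wireless Messaging API: the connector scheme and the API
# classes. Assumption: the class is not obfuscated or string-encrypted.
SMS_INDICATORS = (
    b"sms://",
    b"javax/wireless/messaging/MessageConnection",
    b"javax/wireless/messaging/TextMessage",
)
# MIDP 2.0 permission a MIDlet lists in MIDlet-Permissions to send SMS.
SMS_PERMISSION = "javax.wireless.messaging.sms.send"


def parse_manifest(text):
    """Parse 'Name: value' manifest lines into a dict, joining continuation lines."""
    attrs = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]          # continuation of the previous value
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def triage_jar(jar_bytes):
    """Return a report: entries with sizes, manifest attributes and SMS findings."""
    report = {"entries": {}, "manifest": {}, "sms_permission": False,
              "sms_classes": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            report["entries"][info.filename] = info.file_size
            data = jar.read(info.filename)
            if info.filename.lower().endswith("manifest.mf"):
                report["manifest"] = parse_manifest(data.decode("utf-8", "replace"))
            elif info.filename.endswith(".class"):
                if any(marker in data for marker in SMS_INDICATORS):
                    report["sms_classes"].append(info.filename)
    perms = report["manifest"].get("MIDlet-Permissions", "")
    report["sms_permission"] = SMS_PERMISSION in perms
    # A "browser" that needs to send SMS is the Redbrowser pattern; either the
    # declared permission or an SMS-capable class is enough to flag it.
    report["suspicious"] = report["sms_permission"] or bool(report["sms_classes"])
    return report


def build_sample_jar(sms=True):
    """Build a constructed sample JAR (not the real redbrowser.jar).

    Entry names mirror the listing in the post; the contents are fake. With
    sms=True the manifest requests SMS sending and SM.class references the
    SMS connector; with sms=False it is a harmless MIDlet for comparison.
    """
    manifest = ("Manifest-Version: 1.0\r\n"
                "MIDlet-Name: RedBrowser\r\n"
                "MIDlet-1: RedBrowser, icon.png, M\r\n"
                "MicroEdition-Profile: MIDP-2.0\r\n"
                "MicroEdition-Configuration: CLDC-1.0\r\n")
    if sms:
        manifest += "MIDlet-Permissions: " + SMS_PERMISSION + "\r\n"
    magic = b"\xca\xfe\xba\xbe"              # class-file magic, then fake constant-pool text
    ui_class = magic + b"javax/microedition/lcdui/Form"
    sm_class = magic + (b"javax/wireless/messaging/MessageConnection sms://" if sms
                        else b"javax/microedition/lcdui/Alert")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("M.class", ui_class)
        jar.writestr("SM.class", sm_class)
        jar.writestr("icon.png", b"\x89PNG (fake image data)")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for name, size in report["entries"].items():
        print(f"{name:24} {size:>6} bytes")
    print("MIDlet-Name:", report["manifest"].get("MIDlet-Name"))
    print("requests SMS permission:", report["sms_permission"])
    print("classes touching the SMS API:", report["sms_classes"])
    print("verdict:", "SUSPICIOUS" if report["suspicious"] else "no SMS capability found")
```

Two caveats for anyone using this on real samples. The string match only works on classes that keep the API names in their constant pool; an obfuscated or string-encrypted MIDlet would need a real bytecode disassembler. And matching on the exact file size (54,482 bytes) would only ever catch this one build, whereas the capability check, a "browser" that asks for `sms.send`, is the thing that generalises to the copycats the post warns about below. On phones that prompt before each SMS, that prompt is still the user's last line of defence, which is exactly why the Russian "free WAP" text is there to talk them through it.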
The other good news is that this threat is easy to remove, since it is just an installed MIDlet that can be uninstalled like any other application.
However, don't expect this to be the case with later versions, or with new mobile malware that uses the same idea to extract money from you.
Some old Java viruses, like Strangebrew (written back in 1998, and the first virus to infect Java class files), have been found to work on some Java phones, but Redbrowser is the first malware written specifically for Java phones.
Links:
http://www.f-secure.com/v-descs/redbrowser_a.shtml
http://www.f-secure.com/weblog/archives/archive-022006.html#00000823
http://www.sarc.com/avcenter/venc/data/trojan.redbrowser.a.html
Please note that this blog has now moved to my own hosted domain: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All posts up to the end of December 2006 will be left here, but all postings from 1 January 2007 onwards will only be available at the blog's new home.

