First J2ME Mobile Phone Trojan Spotted

Russian anti-virus specialist Kaspersky Lab has discovered evidence of the first mobile phone Trojan targeting J2ME (Java 2 Platform, Micro Edition) devices.

The sample Trojan, identified as Redbrowser.A, works on most phones with J2ME support, raising fears that malware writers are expanding the target beyond just Symbian-based smart phones.

Redbrowser.A is a J2ME-based Java Midlet that pretends to be a WAP (Wireless Application Protocol) browser that offers free WAP browsing.

Instead, once a phone is infected, the Trojan sends text messages to premium rate numbers, saddling the victim with exorbitant messaging charges.

The infected user gets charged between $5 and $6 for each text message sent by the Trojan, said Shane Coursen, Kaspersky Lab’s senior technical consultant.

In an interview with eWEEK, Coursen said the Trojan, which was not found in the wild, is further proof that the mobile malware threat “is expanding rapidly.”

Click here to read more about cell phone viruses.

“We now know that it’s not only a threat to smart phones. All these regular phones that support J2ME are vulnerable and can become a major target,” Coursen added.

The Redbrowser.A Trojan can be downloaded to the victim handset either via the Internet (from a WAP site) or via Bluetooth or a personal computer, he said.

F-Secure, a Finnish anti-virus vendor, has issued updated virus definitions for the latest threat.

“The fact that Redbrowser claims to send free SMS messages as part of its normal operation, is to fool the user into allowing the application permission to use Java SMS capabilities in phones that require permission from the user before sending SMS messages. This claim of free service is a form of social engineering,” said F-Secure researcher Jarno Niemela.

He said the social engineering texts are in Russian, which limits the Trojan only to Russian-speaking countries.

Read more here about the Cabir worm targeting smart phones.

Niemela said the Trojan contains a fixed list of 10 phone numbers to which it will send SMS messages.

After the social engineering texts are shown, Redbrowser.A it will pick one number from the list at random and send a SMS message to that number.

“The message sending function is in an infinite loop, so unless terminated by the user, it will send a constant stream of messages. Each of those message will be changed to the user’s account,” Niemela said.

A separate blog entry by F-Secure’s Mikko Hypponen contains screenshots of Redbrowser infecting a Nokia 6630 cell phone.

“Some old Java viruses like Strangebrew do work on some Java phones, but RedBrowser is the first malware targeting Java phones on purpose,” Hypponen said, noting that it is also the first mobile malware that tries to steal money.

“The threat is still very limited; this thing does not spread by itself, and we have no direct reports of anybody being hit by it in Russia [where the first reports were from],” he added.

Hypponen said the Redbrowser Trojan works on many low-end closed phones.

F-Secure has successfully tested it under Nokia 9300 (Communicator, running Symbian Series 80), Nokia 6630 (Symbian S60 smart phone), Nokia 5140i (low-end Series 40 phone).

“We’ve also heard it works under BlackBerrys with J2ME support. We will be testing it with Nokia 6310i—one of the first phones with Java support,” he said.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.