Hackers release J2ME version in order to target more phones

Feb 7, 2009 09:39 GMT

Kaspersky researchers warn that the mobile trojan that transfers credit from infected phones without authorization now has a new variant able to run on J2ME phones. This allows the attackers to target a significantly larger number of mobile customers.

Two weeks ago, malware analysts from anti-virus vendor Kaspersky warned of a new type of malware that targets mobile phones running the Symbian OS. Even though it was restricted to Indonesia, the trojan, which was written in Python, had the potential to make the jump to other countries as well.

Trojan-SMS.Python.Flocker abused the credit transfer services offered by mobile operators in Indonesia. Some providers allow customers to perform such operations simply by sending an SMS message to a special service number, 151. Once installed, the trojan abused this feature by sending unauthorized messages to 151 and transferring credit in small amounts (between $0.45 and $0.90) to a number controlled by its authors.

However, the VXers must have realized that, in a country like Indonesia, phones able to run Python are not nearly as popular as the generally cheaper J2ME ones. J2ME (Java 2 Micro Edition) is a platform for mobile devices that allows them to run applications written in Java. Thus, the new version of this trojan, which Kaspersky identifies as Trojan-SMS.J2ME.GameSat.a, masquerades as a mobile application for chatting and dating.

Once executed, the trojan displays the same behavior as its Python brother and sends an SMS to 151, transferring 5000 rupiah (around $0.45) to the cybercriminal's phone number. There is no information yet as to whether this new malware is the work of the same attackers who created the Python version, or if it's a spin-off of the same concept authored by other VXers.

“So that’s 6 new pieces of mobile malware in the space of just over two weeks, a move from Symbian to J2ME, and a clear financial motive behind the attacks. We await developments...,” notes Denis Maslennikov, malware analyst at Kaspersky Labs.

After the previous Python-based threat was announced, reports allegedly quoting Kaspersky representatives started flowing in from Australia. According to these reports, it only takes one phone call from an infected device for the trojan to make the jump to the land down under. These reports proved to be nothing more than media hype and were dismissed by Kaspersky, which, according to The Register, denied ever making such claims.

Just to avoid any possible misunderstandings, these trojans can only infect a mobile phone if the user agrees to install the unsigned applications and, of course, if a Python interpreter, or a Java one respectively, is present on the device.