This blog was written by research engineer Dinesh Venkatesan.
In the past, when dial-up connections were commonly used, we saw Trojan Dialers on infected computers calling out to premium-rate numbers through the dial-up modem. This left the unsuspecting user of the infected machine with heavy telephone bills, and the attack vector was widespread and effective.
With the advent of newer connectivity technologies such as broadband, this attack vector lost its prominence. However, newer technologies also brought along mobile phones, which are perhaps among the most widely used electronic devices of modern times. Malware authors, adapting to this change, were quick to target mobile devices.
In our malware analysis lab we have been observing an increasing number of Trojan Dialers that target mobile devices, and this advisory blog is a quick analysis of one such malware that uses J2ME (the default application standard for CLDC devices) to send SMS messages to high-cost numbers. As with its ancestors, most of these are related to pornographic message centers.
When the application, which is a JAD file, is loaded on the mobile device, a typical user interface screen is displayed, as shown in [Figure 1].

[Figure 1] The normal user interface while loading a JAD application
The JAD application, however, is packaged with a data file (load.bin) that holds a list of high-cost destination numbers. The malicious application uses this bin file to form text messages addressed to the desired premium destination, as shown in [Figure 2].
[Figure 2] Code snippet showing load.bin being loaded
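The blog does not reproduce the code from Figure 2, but the three traits it describes (a bundled data blob such as load.bin, an SMS-capable MIDlet, and outgoing messages to premium numbers) can be checked statically before an application is ever installed. The following Python script is an added example for analysts, not code from the blog or from the malware: it parses a JAD descriptor for the MIDP 2.0 `MIDlet-Permissions` attribute (the JSR 120 permission `javax.wireless.messaging.sms.send`), lists non-media resources packaged in the JAR, and scans class files for constant-pool strings that reference the WMA messaging API or an `sms://` connection string. The JAD/JAR pair it inspects is constructed in memory for the demonstration; the real sample's load.bin format is not documented on the page and is not modelled.

```python
"""Static triage of a J2ME (MIDP) JAD/JAR pair for SMS-dialer traits.

Added example: flags the combination of SMS capability and a bundled data
resource, as seen in the dialer described above. The sample built by
build_sample() is constructed and is not the real malware.
"""
import io
import zipfile

# JSR 120 (WMA) permission a MIDlet must request to send SMS under MIDP 2.0.
WMA_SMS_PERMISSION = "javax.wireless.messaging.sms.send"
# Byte patterns found in a class file's constant pool when it uses the WMA
# API or opens an sms:// connection through Connector.open().
WMA_MARKERS = (b"javax/wireless/messaging", b"sms://")
# Resource types a game or viewer normally ships; anything else is a data blob.
MEDIA_SUFFIXES = (".png", ".jpg", ".gif", ".mid", ".wav", ".amr")


def parse_jad(text):
    """Parse a JAD descriptor (one 'Key: value' per line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def triage_midlet(jad_text, jar_bytes):
    """Return triage findings for a JAD descriptor and the JAR it points to."""
    jad = parse_jad(jad_text)
    perms = [p.strip() for p in jad.get("MIDlet-Permissions", "").split(",")]
    findings = {
        "requests_sms_send": WMA_SMS_PERMISSION in perms,
        "data_resources": [],      # non-class, non-media files (e.g. load.bin)
        "classes_using_wma": [],   # class files referencing the SMS API
    }
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("META-INF/"):
                continue
            data = jar.read(name)
            if name.endswith(".class"):
                if any(marker in data for marker in WMA_MARKERS):
                    findings["classes_using_wma"].append(name)
            elif not name.lower().endswith(MEDIA_SUFFIXES):
                findings["data_resources"].append(name)
    # Triage signal, not a verdict: SMS capability plus an opaque data file
    # is the layout the dialer uses, so route such packages to manual review.
    sms_capable = findings["requests_sms_send"] or bool(findings["classes_using_wma"])
    findings["suspicious"] = bool(sms_capable and findings["data_resources"])
    return findings


def build_sample(malicious=True):
    """Constructed JAD/JAR pair mimicking the dialer's layout (not the real sample)."""
    jad_text = "MIDlet-Name: Viewer\nMIDlet-Jar-URL: viewer.jar\n"
    if malicious:
        jad_text += "MIDlet-Permissions: javax.wireless.messaging.sms.send\n"
    # Not a valid class file: the class magic plus constant-pool-like strings,
    # enough to exercise the marker scan.
    fake_class = b"\xca\xfe\xba\xbe\x00\x00\x00\x31"
    if malicious:
        fake_class += (b"\x01\x00\x2ajavax/wireless/messaging/MessageConnection"
                       b"\x01\x00\x06sms://")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "MIDlet-Name: Viewer\n")
        jar.writestr("Viewer.class", fake_class)
        jar.writestr("splash.png", b"\x89PNG constructed placeholder")
        if malicious:
            jar.writestr("load.bin", b"constructed placeholder for a number list")
    return jad_text, buf.getvalue()


if __name__ == "__main__":
    print(triage_midlet(*build_sample(malicious=True)))
    print(triage_midlet(*build_sample(malicious=False)))
```

Run it against an extracted JAD and JAR to get the findings dictionary; a package that requests SMS sending, references the WMA API and carries an opaque resource like load.bin is worth detonating in an emulator or sandbox before it reaches a handset. A data resource alone is not evidence, which is why the script only raises `suspicious` when SMS capability is also present.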
As soon as the application is loaded, it starts sending premium text messages; the screen capture in [Figure 3] shows text messages being sent out from the mobile device. Please note that the premium numbers are obscured for safety.

[Figure 3] A snapshot of the outgoing messages to high-cost message centers
One can easily observe from [Figure 3 and Figure 4] that the messages sent out are in the typical format used to invoke premium services, landing the mobile user with heavy mobile bills without their knowledge or consent.
[Figure 4] A typical mobile text message format that invokes mobile services similar to the one sent by this malware
Our CA Security product detects this family as Trojan “Java/Swapi.B”. Kindly exercise caution while downloading mobile applications from the Internet, and refrain from using any that come from a non-trusted source.
As always we recommend that you keep your CA products up-to-date with the latest signatures for your protection.