Analysis by: Erika Bianca Mendoza
 PLATFORM:

Windows Mobile, Symbian OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

This malware uses social engineering methods to lure users into performing certain actions that may, directly or indirectly, cause malicious routines to be performed. Specifically, it disguises as a mobile web browser Opera Mini. Once the user agreed with the services of the fake browser, it sends SMS messages to premium numbers.

To get a one-glance comprehensive view of the behavior of this Trojan, refer to the Threat Diagram shown below.

This application disguises itself as the mobile web browser, Opera Mini.

While running, it checks if the mobile phone uses any of the specific service centers.

If it uses any of these, it proceeds to sending SMS to a number encoded in data.res.

It sends the message “424626 357 OX” to specific premium numbers via SMS.

This Trojan may be unknowingly downloaded by a user while visiting malicious websites. It may be manually installed by a user.

It bears the file icons of certain applications to avoid easy detection and consequent removal.

  TECHNICAL DETAILS

File Size: 20,480 bytes
Memory Resident: No
Initial Samples Received Date: 28 Sep 2011
Payload: Sends text messages

Arrival Details

This Trojan may be unknowingly downloaded by a user while visiting malicious websites.

It may be manually installed by a user.

Installation

This Trojan bears the file icons of the following applications:

  • Opera Mini

NOTES:

This application disguises itself as the mobile web browser, Opera Mini.

While running, it checks if the mobile phone uses any of the following service centers:

  • +79202909090
  • +79206909090
  • +79219909090
  • +79222909090
  • +79232909090
  • +79242000690
  • +79262909090
  • +79272909090
  • +79282000002
  • +79289900028
  • +89282000002
  • +78129600096
  • +89282000002
  • +78129600096

If it uses one of the above, it proceeds to sending SMS to a number encoded in data.res.

It sends the message “424626 357 OX” to the following premium numbers via SMS:

  • 9797
  • 8503
  • 7202
  • 7201

It affects the following mobile devices that support MIDlets:

  • Nokia
  • Sony Ericsson
  • Samsung
  • Motorola
  • Siemens

  SOLUTION

Minimum Scan Engine: 9.200
VSAPI OPR PATTERN File: 8.465.00
VSAPI OPR PATTERN Date: 01 Oct 2011

Step 1

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

Step 2

Scan your computer with your Trend Micro product to delete files detected as J2ME_FAKEBROWS.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 3

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.


Did this description help? Tell us how we did.