| Release Date | Jan 26, 2010 |
| Detection Availability | Current Antivirus Definition Database Version: 11.578 |
Description
Visible Symptoms
- The malware tries to send and receive data via the Internet.
- The malware tries to send SMS messages.
Detailed Analysis
This malicious Java midlet contacts a remote malicious web server to get an up-to-date short number and text to send via SMS. It is able to run on any mobile phone which supports Java.
The malware is often packaged under names such as bigfone.jar, bigfone2.jar or telebaza.jar. It typically claims to be a Russian application to find the subscriber network for a given phone number.
Technical Details
The malicious midlet consists of a JAR (Java archive) containing compiled (malicious) classes. In particular, the Main class:
- opens a record store named MQ_RSO.37
- pretends to contact a phone number database to retrieve information concerning the phone numbers the end-user has provided. Instead, the malware opens a PHP session with a remote server, and gets from that server a short phone number (e.g. 3649) and a text (e.g. neofank 600).
- sends multiple SMS messages to that phone number while pretending to connect to a server, getting authorization and processing data.
The malware requires the user's consent to connect to the Internet and send SMS messages.
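
A static triage check for the behaviour described above, added here as an example (it is not part of the original analysis or of any vendor tooling): it scans the class files of a MIDlet JAR for HTTP and SMS API references, the record store name and the package names given on this page. The API class names are the standard Java ME ones, the sample JAR contents are constructed, and a byte search like this misses strings that are only assembled at run time.

```python
import io
import zipfile

# ASCII markers as they appear in a class file's constant pool.
MARKERS = {
    "network": [b"javax/microedition/io/HttpConnection", b"http://"],
    "sms": [b"javax/wireless/messaging/MessageConnection", b"sms://"],
    "record_store": [b"javax/microedition/rms/RecordStore"],
    "phonox_store_name": [b"MQ_RSO.37"],  # record store name from this page
}
KNOWN_NAMES = {"bigfone.jar", "bigfone2.jar", "telebaza.jar"}  # from this page


def triage_midlet(jar_bytes, filename=""):
    """Return (sorted indicators, verdict) for a MIDlet JAR given as bytes."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            data = jar.read(entry)
            for indicator, needles in MARKERS.items():
                if any(needle in data for needle in needles):
                    found.add(indicator)
    if filename.lower() in KNOWN_NAMES:
        found.add("known_filename")
    # HTTP fetch plus SMS sending in one midlet is the combination described
    # above; either capability alone is common in benign applications.
    verdict = "no match"
    if {"network", "sms"} <= found:
        verdict = "review"
        if found & {"phonox_store_name", "known_filename"}:
            verdict = "matches Phonox description"
    return sorted(found), verdict


def build_sample_jar(class_blobs):
    """Build an in-memory JAR from constructed, non-executable class blobs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "MIDlet-Name: sample\n")
        for name, blob in class_blobs.items():
            jar.writestr(name, blob)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: marker strings only, not a real class file.
    blob = b"\xca\xfe\xba\xbe" + b"\x00".join(sum(MARKERS.values(), []))
    print(triage_midlet(build_sample_jar({"Main.class": blob}), "sample.jar"))
```

A "review" verdict only means both capabilities are present in one midlet; the record store name or a known package name is what ties a sample to this description.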
Fig. 1: Main menu of Java/Phonox.A!tr, in Russian
Fig. 2: Malware requesting permission to connect to the Internet
Description Last Updated Date: Jan 27, 2010
Reference: ID - 1498934