Alias/es: J2ME/RedBrowser [McAfee], Java/RedBrowser.A!tr, SymbOS.Redbrowser.A [NAV], Trojan-SMS.J2ME.RedBrowser.a [KAV], J2ME.Agent
Detection Availability
Visible Symptoms
Detailed Analysis
This malware is a malicious MIDlet (a Java application for embedded devices). It sends SMS messages to specific phone numbers.

Technical Details
Initially, this threat is a proof-of-concept virus designed for J2ME platform systems. It uses Java and Wireless Messaging API (WMA) code (javax.wireless.messaging.sms.send) to perform its actions. With WMA, an application can send brief text or binary messages over a wireless connection to one or to multiple mobile devices. The WMA supports Short Message Service (SMS) and Cell Broadcast Service (CBS) messaging. Sun Microsystems freely distributes a J2ME Wireless Toolkit that supports WMA. Many cell phones run Mobile Java, or Mobile-J, and they are also Symbian based.

This malware does not have any distribution mechanism other than to send an SMS message to a specific phone number. The initial version pretends to be a WAP browser and displays text in Russian. Since then, there have been several other minor variants, pretending to provide geographic location services or card generators. Those trojans look different from the initial WAP browser, but behind the scenes, the function sending the SMS is the same.
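Because every variant shares the same WMA SMS-sending function, a MIDlet JAR can be triaged statically for it before installation. The following is an added example, not part of the original write-up or any vendor signature: it checks the manifest for the SMS permission named above and, since a MIDlet may not declare it, also scans class files for plain-text WMA references. The function names, the marker list and the sample JAR are assumptions constructed for illustration.

```python
import io
import zipfile

# WMA permission names that cover opening an SMS connection and sending over it.
SMS_PERMISSIONS = {"javax.wireless.messaging.sms.send",
                   "javax.microedition.io.Connector.sms"}
# Plain-text markers in compiled classes: WMA package reference, SMS URL scheme.
CLASS_MARKERS = {"wma_api": b"javax/wireless/messaging/", "sms_url": b"sms://"}

def parse_manifest(text):
    """Parse 'Key: value' attributes, joining space-prefixed continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:].rstrip()
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            attrs[key] = value
    return attrs

def triage_midlet(jar_bytes):
    """Report declared SMS permissions and class files that reference WMA/SMS."""
    report = {"declared": set(), "classes": {}}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            data = jar.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                attrs = parse_manifest(data.decode("utf-8", "replace"))
                for field in ("MIDlet-Permissions", "MIDlet-Permissions-Opt"):
                    perms = {p.strip() for p in attrs.get(field, "").split(",")}
                    report["declared"] |= perms & SMS_PERMISSIONS
            elif name.endswith(".class"):
                hits = sorted(k for k, m in CLASS_MARKERS.items() if m in data)
                if hits:
                    report["classes"][name] = hits
    return report

def build_sample_jar():
    """Constructed sample input: made-up manifest and class bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "MIDlet-Name: SampleBrowser\n"
                     "MIDlet-Permissions: javax.microedition.io.Connector.http,\n"
                     " javax.wireless.messaging.sms.send\n")
        jar.writestr("Sender.class", b"\xca\xfe\xba\xbe" +
                     b"javax/wireless/messaging/MessageConnection\x00sms://0000")
        jar.writestr("Ui.class", b"\xca\xfe\xba\xbejavax/microedition/lcdui/Form")
    return buf.getvalue()
```

A hit is a reason to inspect the application further, not a verdict: legitimate messaging MIDlets use the same API, and a destination string assembled at run time would not match the `sms://` marker.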
Recommended Action
FortiGate systems: