NEWS FROM THE LAB - Monday, April 23, 2012

Trojan:Java/SmsSy.A Targeting Devices with Java MIDlet Support Posted by ThreatSolutions @ 03:40 GMT

An SMS-sending trojan that targets mobile phones able to run Java ME MIDlets has been circulating in Malaysia. Some victims reported receiving an SMS message that appears to be an update notice from Samsung.

(Image) A message that appears as an update from Samsung

Clicking the link in the message redirects the victim to another URL (http://mmgbu[...].com:90/[...].jar) that serves a JAR file. The JAR is a Java MIDlet, and it carries the configuration the malware uses to send SMS messages to multiple short numbers: the message bodies and the recipient numbers.

Upon execution, the trojan sends three SMS messages (most likely to premium-rate numbers) without the user's consent. The message bodies and recipient numbers are:

  •  "On GB" to 39914
  •  "On DF" to 39914
  •  "On HB" to 33499

It then shows a screen titled "HOT WEB DL" with images of women grouped into five selections: DANCE CLUB, BEACH GIRLS, FUNNY VIDEO, GT MODEL, and HOT CAM. When a selection is made, it sends an SMS message with the body "On (content)" to (number), where the content is one of the following:

  •  HB
  •  MODEL
  •  LY
  •  AV
  •  GA

The messages are sent to the following numbers (one entry per content string above, hence the repeated numbers):

  •  33499
  •  33499
  •  36660
  •  36660
  •  36989

(Image) SmsSy.A manifest: a file containing the details on message contents and recipient numbers

(Image) Images used by SmsSy.A
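As an added example (not part of the original post, and not F-Secure's tooling), here is a small Python triage script for a MIDlet JAR like the one described above: it reads META-INF/MANIFEST.MF, checks whether the MIDlet declares the javax.wireless.messaging.sms.send permission, harvests five-digit short codes and "On ..." message strings from the manifest values, and compares the file's SHA-1 with the hashes listed at the end of the post. The sample manifest and the SMS-Text-*/SMS-Number-* attribute names are constructed for the demo; the post only shows the real sample's configuration as a screenshot, so its actual attribute names are unknown.

```python
"""Static triage of a J2ME MIDlet JAR: extract the manifest, check for the
SMS-send permission, and harvest embedded short codes and message strings.
Added example for this post, not F-Secure tooling and not code from the
SmsSy.A sample.  The SMS-Text-*/SMS-Number-* attribute names are assumed."""
import hashlib
import io
import re
import zipfile

SMS_SEND_PERMISSION = "javax.wireless.messaging.sms.send"
# Short codes seen in the post are five digits.
SHORT_CODE_RE = re.compile(r"^\d{5}$")
# SHA-1 hashes of the two samples named in the post.
KNOWN_SHA1 = {
    "75a91ac99cb5bc2a755d452393d29fa66a323c3f",
    "bca72058af2a7ddb9577ecb9a61394a31aea5767",
}

# Constructed sample manifest, modelled on the configuration the post describes.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "MIDlet-Name: HOT WEB DL\r\n"
    "MIDlet-Vendor: unknown\r\n"
    "MIDlet-Version: 1.0\r\n"
    "MIDlet-1: HOT WEB DL, /icon.png, Main\r\n"
    "MicroEdition-Configuration: CLDC-1.1\r\n"
    "MicroEdition-Profile: MIDP-2.0\r\n"
    "MIDlet-Permissions: javax.wireless.messaging.sms.send,\r\n"
    " javax.microedition.io.Connector.sms\r\n"   # continuation line
    "SMS-Text-1: On GB\r\n"      # assumed attribute names
    "SMS-Number-1: 39914\r\n"
    "SMS-Text-2: On DF\r\n"
    "SMS-Number-2: 39914\r\n"
    "SMS-Text-3: On HB\r\n"
    "SMS-Number-3: 33499\r\n"
)


def parse_manifest(text):
    """Parse MANIFEST.MF / JAD text into a dict.  A line starting with a
    single space continues the previous attribute's value."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def build_sample_jar(manifest_text):
    """Build a constructed JAR in memory (placeholder class file, not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def triage_midlet_jar(jar_bytes):
    """Return a triage report: hash match, declared permissions, harvested
    short codes and 'On ...' message strings, and an overall verdict."""
    sha1 = hashlib.sha1(jar_bytes).hexdigest()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = parse_manifest(manifest)
    permissions = [p.strip() for p in attrs.get("MIDlet-Permissions", "").split(",") if p.strip()]
    short_codes = sorted({v for v in attrs.values() if SHORT_CODE_RE.match(v)})
    messages = sorted(v for v in attrs.values() if v.startswith("On "))
    requests_sms = SMS_SEND_PERMISSION in permissions
    return {
        "sha1": sha1,
        "matches_known_sample": sha1 in KNOWN_SHA1,
        "midlet_name": attrs.get("MIDlet-Name"),
        "requests_sms_send": requests_sms,
        "short_codes": short_codes,
        "messages": messages,
        # A MIDlet that asks to send SMS and embeds short codes deserves a closer look.
        "suspicious": requests_sms and bool(short_codes),
    }


if __name__ == "__main__":
    report = triage_midlet_jar(build_sample_jar(SAMPLE_MANIFEST))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The hash comparison only catches the two samples named here; the permission-plus-short-code heuristic is what generalises to the repacked variants the post mentions, since each one ships a different content/number set but still needs SMS-send permission to do anything.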

Analysis of another sample of the same trojan showed that it was configured with a different set of message contents and recipient numbers:

(Image) A second SmsSy.A manifest, configured with a different set of contents and numbers

(Image) A different set of images used by SmsSy.A

We have rated the offending URL accordingly and published detection for the samples as Trojan:Java/SmsSy.A.

SHA-1: 75a91ac99cb5bc2a755d452393d29fa66a323c3f
SHA-1: bca72058af2a7ddb9577ecb9a61394a31aea5767

Threat Solutions post by — Jordan and Raulf