Trojan:Java/SmsSy.A targeting devices with Java midlet installed

An SMS-sending Trojan, which targets mobile devices with Java midlet installed, has been circulating in Malaysia. Some victims reported that they have been receiving an SMS message which appears to be an update from Samsung.

A message that appears as an update from Samsung

But upon clicking the link, they are redirected to another link (http://mmgbu[…].com:90/[…].jar) that leads to a JAR file. This JAR file carries out the details for the malware to send SMS messages to multiple short numbers.

Upon execution, the Trojan would send three SMS messages (most likely to premium numbers) without the users’ consent. The contents and recipient numbers are as follow:
– “On GB” to 39914
– “On DF” to 39914
– “On HB” to 33499

Then, it will show a title of “HOT WEB DL” and images of ladies which are grouped into five selections: DANCE CLUB, BEACH GIRLS, FUNNY VIDEO, GT MODEL, and HOT CAM. Once the option is selected, it would send out SMS messages containing the string “On (content)” to (number), where the contents could be:
– HB
– MODEL
– LY
– AV
– GA

These messages are later sent out to the following numbers:
– 33499
– 33499
– 36660
– 36660
– 36989

A file containing the details on message contents and recipient numbers

Images used by SmsSy.A

An analysis of another sample of the same Trojan revealed that this one was assigned with a different set of contents and recipient numbers:

Another sample of SmsSy.A was assigned with different set of contents and numbers

A different set of images used by SmsSy.A

We have properly rated the offending URL, and published the detection as Trojan:Java/SmsSy.A.

Sha-1: 75a91ac99cb5bc2a755d452393d29fa66a323c3f
Sha-1: bca72058af2a7ddb9577ecb9a61394a31aea5767

Blog post by – Jordan and Raulf

On 23/04/12 At 03:40 AM

Read more: Trojan:Java/SmsSy.A targeting devices with Java midlet installed