Trojan:Java/Redbrowser.A

Classification

Category: Malware

Type: Trojan

Platform: Java

Aliases: Trojan:Java/Redbrowser.A, Trojan-SMS.J2ME.RedBrowser.a

Summary

Redbrowser.A is a J2ME-based Java MIDlet that sends SMS messages to a specific number. Redbrowser pretends to be a WAP browser that offers free WAP browsing by using free SMS messages to deliver the WAP page contents. What it actually does is send SMS messages to one specific number, which may cause financial losses to the user.

Removal

F-Secure Mobile Anti-Virus is capable of detecting and deleting the Redbrowser.A trojan. It is also possible to remove the Redbrowser.A trojan by uninstalling it with the Symbian application manager.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Redbrowser claims to send free SMS messages in order to fool the user into granting the application permission to use Java SMS capabilities on phones that require user permission before sending SMS messages. This claim of free service is a form of social engineering. The social engineering texts used in Redbrowser.A are in Russian, which limits the trojan to Russian-speaking countries.

Propagation (SMS)

Redbrowser.A contains a fixed phone number to which it will send SMS messages. After Redbrowser.A has shown the social engineering texts, it will send an SMS message to that number.

The message-sending function of Redbrowser.A is in an infinite loop, so unless terminated by the user it will send a constant stream of messages. Each of those messages will be charged to the user's account.

First, Redbrowser.A tells the user that its web browser uses SMS messages instead of a GPRS connection.

In the next step it asks the user to select an operator (service provider) to be used for browsing.

After that the user has options to either pass or exit. (See below.)

If the user chooses the pass option, Redbrowser.A will start a continuous flood of SMS messages. Each message requires the user's approval.