An SMS-sending Trojan that targets mobile devices with Java MIDlet support has been circulating in Malaysia. Some victims reported receiving an SMS message that appears to be an update from Samsung.
[Image: a message that appears as an update from Samsung]
Upon clicking the link, the victim is redirected to another link (http://mmgbu[...].com:90/[...].jar) that leads to a JAR file. This JAR file contains the details the malware uses to send SMS messages to multiple short numbers.
Upon execution, the Trojan sends three SMS messages (most likely to premium numbers) without the user's consent. The contents and recipient numbers are as follows:
• "On GB" to 39914
• "On DF" to 39914
• "On HB" to 33499
Then it shows the title "HOT WEB DL" and images of ladies grouped into five selections: DANCE CLUB, BEACH GIRLS, FUNNY VIDEO, GT MODEL, and HOT CAM. Once an option is selected, it sends out SMS messages containing the string "On (content)" to (number), where the contents could be:
• HB
• MODEL
• LY
• AV
• GA
These messages are later sent out to the following numbers:
• 33499
• 33499
• 36660
• 36660
• 36989
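The behaviour described above (a MIDlet JAR embedding fixed "On ..." strings and premium short codes) lends itself to a simple static triage check. The following Python script is an added example and is not code from the original post or from F-Secure; it assumes the standard J2ME messaging API markers (`javax/wireless/messaging`, `sms://`) as indicators, which the post does not mention, and builds a constructed sample JAR in memory rather than using the real malware.

```python
import io
import re
import zipfile

# Message strings and short codes quoted in the write-up above.
KNOWN_SHORT_CODES = {"39914", "33499", "36660", "36989"}
KNOWN_PAYLOADS = re.compile(rb"On (GB|DF|HB|MODEL|LY|AV|GA)\b")
# Markers of the J2ME messaging API (JSR 120); assumed here, not taken from the post.
SMS_API_MARKERS = (b"javax/wireless/messaging", b"sms://")


def scan_midlet_jar(jar_bytes):
    """Return findings for a J2ME JAR supplied as bytes."""
    findings = {"midlets": [], "sms_api": False, "short_codes": set(), "payloads": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                # MIDlet-1, MIDlet-2, ... list the application entries (name,icon,class)
                if re.match(r"MIDlet-\d+:", line):
                    findings["midlets"].append(line.split(":", 1)[1].strip())
        for name in names:
            data = jar.read(name)
            if any(marker in data for marker in SMS_API_MARKERS):
                findings["sms_api"] = True
            for code in KNOWN_SHORT_CODES:
                if code.encode() in data:
                    findings["short_codes"].add(code)
            for match in KNOWN_PAYLOADS.finditer(data):
                findings["payloads"].add(match.group(0).decode())
    return findings


def is_suspicious(findings):
    """Flag a MIDlet that both reaches the SMS API and embeds known short codes or payloads."""
    return findings["sms_api"] and bool(findings["short_codes"] or findings["payloads"])


def build_sample_jar():
    """Constructed sample JAR mimicking the indicators described above (not the real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "MIDlet-1: HOT WEB DL,,Main\nMIDlet-Permissions: javax.wireless.messaging.sms.send\n")
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe javax/wireless/messaging/MessageConnection sms://39914")
        jar.writestr("data.txt", b"On GB|39914\nOn DF|39914\nOn HB|33499\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_midlet_jar(build_sample_jar())
    print(result, "suspicious:", is_suspicious(result))
```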
[Image: a file containing the details on message contents and recipient numbers]
[Image: images used by SmsSy.A]
An analysis of another sample of the same Trojan revealed that it was assigned a different set of contents and recipient numbers:
[Image: another sample of SmsSy.A assigned a different set of contents and numbers]
[Image: a different set of images used by SmsSy.A]
We have properly rated the offending URL, and published the detection as Trojan:Java/SmsSy.A.