Smart-Phone Trojan Poses as Anti-Virus App

A new mutant of the "Skulls" cell-phone Trojan has been found masquerading as a mobile security application.

Finnish anti-virus vendor F-Secure Corp. has issued a warning for a new strain of the "Skulls" Trojan sneaking into Symbian-based smart phones by posing as a mobile security application.

The latest mutant, identified as Skulls.L, pretends to be a pirated copy of the F-Secure Mobile Anti-Virus application, a sign that virus writers targeting cell-phone users are borrowing well-known replication tactics from computer viruses.

According to an advisory from F-Secure, Skulls.L provides a new twist on previous versions by masquerading as a mobile protection installation package. The Trojan, which arrives as a SIS file, also displays dialog text that reads: "F-Secure Antivirus protect you against the virus. And dont forget to update this!"

F-Secure virus tracker Jarno Niemela said customers should download anti-virus files only from F-Secure servers or from the domain, which will redirect users to a secure server.

He warned that Skulls.L is capable of corrupting system applications on Symbian-powered devices to disable all smart-phone functionality once the phone is infected.

Like its predecessors, Skulls.L replaces the system applications with nonfunctional versions, and deposits two versions of the Cabir worm. The Trojan also disables third-party applications that could be used to disinfect the device.

Cabir, originally detected last June, uses the Bluetooth wireless peer protocol to propagate, copying itself to other Bluetooth devices as far as 30 feet away, depending on the environment.

According to Niemela, the two Cabir variants dropped by the Trojan do not activate automatically, and will not activate on reboot. He said the worms will activate only if the infected user goes to the icon of the dropped Cabir file and runs it from there.

The Skulls Trojan also replaces the application icons with images of a skull and crossbones.

If a phone gets infected, Niemela said only the calling and answering features will work. "All functions which need some system application, such as SMS and MMS messaging, Web browsing and camera, no longer function," he warned.

F-Secure has published disinfection instructions and recommends that smart-phone users use anti-virus applications for protection.

In addition to F-Secure, Symantec Corp., Trend Micro Inc. and McAfee Inc. also hawk cell-phone anti-virus software.

