Windows Mobile trojan sends unauthorized information and leaves device vulnerable
Tuesday February 26, 2008 at 1:13 am CST
Posted by Jimmy Shah
A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China.
WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning.
The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

WinCE/InfoJack was created by a specific website. The website may have hired someone to create the trojan and distribute it to other sites. The maintainer of the website claims that the software was only needed to collect information on the types of mobiles used to access their site. That would be easier to believe if they had notified the user prior to installation or had provided some sort of uninstallation method.

WinCE/InfoJack has a number of features that show its malicious intent:
- installing as an autorun program on the memory card
- installing itself to the phone when an infected memory card is inserted
- protecting itself from deletion, copying itself back to disk
- replacing the browser’s home page
- allowing unsigned applications to install without warning

That last feature, allowing silent installation of an unsigned app, is used by WinCE/InfoJack to auto-update itself. It also leaves the mobile open to other malware being installed silently. Fortunately, the trojan’s website is no longer reachable, due in part to an investigation by local law enforcement.

February 26th, 2008 at 4:37 am
Why do you classify it as a Trojan?? According to the above description, if run on the device, it installs itself on the memory card. If a memory card containing it is inserted into a clean device, it runs automatically from the card and installs itself on the device.
Sounds like a full-blown virus to me.
February 26th, 2008 at 2:20 pm
And I was just reading the other day not to worry about installing PPC antivirus due to nothing really warranting heavy software installations.
February 26th, 2008 at 4:28 pm
Wow, the sound is so dangerous,
it's time for Palm Inc. to develop a new OS; Palm OS Cobalt is safer than WM.
Regards,
-rosgani-
February 26th, 2008 at 9:19 pm
Does the trojan work on Symbian S60 3rd Edition?
February 27th, 2008 at 2:45 am
Dr. Bontchev…
It is a virus! But it hides inside and behind other install files. If I have my lexicon straight, a virus moves by human transmittal. A worm moves by automatic transmittal. A trojan pretends to be something it isn’t.
Ultimately, it’s malware, so the issue is a sidebar at best…
February 27th, 2008 at 7:56 am
Oh Great!!! … and having heard the good news I don’t hear anything about what we can do about it. Can we know what applications it was installed in? Can we know how it can be removed… i.e. scrape and reinstall? Can we actually get a little real information about this problem???
February 27th, 2008 at 9:42 am
Check Blackberry’s track-record dude when it comes to things like these!
February 27th, 2008 at 5:22 pm
So, are we saying here that customers who downloaded Google Maps from Google have this malware?
Or that someone repackaged Google Maps, added their malware, and redistributed it?
February 27th, 2008 at 9:50 pm
The thing that most upsets me is that McAfee didn’t find it right to publish the URL of the website that is spreading the virus.
We have the right to know that both for not going there and also for warning our readers not to visit this site anymore.
February 28th, 2008 at 3:09 am
Where can I get the Trojan?
February 28th, 2008 at 3:11 am
I am Chinese. I can’t find it on Chinese websites. Where did you find it? Maybe it’s the InfoStealer. Two months ago, wasn’t it?
February 28th, 2008 at 4:54 am
Looking at the screenshot - the date of the autorun file is the 25th May 2006! Nearly 2 years ago. Have McAfee known about this for that long and have only now decided to publicise it? Our mobile antivirus software sales are flagging, let's drum up some publicity by saying there's a trojan about?
February 28th, 2008 at 9:46 am
Does the McAfee PDA AV product stop this thing? Or does it just find it and tell you you are hosed?
February 28th, 2008 at 10:59 am
Sounds like a fake to me.
It is such a difficult platform to exploit in terms of connectivity.
Pocket PCs are not, as PCs are, always connected. It is not worth consuming that much precious space and memory, which can be easily spotted since the PDA would be useless.
March 15th, 2008 at 6:53 am
in response to OSB,
You are joking right? Almost all new PDA phones are made with Windows CE in them. They are always connected to the Internet. Yes, it may be time to have Anti-Virus software on your PDA as stupid as it sounds.
March 24th, 2008 at 12:16 am
Truly truly I wrote today, we are in the process to errors and problems shifting paradigms. We are unable to combat desktops, viruses, worms, and Trojans, these epidemics are finding their ways to all the new technological innovations.
Solutions may be the creation of protective shields by the OS and browser producers, centralised active roles by all the mobile telecommunications providers and centralised mobile users awareness.
We have to find solutions to many problems because the era of embedded systems utilisation is here and growing in magnitudes.