MALWARE

First-of-Kind Viruses Target Mobile Users

By Jennifer LeClaire
TechNewsWorld
03/01/06 9:35 AM PT

Two new Trojan horses are being billed as "first-of-their-kind" bugs.

Security alerts are warning of a "crossover" virus that leaps from one device to another; in addition, a new Java Trojan has been detected that could infect almost any cell phone.

Crossing Over

The Mobile Malware Researchers Association (MMRA), a non-profit organization of professional researchers, on Monday announced that it has discovered the first virus that can be transferred from a PC to a mobile device -- and delete files.

The researchers received an anonymous alert about the malware, which they have dubbed "crossover" for its ability to cross-infect a Windows Mobile Pocket PC handheld from a desktop computer running the Windows operating system.

Crossover is the first malware that is able to infect both a Windows desktop computer and a PDA running Windows Mobile for Pocket PC, according to the MMRA.

Proving Vulnerabilities

Crossover makes a copy of itself and adds a startup command for the copy to the registry. Next, it waits for an ActiveSync connection, which synchronizes the data between a PC and a mobile device.

The virus repeatedly copies itself into the registry each time a PC is rebooted. Analysts said this could slow down the PC's performance or freeze up the computer. On the flip side, the virus copies itself to a Pocket PC running the Windows CE or the Windows Mobile operating system and erases the files in the My Documents directory.

The good news is this is only a proof-of-concept virus. That means it sets out to demonstrate how easily malware could spread from one device to another. Users have no reason to panic, some analysts are saying.

"If someone starts capitalizing on the crossover worm, and we start to see increased activity, then we can talk about a global threat," Ken Dunham, senior engineer at threat intelligence firm iDefense, a VeriSign company based in Reston, Va., told TechNewsWorld. "It's a little premature at this time."

More Mobile Phone Trojans

Meanwhile, several antivirus companies are reporting yet another Trojan this week, called RedBrowser.a. Security researchers said it is the first malicious program to infect not only smartphones, but any mobile phone capable of running Java applications.

The Trojan spreads in the guise of a program called RedBrowser, which allegedly enables the user to visit WAP sites without using a WAP connection.

According to the Trojan's author, this is made possible by sending and receiving free SMS messages. In reality, the Trojan sends SMSes to premium rate numbers. The user is charged US$5 to $6 per SMS.

"This is a social engineering worm written in Russian," Dunham said. "It is interesting when you look at it. This is a Java-based type of threat and it has been proven to be successful. We need to look at this and see what is going to be the threat down the road."

Seeing Red

The Trojan is a Java application, a JAR format archive. The file may be called "redbrowser.jar," and is 54482 bytes in size. The Trojan can be downloaded to the victim's handset either via the Internet (from a WAP site) or via Bluetooth or a personal computer.

"This latest virus represents a natural progression for virus writers, who are constantly seeking to extend their reach by spreading infections via as many platforms as possible," said David Emm, a senior technology consultant at Kaspersky Lab. "One thing's for sure -- RedBrowser may be the first of its kind, but it certainly won't be the last."

Once again, there is good news: the Trojan can be easily removed from the victim's handset using standard utilities already installed on the telephone. Still, Kaspersky Lab recommends that mobile phone users exercise caution and do not download or launch unknown programs via the Internet.