by Axelle Apvrille  |  Jan 26, 2010  |  Filed in: Security Research

It had been a while since we'd last seen malware transferring credits to pre-paid phone cards. Our last encounter dated back to SymbOS/Flocker!tr.python in early January 2009. It is happening again, with Java/GameSat.A!tr, a Java ME midlet which is currently in the wild.

Indosat, an Indonesian telecom operator, offers IM3 (Indosat Multimedia 3) customers the ability to transfer (small) funds between two accounts. This is known as 'pulse transfer' or 'M3-Transfer' and it works by ... SMS, without a PIN or registration! The money is transferred from one IM3 account to another IM3 account (a transfer fee is charged to the sender).

This sounds quite handy, but it is absolutely anything but secure, so it comes as no surprise that cyber-delinquents make use of it.

In Flocker, from 5000 to 10000 Indonesian rupees (0.45 - 0.90 USD) were transferred to IM3 accounts controlled by the malware author.

Now, Java/GameSat.A!tr typically gets onto your mobile phone as a 'modification to Opera Mini'. Of course, it does not modify Opera Mini at all. Instead, it uses IM3 fund transfer to access non-free on-line divination, chat or dating services. The end-user gets charged up to 20000 Rp (1.8 USD), not to mention the transfer fee, each time he/she opens the application or tries to access the non-free services.

Figure 1. The malware advertises as a modification to Opera Mini

Figure 2. Malware tries to send an SMS

I could make up my own divination service on that matter, and tell end-users they are probably about to lose roughly two dollars, get plenty of SMS spam and absolutely no advice or dates whatsoever.

-- The Crypto Girl
