JAVA Mobile Malware #1

Hi guys,

today I will focus on a JAVA mobile malware (md5 is: 7e92d280472ca426aff1c20fbeb8d2db).

It is spread as jar, containing a class with an attractive name. The jar contains three files:

  • a java class (the malware engine);
  • an icon image (it is used in order to be attractive..);
  • an inf file (it is used to extract sms information).

The following is the class code after the usage of jd. I report only relevant parts:


This method is used to read the inf file in order to fill smsnumber and smstext fields. It uses the first byte of the inf file to know how many sms should be sent.


This method is used to read user-defined strings from the inf file.


This method is used to send the crafted sms.

Focus on inf:

As we can see, the malware uses the inf file to extract information such as: sms number and text. Let’s take a look at this file to understand its format:

Question: have you noticed anything wrong in this format ? Before proceeding, please focus on inf format and the three methods reported above.

Answer: It seems that we have a programming bug or a bad-edited inf file. In fact, the malware will try to send 0x10 (16) sms by using this inf, but it has information only for 8 sms. Maybe this is a mistake of the malware author, or someone else has wrongly edited this file.

I hope you have enjoyed this article… see you soon ;]


3 Responses to “JAVA Mobile Malware #1”

  1. 1 Irfan January 28, 2010 at 2:09 pm

    Hi Ratsoul,

    Really nice writeup, could I get a copy of the threat please.


    • 2 Donato "ratsoul" Ferrante January 28, 2010 at 3:28 pm

      Hi Irfan,
      thank you for the comment. Please drop me an e-mail with more information.

Comments are currently closed.


%d bloggers like this: