Alerts went out Tuesday from several security companies warning users of an in-the-wild Trojan horse able to infect nearly any cell phone. The Trojan, named Redbrowser.a by McAfee, F-Secure, and the discovering vendor Kaspersky Labs, can attack any device – smart phone, PDA, or cell phone – that runs Java 2 Micro Edition, Sun Microsystem’s version for consumer electronics devices.
The Kaspersky guy says that this virus can get to any J2ME phone and that might be true, but it looks like the “trojan” uses the capability to send sms messages directly from the j2me environment, and that’s only possible on phones that uses the MIDP2 J2ME platform. So the trojan seems to be harmless on older phones based on MIDP1
Here is the description of the “trojan”:
http://vil.nai.com/vil/content/v_138726.htm
First how do you install it?
a) someone *pays* to send you a push SMS
b) you type a painfully long URL
c) you download it an copy it manually over bluetooth or infrared
Then once you launch the app the phone WILL ask for permission to send an SMS. There is just a text before that supposedly that tells you not to worry about it. If you believe it and select YES then it can send an SMS that will cost you money.
As the page says now, it’s purely a proof of concept. If anyone were distributing such an app and fooling the user into sending paid SMS their account (for SMS+ payments) would be terminated immediately by the providers.
I know of absolutely no J2ME application that can send SMS without the user being asked about it. Even if the user wants the application to never ask about this he cannot chose it. Only a signed a application will allow you to even select this option. And signing a J2ME app is a real pain, to say the least.