Threat behavior
Trojan:Java/Zitmo.A is a trojan that affects mobile devices running the RIM operating system. It can change certain settings on the device.
Installation
When successfully installed, Trojan:Java/Zitmo.A sends an SMS to a certain number in the United Kingdom (ending with the digits "1821") to notify that it has been installed on the affected mobile device.
Payload
Modifies device settings
Trojan:Java/Zitmo.A maintains a record of the following settings, which it can toggle on or off:
- Call forwarding - number that calls are forwarded to
- Call blocking - numbers that are blocked
Performs certain actions
Trojan:Java/Zitmo.A waits for incoming SMS messages from the same United Kingdom-based number (ending with the digits "1821"). When it receives a message, it parses the message for the following strings and performs the indicated command accordingly:
- Add sender - adds a number to the call forward list or blocked list
- Set sender - sets a number in the call forward list or blocked list
- Rem sender - removes a number from the call forward list or blocked list
- Block - adds a number to the blocked list
If the command carries the additional parameter 'all', it applies to all numbers on the call forwarding or blocking list.
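The two behaviours described above, the installation SMS to the "1821" number and the command strings arriving from it, are both visible in an SMS log. The following Python is an added detection example, not part of the original analysis: it scans a constructed SMS log (the log format, timestamps and phone numbers are invented for the example) and flags outbound messages to a number ending in "1821" as a possible install beacon and inbound messages from such a number whose body starts with one of the command words listed above, noting whether the 'all' parameter is present.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample SMS log (not from the original analysis); one record per
# line in the form timestamp|direction|peer number|message body.
# All numbers are invented; only the "1821" suffix comes from the write-up.
SAMPLE_SMS_LOG = """\
2012-03-01T09:10:00|IN|+441111111821|Set sender +447700900111
2012-03-01T09:11:30|IN|+447700900222|Lunch at 1?
2012-03-01T09:12:05|IN|+441111111821|Block all
2012-03-01T09:12:40|OUT|+441111111821|INSTALLED
2012-03-01T09:14:00|IN|+441111111821|Rem sender +447700900111
2012-03-01T09:15:00|IN|+447700900333|add sender me to your group
"""

# Command words the write-up says the trojan parses out of incoming SMS.
COMMAND_RE = re.compile(
    r"^\s*(add sender|set sender|rem sender|block)\b(.*)$", re.IGNORECASE
)

# The write-up identifies the controlling number only by its last four digits.
C2_SUFFIX = "1821"


@dataclass
class Finding:
    timestamp: str
    direction: str
    peer: str
    command: str        # "beacon" for the outbound install notification
    argument: str       # remaining command text with any 'all' token removed
    applies_to_all: bool


def parse_line(line: str) -> Optional[List[str]]:
    """Split one log record into its four fields, or None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        return None
    return parts


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the record matches either described behaviour."""
    rec = parse_line(line)
    if rec is None:
        return None
    ts, direction, peer, body = rec
    if not peer.endswith(C2_SUFFIX):
        # Messages to or from any other number are not part of this pattern.
        return None
    if direction == "OUT":
        # Any outbound SMS to the controlling number is treated as the
        # installation notification; the real body text is unknown.
        return Finding(ts, direction, peer, "beacon", body.strip(), False)
    m = COMMAND_RE.match(body)
    if m is None:
        return None
    command = m.group(1).lower()
    tokens = m.group(2).strip().split()
    applies_to_all = any(t.lower() == "all" for t in tokens)
    argument = " ".join(t for t in tokens if t.lower() != "all")
    return Finding(ts, direction, peer, command, argument, applies_to_all)


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every record and collect the hits."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_SMS_LOG):
        print(finding)
```

Because the write-up gives only the last four digits of the controlling number, the suffix match is deliberately loose and will also flag unrelated numbers that happen to end in "1821"; the command-word check on inbound messages is what separates the pattern from ordinary traffic, which is why the unrelated "add sender" message from a non-matching number in the sample is not reported.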
Trojan:Java/Zitmo.A also monitors outgoing and incoming calls, which can be rejected based on a phone entry list via a simulated key event or trackwheel event. Outgoing calls are rejected via key event only. Incoming calls are rejected via key event or trackwheel event.
Analysis by Marianne Mallen
Prevention