A Windows Mobile PocketPC trojan that disables Windows Mobile application installation security has been discovered in China. The trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning.
WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware.
The trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.
WinCE/InfoJack was created by a specific website. The website may have hired someone to create the trojan and distribute it to other sites. The maintainer of the website claims that the software was only needed to collect information on the types of mobiles used to access their site. That would be easier to believe if they had notified the user prior to installation or if they had provided some sort of uninstallation method.
WinCE/InfoJack has a number of features that show its malicious intent:
- installing as an autorun program on the memory card
- installing itself to the phone when an infected memory card is inserted
- protecting itself from deletion, copying itself back to disk
- replacing the browser’s home page
- allowing unsigned applications to install without warning
That last feature, allowing silent installation of an unsigned app, is used by WinCE/InfoJack to auto-update itself. It also leaves the mobile device open to other malware being installed silently.
Fortunately the trojan’s website is no longer reachable, due in part to an investigation by local law enforcement.