Making its way back into the wild is a WinCE malware that infects Windows Mobile phones. Detected by Trend Micro as WINCE_CRYPTIC.A, this new variant uses the same old routines that made WinCE malware notorious before.
Advanced Threats Researcher Jamz Yaneza says it works as a typical companion virus because it stores the infection code in another file. Typical viruses infect files themselves, but WINCE_CRYPTIC.A does not. Instead, it creates “companion” files bearing the same names as files on the infected mobile phone’s storage card. These companion files contain the infection code, and when users run programs from the storage card, the malicious files run first.
In essence, it does not infect the files themselves; the variation between copies comes from the malware’s polymorphic engine. Yaneza adds that the file could actually be considered a Trojan with some polymorphic functionality. Companion viruses do this to avoid detection: users are tricked into thinking they are still running a legitimate application when in fact they are already executing the malware.
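Because a companion virus leaves the legitimate file untouched and only drops a second file that shares its name, the cheapest triage signal on a storage card is a set of files in one directory that differ only in extension or case. The script below is an added example, not code from the original post or from Trend Micro: it flags such collisions in a constructed directory listing; since the post does not state which extension WINCE_CRYPTIC.A uses for its companion files, every collision involving an executable is reported for review rather than judged malicious.

```python
"""Flag companion-style name collisions in a storage-card listing.

Added example (not from the original post). The listing below is
constructed sample data, and the executable-extension set is an
assumption about what Windows Mobile launches directly.
"""
from collections import defaultdict
import os

# Extensions Windows Mobile will execute directly (assumption).
EXECUTABLE_EXTS = {".exe", ".cab", ".lnk"}

def find_companion_collisions(paths):
    """Group paths by (directory, lowercase stem) and return the groups
    that hold more than one file and at least one executable, as
    {"dir/stem": sorted list of colliding paths}."""
    groups = defaultdict(list)
    for p in paths:
        directory, name = os.path.split(p)
        stem, _ext = os.path.splitext(name)
        groups[(directory.lower(), stem.lower())].append(p)
    collisions = {}
    for (directory, stem), members in groups.items():
        if len(members) < 2:
            continue
        exts = {os.path.splitext(m)[1].lower() for m in members}
        if exts & EXECUTABLE_EXTS:
            collisions[f"{directory}/{stem}"] = sorted(members)
    return collisions

# Constructed listing: a legitimate game shadowed by a same-named shortcut,
# a document with a same-named executable beside it, two harmless files
# that share a stem but are not executable, and one lone program.
SAMPLE_LISTING = [
    "Storage Card/Games/Solitaire.exe",
    "Storage Card/Games/solitaire.lnk",
    "Storage Card/Docs/Invoice.doc",
    "Storage Card/Docs/Invoice.exe",
    "Storage Card/Pics/holiday.jpg",
    "Storage Card/Pics/holiday.txt",
    "Storage Card/Apps/Calc.exe",
]

if __name__ == "__main__":
    for key, members in find_companion_collisions(SAMPLE_LISTING).items():
        print(f"[review] {key}: {', '.join(members)}")
```

On a real card, feed the function the output of a recursive directory walk and compare each flagged pair’s hashes against the original installer before deciding which copy is the companion.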
Users, however, will notice changes in their infected mobile phones, as WINCE_CRYPTIC.A changes the text and background colors of the affected device. Here are some screenshots:
WinCE malware changes a mobile phone’s display colors.
The malware may be distributed through memory cards. It may also be hosted on malicious websites and arrive on mobile phones through downloads. Yaneza believes that document sharing via infrared or Bluetooth could also be a possible avenue for infection, as remote malicious users could easily pass on documents when such devices are left on.
With more users carrying Web-enabled mobile devices, malware authors are also quick to adapt. From spam to ransomware, cybercriminals are exploiting mobile phone usage as a new avenue for profit. Interestingly, this malware deviates from the usual schemes, such as those that use Symbian malware to extort money from affected users. Symbian malware is notorious for locking phones and then asking users for money so the affected phones can be fixed.
WinCE malware in the past did not have this routine. Our researchers believe that creators of this new WinCE malware are testing the waters for a bigger threat on mobile devices.
The following mobile phone models may be affected by WINCE_CRYPTIC.A:
- Windows Mobile 5.0 Smartphone
- Windows Mobile 5.0 PocketPC/PocketPC Phone Edition
- Windows Mobile 6.0/6.1 Classic
- Windows Mobile 6.0/6.1 Standard
- Windows Mobile 6.0/6.1 Professional
The Trend Micro Smart Protection Network already detects WINCE_CRYPTIC.A and provides solutions for its cleanup and removal. Trend Micro, meanwhile, advises users not to download phone applications from unknown locations on the Web. WINCE_CRYPTIC.A itself does not run on PCs, but files may be downloaded from a PC to mobile phones. Beamed applications and documents should also be handled with caution. The US National Institute of Standards and Technology also provides guidelines on mobile phone security.