Mobile Trojan distributes pirate anti-virus software

Mobile phone malware is often disguised as a security application in order to dupe the user into installing it. However, the latest version of Doomboot, which attacks the Symbian platform, is the first to contain a fully working copy of an anti-virus application, according to Jarno Niemela, a virus researcher at anti-virus firm F-Secure.

"We have seen Symbian Trojans that pretend to be an anti-virus applications... but I believe that Doomboot.G is the first that actually contains a fully working pirate copy," said Niemela on the F-Secure blog.

Niemela explains that as well as installing ExoVirusStop, Doomboot.G also creates some fake directories and files that are associated with another mobile phone virus called Lasco.A. Once the anti-virus application is executed, Niemela said it will detect traces of Lasco.A and attempt to clean it up before rebooting the phone, which could result in victims losing all their data.

"The user installs the ExoVirusStop.. then scans his phone and gets a report about Lasco.A, and a request to reboot his phone. If the phone is booted while the Doomboot files are still in the system, the phone cannot start up again. The phone can be reformatted with special key code, which of course will erase all data," said Niemela.

According to Niemela, mobile phone users that have an original copy of ExoVirusStop (or F-Secure's own mobile phone anti-virus software) will not be affected by Doomboot.G.

Last month, Nokia partnered with Symantec to help secure its Symbian-based mobile phones from malware. Under the agreement, Nokia plans to arm its Series 60 smart phones with the Symantec Mobile Security anti-virus program.

Security experts have said they expect to see a 'serious' mobile phone virus by the end of 2008.