The trojan is primarily targeted to handheld devices in China, said Dave Marcus, security research and communications manager for McAfee Avert Labs, speaking with SCMagazineUS.com on Thursday.
Windows Mobile devices become infected with the trojan after a user visits one of several websites in China, Marcus said. The malware author has bundled the trojan inside what appears to be a legitimate package of games or Google Maps so the victims are unaware that their device is compromised.
According to a blog post by Vanja Svajcer of Sophos' U.K. labs, the trojan, called winCE//infojack, is packaged together with several legitimate mini-games, including Mahjongg and a version of Tetris. The trojan is teamed "with just enough social engineering to entice an unsuspecting user into installing the package" on the mobile device, Svajcer wrote in a blog post.
Once downloaded, the trojan lowers the security settings on the device so it "does not complain about the fact that programs are not signed,” Svajcer wrote in the blog. “This is done through a simple registry write, just like on any desktop version of Windows."
The trojan also includes self-replication capabilities that can infect memory cards connected to the device, researchers said. This ensures that the infection is executed every time the card is plugged in.
Once installed on the mobile device, the trojan can steal confidential information -- such as username, password and financial data -- from the phone and send it back to the malware's author, Marcus said. While the trojan is currently limited primarily to Chinese users, Marcus said it could extend beyond that country.
A Microsoft spokesman told SCMagazineUS.com that the company was aware of the threat.
"Microsoft is aware of public reports of malware that could be loaded surreptitiously by an application on a Windows Mobile device. The malware does not exploit any security vulnerability, but rather relies on user interaction in which the user would need to download and accept installation of an unsigned application," he said.
Marcus said trojans written for mobile devices remain rare.
“There isn't a lot of money to be made for malicious software writers on mobile devices," Marcus said. "Most of the malware industry is driven by making money in one form or another -- whether it's stealing information that's for sale or providing services, such as web hosting for other hackers, or sending spam."
That will change when users begin using the devices more for financial transactions, Marcus said. He expects that to occur over the next 12 to 18 months.
"Until the majority of people start using their handhelds for banking or for purchasing, there's no financial need to write malware for mobile devices,” he said.
Experts urged users to install and regularly update anti-malware security software on their handheld devices, just as they protect their personal computers.
“There's been less adoption of security software for mobile devices," Marcus said. “But we've seen more adoption of mobile security software in other parts of world."