Attacks/Breaches
12/19/2012
11:07 AM
Connect Directly
RSS
E-Mail
50%
50%

Attack Turns Android Devices Into Spam-Spewing Botnets

Beware Trojan app sending 500,000 spam SMS messages per day, charging messages to smartphone owners.

From an attacker's perspective, malware doesn't need to be elegant or sophisticated; it just needs to work.

That's the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games--such as Angry Birds Star Wars, Need for Speed: Most Wanted, and Grand Theft Auto: Vice City--for free.

[ Anonymous hacks Westboro Baptist Church in aftermath of Connecticut school shooting. Read more at Anonymous Posts Westboro Members' Personal Information. ]

Despite the apparent holiday spirit behind the messages, however, it's just a scam. "If you do download this 'spamvertised' application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware's author," according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones "to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server," said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. "Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell," said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware's creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: "You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!"

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than "fakeware" distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

After installing the malware and before it takes hold, a user must first grant the app numerous permissions -- such as allowing it to send SMS messages and access websites. Only then it can successfully transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may agree to such requests. Furthermore, "not many people read the fine print when installing Android applications," said Conway.

If a user does grant the malware the requested permissions, it will transform their Android device into node, or zombie, for the malware creator's botnet. At that point, the malware immediately "phones home" to a command-and-control server via HTTP to receive further instructions. "Typically a message and a list of 50 numbers are returned," said Conway. "The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers."

Again, the Android malware used to build the accompanying SMS-spewing botnet isn't sophisticated, but it does appear to be earning its creator money. "Compared with PC botnets this was an unsophisticated attack," said Conway. "However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down."

Your employees are a critical part of your security program, particularly when it comes to the endpoint. Whether it's a PC, smartphone or tablet, your end users are on the front lines of phishing attempts and malware attacks. Read our Security: Get Users To Care report to find out how to keep your company safe. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tibor Klampar
50%
50%
Tibor Klampar,
User Rank: Apprentice
12/20/2012 | 3:03:09 AM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
Android.. Dream come true for malware developers..
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
12/20/2012 | 12:36:36 AM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
EXTREME MicroKlunk Redmond FUD!

99.9% of all Android users do not use 3rd party download sites.
They use Google Play which is 100% safe from malware.

No matter how much Mafiasoft FUD is spewed, NO one is going to be stupid
enough to buy a WIndoZe 8 Virus Trap phone that reboots 25 times a day
and freezes up constantly.

kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
12/19/2012 | 8:15:15 PM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
These types of scams are fairly rudimentary, but worrisome: when these attacks become more convincing and sophisticated, the Android platform could provide the bad guys massive numbers of prospective bots.

Kelly Jackson Higgins, Senior Editor, Dark Reading
ukjb
50%
50%
ukjb,
User Rank: Apprentice
12/19/2012 | 8:01:42 PM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
FUD
Stick to Google Play and you will be fine.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.