Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Attack Turns Android Devices Into Spam-Spewing Botnets

Beware Trojan app sending 500,000 spam SMS messages per day, charging messages to smartphone owners.

From an attacker's perspective, malware doesn't need to be elegant or sophisticated; it just needs to work.

That's the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games--such as Angry Birds Star Wars, Need for Speed: Most Wanted, and Grand Theft Auto: Vice City--for free.

[ Anonymous hacks Westboro Baptist Church in aftermath of Connecticut school shooting. Read more at Anonymous Posts Westboro Members' Personal Information. ]

Despite the apparent holiday spirit behind the messages, however, it's just a scam. "If you do download this 'spamvertised' application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware's author," according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones "to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server," said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. "Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell," said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware's creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: "You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!"

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than "fakeware" distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

After installing the malware and before it takes hold, a user must first grant the app numerous permissions -- such as allowing it to send SMS messages and access websites. Only then it can successfully transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may agree to such requests. Furthermore, "not many people read the fine print when installing Android applications," said Conway.

If a user does grant the malware the requested permissions, it will transform their Android device into node, or zombie, for the malware creator's botnet. At that point, the malware immediately "phones home" to a command-and-control server via HTTP to receive further instructions. "Typically a message and a list of 50 numbers are returned," said Conway. "The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers."

Again, the Android malware used to build the accompanying SMS-spewing botnet isn't sophisticated, but it does appear to be earning its creator money. "Compared with PC botnets this was an unsophisticated attack," said Conway. "However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down."

Your employees are a critical part of your security program, particularly when it comes to the endpoint. Whether it's a PC, smartphone or tablet, your end users are on the front lines of phishing attempts and malware attacks. Read our Security: Get Users To Care report to find out how to keep your company safe. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tibor Klampar
50%
50%
Tibor Klampar,
User Rank: Apprentice
12/20/2012 | 3:03:09 AM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
Android.. Dream come true for malware developers..
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
12/20/2012 | 12:36:36 AM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
EXTREME MicroKlunk Redmond FUD!

99.9% of all Android users do not use 3rd party download sites.
They use Google Play which is 100% safe from malware.

No matter how much Mafiasoft FUD is spewed, NO one is going to be stupid
enough to buy a WIndoZe 8 Virus Trap phone that reboots 25 times a day
and freezes up constantly.

kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
12/19/2012 | 8:15:15 PM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
These types of scams are fairly rudimentary, but worrisome: when these attacks become more convincing and sophisticated, the Android platform could provide the bad guys massive numbers of prospective bots.

Kelly Jackson Higgins, Senior Editor, Dark Reading
ukjb
50%
50%
ukjb,
User Rank: Apprentice
12/19/2012 | 8:01:42 PM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
FUD
Stick to Google Play and you will be fine.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...