Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Attack Turns Android Devices Into Spam-Spewing Botnets

Beware Trojan app sending 500,000 spam SMS messages per day, charging messages to smartphone owners.

From an attacker's perspective, malware doesn't need to be elegant or sophisticated; it just needs to work.

That's the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games--such as Angry Birds Star Wars, Need for Speed: Most Wanted, and Grand Theft Auto: Vice City--for free.

[ Anonymous hacks Westboro Baptist Church in aftermath of Connecticut school shooting. Read more at Anonymous Posts Westboro Members' Personal Information. ]

Despite the apparent holiday spirit behind the messages, however, it's just a scam. "If you do download this 'spamvertised' application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware's author," according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones "to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server," said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. "Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell," said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware's creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: "You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!"

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than "fakeware" distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

After installing the malware and before it takes hold, a user must first grant the app numerous permissions -- such as allowing it to send SMS messages and access websites. Only then it can successfully transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may agree to such requests. Furthermore, "not many people read the fine print when installing Android applications," said Conway.

If a user does grant the malware the requested permissions, it will transform their Android device into node, or zombie, for the malware creator's botnet. At that point, the malware immediately "phones home" to a command-and-control server via HTTP to receive further instructions. "Typically a message and a list of 50 numbers are returned," said Conway. "The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers."

Again, the Android malware used to build the accompanying SMS-spewing botnet isn't sophisticated, but it does appear to be earning its creator money. "Compared with PC botnets this was an unsophisticated attack," said Conway. "However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down."

Your employees are a critical part of your security program, particularly when it comes to the endpoint. Whether it's a PC, smartphone or tablet, your end users are on the front lines of phishing attempts and malware attacks. Read our Security: Get Users To Care report to find out how to keep your company safe. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tibor Klampar
50%
50%
Tibor Klampar,
User Rank: Apprentice
12/20/2012 | 3:03:09 AM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
Android.. Dream come true for malware developers..
johnitguru
50%
50%
johnitguru,
User Rank: Apprentice
12/20/2012 | 12:36:36 AM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
EXTREME MicroKlunk Redmond FUD!

99.9% of all Android users do not use 3rd party download sites.
They use Google Play which is 100% safe from malware.

No matter how much Mafiasoft FUD is spewed, NO one is going to be stupid
enough to buy a WIndoZe 8 Virus Trap phone that reboots 25 times a day
and freezes up constantly.

kjhiggins
50%
50%
kjhiggins,
User Rank: Strategist
12/19/2012 | 8:15:15 PM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
These types of scams are fairly rudimentary, but worrisome: when these attacks become more convincing and sophisticated, the Android platform could provide the bad guys massive numbers of prospective bots.

Kelly Jackson Higgins, Senior Editor, Dark Reading
ukjb
50%
50%
ukjb,
User Rank: Apprentice
12/19/2012 | 8:01:42 PM
re: Attack Turns Android Devices Into Spam-Spewing Botnets
FUD
Stick to Google Play and you will be fine.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31618
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
CVE-2021-20027
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
CVE-2021-32684
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
CVE-2021-34693
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
CVE-2021-27887
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...