Rogue Android Devs Plant SMS-Crazy Trojan in App

Android smartphone users in Russia have been hit by a Trojan that, once installed, starts spouting off SMS text messages to premium numbers, Kaspersky Labs revealed on Tuesday.

The attack is sent through a fake codec — a media player application — that users are asked to download and install.

Once it’s been installed, the Trojan begins sending SMS messages to premium rate numbers, racking up charges on the user’s account.

The attack may be a proof of concept test by the malware authors because it appears to be limited to Russia.

About the Android Trojan

Kaspersky Labs has named the Trojan the “Trojan-SMS AndroidOS Fake Player.” It’s being distributed from a malicious website, Dennis Maslennikov, Kaspersky’s mobile research group manager, told LinuxInsider.

“You have to click the app manually to download and install it; there’s no drive-by download,” Maslennikov said.

When a victim tries to install the app, Android will ask him or her to grant permission for the app to send SMS messages, read or delete data and collect data about the phone and the phone ID, Maslennikov warned. So far, Kaspersky hasn’t been able to find out who’s behind the malware.

“Our application permissions model protects against this type of threat,” Google spokesperson Jay Nancarrow told LinuxInsider.

Users should become suspicious when the Android operating system asks them for permission to send SMS messages or use services that cost money, such as making premium phone calls, Nancarrow pointed out.

He also warned that users should be careful when installing apps that are not on Google’s official application store, the Android Market. The so-called Fake Player is not sold through the Android Market.

“Users must explicitly change a default setting on their smartphones in order to permit the installation of non-Android Market applications,” Nancarrow said.
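The permission prompt described above is the only gate between the user and an SMS-sending "media player". As an added example (not code from the article, Kaspersky or Google), the script below triages a decoded AndroidManifest.xml and flags the cost-incurring and device-identifying permissions the article mentions; the manifest it parses is constructed to resemble the described app, and the package name and activity are invented.

```python
"""Triage the permissions an Android package declares, flagging the ones
that can cost the user money (SMS, calls) and the ones that read device
identity (phone state).  Added example; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app spend the user's money.
COST_PERMS = {
    "android.permission.SEND_SMS": "can send SMS (premium-rate charges)",
    "android.permission.CALL_PHONE": "can place calls (premium numbers)",
}
# Permissions that expose the phone's identity or stored data.
IDENTITY_PERMS = {
    "android.permission.READ_PHONE_STATE": "reads phone ID / IMEI",
    "android.permission.READ_SMS": "reads stored SMS",
}

# Constructed manifest (hypothetical package name): a "media player"
# that requests SMS sending and phone-state access, as the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Media Player">
    <activity android:name=".MoviePlayer"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def triage(manifest_xml):
    """Return (risk_level, findings) for a decoded manifest.
    'high' when the app can both spend money and identify the device,
    'medium' when it can only spend money, otherwise 'low'."""
    perms = declared_permissions(manifest_xml)
    findings = [COST_PERMS[p] for p in sorted(perms) if p in COST_PERMS]
    findings += [IDENTITY_PERMS[p] for p in sorted(perms) if p in IDENTITY_PERMS]
    spends = any(p in COST_PERMS for p in perms)
    identifies = any(p in IDENTITY_PERMS for p in perms)
    level = "high" if spends and identifies else "medium" if spends else "low"
    return level, findings


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A real APK's manifest is binary-encoded and must be decoded (for example with aapt or apktool) before it can be fed to this parser.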

‘Yes You Can’ Doesn’t Cut It

However, this Trojan exploit underscores the flaws in this permissions model because it assumes the user has in-depth knowledge of the apps he or she is about to install, according to Kevin Morgan, chief technology officer at Arxan Technologies.

“The security solution in Android is wrapped around capabilities that are explicitly granted or not to applications on installation so that the user supposedly has control,” Morgan told LinuxInsider.

“The problem with this model is that users don’t really know what capabilities an application should or shouldn’t have, and generally they just say yes to all the capability requests,” he explained.

Currently, spam and SMS scams constitute 75 percent of the malware attacks in the mobile market, Dror Shalev, chief technology officer at DroidSecurity, pointed out.

The Other Android Bug

Meanwhile, British security firm MWR InfoSecurity announced it found a flaw in the WebKit browser used in Android versions 1.6 to 2.1, the Guardian reported. This lets attackers remotely access victims’ Internet history, including the sites visited, cookies, usernames and passwords.

The attackers do this by injecting code from a poisoned website or through an unsecured WiFi network.

MWR InfoSecurity reportedly informed Google of the vulnerability in May, and the flaw has been fixed in Android 2.2.

“The issue noted by MWR InfoSecurity occurred in WebKit and is not Android-specific,” Google’s Nancarrow pointed out. “It has been fixed in the latest version of our Android software. We are not aware of any users having been affected by this bug to date.”

Openness May Mean Having to Say Sorry

The Trojan-SMS AndroidOS Fake Player can be deleted manually through the Android uninstaller, Kaspersky’s Maslennikov said.

Android smartphone owners can protect themselves by only visiting websites and using WiFi networks they can trust, Google’s Nancarrow remarked.

However, could more be done to safeguard Android users? The problem may be the very openness that has made Android so popular.

“Users can install apps from anywhere, not only from the Android marketplace, and that differs from the [App Store] distribution model, which is a good example of strong application review,” Maslennikov said.

“The two pieces of malware hitting the Android OS now are examples of why application providers for Android need to protect their apps from code modification through, for example, the insertion of Trojans,” Arxan’s Morgan said. “More fundamentally, the issue is, how can you have an application-extendable device and not run the risk that users will load applications that contain malware?”

Just Testing, Comrade

The Trojan-SMS AndroidOS Fake Player sends SMS messages to two premium numbers, 3353 and 3354, which only work in Russia, DroidSecurity’s Shalev told LinuxInsider.

“That makes it a local attack, which can be considered a proof of concept attack,” Shalev added. “This technique is widely used by rogue software developers in Europe.”

Virus writers in Russia focus on creating Trojan-SMS programs, wrote Alexander Gostev, head of Kaspersky’s global research and analysis team. One of their most popular scams is to have their malware autosend messages to short numbers. The cost of the texts is deducted from the accounts of the victims.

Most SMS Trojans are presented as applications that can be used to send free SMS messages, get free Internet access or access erotic or pornographic content, Gostev wrote.

SMS fraud is becoming increasingly popular with cybercriminals, and the threat is international, Gostev wrote.

Mobile malware may hit even more victims over time as mobile devices and apps become more popular.

“We are facing a huge problem in mobile security with browser bugs, WebKit and JavaScript,” DroidSecurity’s Shalev warned.

1 Comment

  • I always enjoy reading articles on this site. The articles are well balanced and easy to follow.

    Considering the amount of energy Kaspersky Labs has played on this issue and the announcement of their product line to include mobile security makes me wonder if they have something to do with this "proof of concept". That is just what it is.

    Kaspersky Labs has even gone as far as labeling this Trojan, which it is not, and have included it in their database. What database? If Kaspersky Labs doesn’t have a mobile security solution now, is this a test scenario used in their pre-production suite they are suggesting will become available in 2011?

    The media, if you are to call it that, are simply spreading rumors without any facts other than it sends SMS messages at $6 per message and labeling it as malware. There is no mention of the name of the application or the site which it is available. Isn’t "unknown" suspicious in itself coming from a security vendor who knows so much about what the code does?

    Don’t they realize that you have to properly sign the application with certs before anyone can install the software on ANY Android device? "Unknown Software" doesn’t mean Unsigned.

    This leads to another question, how does Kaspersky Labs have so much knowledge of this? Including the SMS address and cost of $6.00 per message. Then the application stops after 3. How did they find this "in the wild"? There isn’t any software available on the market to detect and report the number of installations for "malware", yet.

    All fingers point to a Kaspersky Labs as being the party involved in creating, distributing and exploiting this application. They are the only ones to gain from such activity.

    Virus protection is not needed on Android if you do not install a 3rd party ROM or "root it". At this point, you’re at the mercy of the ROM development groups’ best intention. The most trusted are Paul O’Brian, Enomther and CyanogenMOD, who pride themselves on excellence and pushing the devices beyond their original design spec and functionality.

    Keeping in mind that Google designed Android with the end user in mind and included a feature to allow users to know what the application permission requirements are prior to installation as stated by Jay Nancarrow.

    Where exactly is this threat? If there isn’t anything available for consumers to stop them from installing this, then it’s Kaspersky Lab’s responsibility to notify the public of the site and .apk filename that sends these SMS messages.

More by Richard Adhikari