Android botnet wants to sell you Viagra, penny stocks and e-cards

Filed Under: Android, Botnet, Malware, Mobile, Spam

The plot of the Android malware story thickens. SophosLabs has discovered the latest way to monetize mobile malware, using it as a spam botnet.

Historically, mobile malware has made money by capturing the SMS messages used for online banking authentication and by sending premium-rate SMS messages to collect the subscription fees.

The messages appear to originate from compromised Google Android smartphones or tablets. All of the samples at SophosLabs have been sent through Yahoo!'s free mail service and contain correct headers and DKIM signatures.

The first samples we analyzed were text only, but some other samples also contain images. An example pharmacy spam reads:

Incredible National Rx Store
Now offering medications for Weight Loss, Diabetics, Pain Reduction!!!
Reduced Prescription's
Viagra+Cialis Super Active, Alprazolam, Vicodin etc...
Pick Up You're Meds for 75% Off Today

Sent from Yahoo! Mail on Android

Some of the image spams not only have a graphic, but an animated one!

Android spam with animated pharma GIF

You can imagine the cellular phone bill you might receive if your phone is being used to download and spam out thousands of these messages.

Even if you thought you were going to buy some counterfeit Viagra from criminals because you are too embarrassed to see your physician, it is still a classic bait and switch. The URL leads to a knock-off "herbal Viagra" that performs miracles with no side effects.

It is likely that Android users are downloading Trojanized pirated copies of paid Android applications. The samples we analyzed originated in Argentina, Ukraine, Pakistan, Jordan and Russia.

The geographic spread of the source devices is unusual, as most Android malware is downloaded not from Google Play but from localized "off market" download sites.

Android users should exercise caution when downloading applications for their devices and definitely avoid downloading pirated programs from unofficial sources. Google, Amazon and others may not be perfect at keeping malware off of their stores, but the risk increases dramatically outside of their ecosystems.

Considering the risks, why not give Sophos Mobile Security for Android a try? It's free and also allows you to track your device if it is lost or stolen. You can find it on Google Play.

Update: It is important to note that we do not have the malware, so it is not confirmed that it originates from Android devices. For more information read our follow up with all of the details.

Special thanks to Savio Lau at SophosLabs Vancouver for spotting this spam and performing the research necessary for this post.

3 Responses to Android botnet wants to sell you Viagra, penny stocks and e-cards

  1. Paul Thomas · 842 days ago

    Seeing as all of the Yahoo! email accounts are in the same format, it's more likely the Yahoo! Android account creation API has been circumvented to allow account creation. Not entirely convinced these are actually being sent by Android devices.

  2. felisa · 710 days ago

    Could you give me this virus?
    Because I want to analyze it.
    Thank you very much.

  3. If you work for a legitimate anti-virus vendor, please contact our labs via the usual channels. Thanks!

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.