Anatomy of an Android SMS virus - watch out for text messages, even from your friends!

Filed Under: Android, Featured, Google, Malware

Thanks to Jagadeesh Chandraiah and Ferenc László Nagy of SophosLabs for their technical assistance with this article.


SophosLabs just brought to our attention an item of malware of a sort you don't often see these days.

It's an Android virus, or more precisely, a worm, known as Andr/SlfMite-A.

(For all that we are saying "you don't often see worms," we did report on a short-lived Twitter worm just two weeks ago, but self-replicating malware is nevertheless fairly rare.)

Fifteen to twenty years ago, the malware scene was almost all about viruses and worms: although the internet was popular, only a small minority went online regularly, so malware couldn't rely on sitting around in inboxes or on websites waiting to be clicked.

Viruses and worms had to make their own running, and they took the business of spreading into their own hands, automatically seeking out new files or computers to infect, or churning out emails with themselves as attachments or download links.

That's how Andr/SlfMite-A gets around, though it sends itself in the form of an SMS containing a web link, rather than as a self-contained attachment.

So, if you allow yourself to get infected, you don't just put yourself at risk, you immediately put your top 20 contacts at risk, too.

The virus immediately reads from your contact list, and sends each of the top 20 an SMS by name, like this:

The difference between the email viruses of yesteryear and today's spam-driven malware is that the email viruses almost always came from someone you knew, and often from someone you trusted perfectly well.

That gave you much more reason to open the attachments or click on the links, even if you weren't entirely sure how wise that was.

Andr/SlfMite-A is trying to take the same sort of advantage, relying on the mutual trust that often exists between Android-using contacts.

After all, you probably don't routinely ignore SMSes from your friends, no matter how unusual the messages might look.

If you do click through to the link and install the app "recommended" by your friend, the cycle continues: you immediately SMS your top 20 contacts, and so on.

In theory, a virus like this could spread exponentially, with one victim in Generation One becoming 20 in Generation Two, 400 in Generation Three, and so on, with 20^(N-1) victims in Generation N.

In practice, of course, this never happens: many of the potential victims in each generation will delete the message, or ignore it, or have it blocked by their anti-virus.

Also, two friends are likely to be in each other's top 20 contacts, so if you infect your friend, she'll soon try to infect you back, which (if nothing else) ought to give you a hint that something is wrong.

Nevertheless, computer worms that spread via lists of friends can quickly produce a lot of traffic, and the volume alone can be troublesome.
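The worm's signature behaviour described above, the same link pushed to a whole block of contacts within moments, is exactly what a device-side or carrier-side monitor can look for. Here is an added example of that check (not SophosLabs code): a Python function that flags any link sent to many distinct recipients inside a short window, run over a constructed outbound-SMS log; the goo.gl link and contact names are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Outbound-SMS burst check, added as an example; not SophosLabs code.
URL_RE = re.compile(r"https?://\S+")

CONTACTS = ["Alice", "Bob", "Carol", "Dave", "Eve", "Frank",
            "Grace", "Heidi", "Ivan", "Judy", "Mallory", "Niaj"]
WORM_LINK = "http://goo.gl/PLACEHOLDER"   # constructed, not the real shortlink
BENIGN_LINK = "http://example.com/menu"

# Constructed outbound-SMS log as (timestamp, recipient, body) tuples: the
# same link pushed to 12 contacts in 33 seconds, plus ordinary traffic.
T0 = datetime(2014, 6, 26, 9, 0, 0)
SAMPLE_LOG = [(T0 + timedelta(seconds=3 * i), name,
               f"Hi {name}, try this app {WORM_LINK}")
              for i, name in enumerate(CONTACTS)]
SAMPLE_LOG += [
    (T0 - timedelta(hours=2), "Alice", f"Lunch? {BENIGN_LINK}"),
    (T0 + timedelta(hours=3), "Bob", f"Lunch? {BENIGN_LINK}"),
    (T0 + timedelta(hours=4), "Carol", "Running late, sorry"),
]


def find_sms_bursts(log, window=timedelta(minutes=5), min_recipients=10):
    """Return {url: sorted recipients} for each link that went to at least
    `min_recipients` distinct contacts within one `window` of time."""
    by_url = defaultdict(list)
    for ts, recipient, body in log:
        for url in URL_RE.findall(body):
            by_url[url].append((ts, recipient))
    bursts = {}
    for url, sends in by_url.items():
        sends.sort()                     # time order for the sliding window
        best, start = set(), 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1               # drop sends older than the window
            recipients = {r for _, r in sends[start:end + 1]}
            if len(recipients) > len(best):
                best = recipients
        if len(best) >= min_recipients:
            bursts[url] = sorted(best)
    return bursts


if __name__ == "__main__":
    for url, who in find_sms_bursts(SAMPLE_LOG).items():
        print(f"burst: {url} sent to {len(who)} contacts: {', '.join(who)}")
```

The window and recipient threshold are tunable; a real phone sending a lunch link to two friends hours apart stays below the bar, while a 20-contact blast in under a minute does not.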

The Andr/SlfMite-A virus doesn't just spread, however.

While it's texting all your friends, it's also downloading an app onto your device.

The app we saw when we tested the virus seems to be a front end for Mobogenie, an Android app marketplace that positions itself as a mainstream alternative to Google's Play Store.

The malware fetches its "payload" app via a goo.gl shortlink; in our tests, that link went through several redirections, meaning that the app that is foisted onto your Android could easily be changed, varying according to time, location, or even just the whim of the crooks.

Mobogenie is no stranger to controversy.

As Naked Security writer John Zorabedian wrote in April 2014, Mobogenie has been associated with so-called "drive-by installs" before, triggering numerous complaints and prompting the company to publish a statement on Google's own Play Store:

Recently we have understood that some of our users have been troubled by the automatic download of Mobogenie on to their Android Phones.

While it has never been our intention to spam any user, we would like to apologise to them for the same. Having learnt that there was a technical issue with one of our promotional partners, we are trying our best to fix it at the earliest.

Team Mobogenie keeps a close eye on all its promotions, and recommends the download of Mobogenie application only from reliable sources such as Google Play, Mobogenie.com and other partner networks. We ensure that there shall be no more inconvenience caused to any Android user in future.

That assurance notwithstanding, today's Play Store message states something that is similar yet slightly different:

Recently, it has come to our attention that some of our users have been troubled by spam from Mobogenie.

Although we have never intentionally distributed spam advertisements to our users, we would like to take this opportunity to apologise to all of you for any inconvenience this spam may have caused. Having now identified a technical issue with one of our promotional partners, we are currently trying our best to fix this problem as soon as possible.

It looks as though Mobogenie's technical issues with promotional partners are ongoing.

What to do?

The silver lining to malware that spreads this way is that it uses a three-stage infection strategy, and all three stages have to succeed for the virus to work.

With a decent anti-virus and security app in place, that gives you a three-fold chance to win.

For example, here's Sophos Free Anti-Virus and Security for Android in action:

Also, don't forget that by sticking to the Google Play Store for your Android software downloads, you reduce the risk of being plagued by rogue apps of this sort.

The Play Store is not perfect, but Google applies at least some oversight to it, and has a mechanism that allows it to kill off apps retrospectively, zapping them even if you have already downloaded and installed them.

If there are alternative markets you would like or need to use, try enabling the Allow installation of apps from unknown sources option only when you actually need it, and turning it off afterwards.

The handy Security Advisor feature in Sophos Anti-Virus will remind you if you forget:

Lastly, why not take a look at our mobile security tips for keeping the crooks away?


4 Responses to Anatomy of an Android SMS virus - watch out for text messages, even from your friends!

  1. Just the type of reason I need to steer clear of so called market leaders like Android... I just interact with my core friends & family via usual social media, & as much of that as possible via mobile web (not apps); & over wifi not mobile data - WP8 works fine; running costs are minimised; & security maintained. Not rocket science. It's the incessant obsession with apps that allows crooks & spammers & advertisers to keep up their plagues!

    • Courtney · 123 days ago

      Um. You *are* aware that WP is just as susceptible to attacks like this, right? With the latest WP OS being app-oriented, it's just as important to have an anti-virus program on there as it is on any other device these days. Even web surfing on phones and tablets these days can open you up to virii and malware similar to computers.

  2. silva bilvadore · 123 days ago

    Nice article, though the title should have been "SMS Worm" instead of "virus". This isn't exactly a virus, is it?

    • Paul Ducklin · 123 days ago

      This is indeed "exactly" a virus. And, as I was careful to point out, it is also a worm.

      Worms are a subset of viruses are a subset of all malware.

      The set of viruses can be split very loosely into two main subcategories: parasitics, which cannot work on their own and need a host file to infect and act as a carrier, and worms, which are self-contained and therefore act as their own host.

      All other things being equal, worms are easier to disinfect than viruses, because there is no original host file to restore (and in many cases, parasitic viruses infect "lossily," in other words, there is no way to remove the fly and be sure you have left behind only ointment).

      You will hear some people insisting that viruses and worms are disjoint sets. You may ignore them. In fact, you may need to ignore them - some of them will spend a lonnnnnnng time trying to convince you they are right.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog